Back in 2016 the E.U. passed a new law to protect users’ data called the General Data Protection Regulation that goes into full effect on May 25th, 2018. This is why you’ve been getting emails from so many online businesses on their Privacy Policies and how they handle your personal information. According to Wikipedia, the general gist of the law is this:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that a system must be designed from the start to adhere to the principles of data protection, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The business must allow this permission to be withdrawn at any time.
A processor of personal data must clearly disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any third-parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
From what I’ve been able to gather, any website that captures so much as the IP address of someone visiting it is at risk of being in violation of this regulation and thusly possibly liable for fines for up to €20 million for non-compliance.
Now, I’d be surprised if the E.U. suddenly decided to come after me and the blogs I host for myself and friends and family, as we’re decidedly small fish in the ocean of the Internet, but I’ve noticed a sudden influx of new user registrations on SEB from a bunch of people all using the same domain name, which is a known SPAM account domain, and I have to wonder if there’s going to be a trend of scammers trying to blackmail non-compliant bloggers into coughing up some dough. Which is why I’ve been trying to learn more about how this law applies to people like me.
In short, the whole thing is a huge pain in the ass and could bring about the end of Stupid Evil Bastard if I can’t figure out what I need to do to be in compliance. Turning off user registrations and disabling comments wouldn’t be enough as IP addresses would still be captured and that’s enough to be an issue. Short of blocking all traffic coming from the E.U. (and that wouldn’t stop users on VPNs), I don’t see an easy way to deal with this and I’ve got three days to figure this out.
Considering I’ve been researching it for a couple of months already, I’m not sure I’m going to be compliant in time.