
I don't know, would it really be so complicated for most businesses? Taking my former SaaS business as an example, I would have needed to gather the required information from two sources basically:

- Our database (containing user data like login, e-mail etc.)

- Our third-party SaaS providers such as Mailchimp (e-mail address and name), Mailjet (no personal data stored directly there) and Stripe (transaction history).

Automatically pulling together the necessary information from these sources and sending it to the user seems totally doable and not overly complex.

In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.

BTW I'd be very interested to hear from people running startups how they process user data and how many different data stores / services they use to manage that data!
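
One way to build the automated access export described above, as an added example that is not from the comment's author: each data store gets a small fetch function, and the registry of stores doubles as the documented data inventory, so a store that returns fields nobody wrote down fails loudly instead of slipping into the export unnoticed. The in-memory SQLite table and the Mailchimp- and Stripe-shaped records are constructed stand-ins; no real service API is called.

```python
import json
import sqlite3
from typing import Dict, List

# Constructed sample data standing in for the app database and the two
# third-party services named in the comment; nothing here calls a real API.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (id INTEGER, login TEXT, email TEXT)")
_DB.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.com')")
_DB.execute("INSERT INTO users VALUES (2, 'bob', 'bob@example.com')")
_MAILCHIMP = {"alice@example.com": {"name": "Alice A.", "list": "newsletter"}}
_STRIPE = [
    {"email": "alice@example.com", "amount_cents": 1999, "date": "2018-01-10"},
    {"email": "bob@example.com", "amount_cents": 999, "date": "2018-02-03"},
]

def _from_db(email: str) -> List[dict]:
    rows = _DB.execute("SELECT id, login, email FROM users WHERE email = ?", (email,))
    return [dict(zip(("id", "login", "email"), r)) for r in rows]

def _from_mailchimp(email: str) -> List[dict]:
    rec = _MAILCHIMP.get(email)
    return [dict(rec, email=email)] if rec else []

def _from_stripe(email: str) -> List[dict]:
    return [t for t in _STRIPE if t["email"] == email]

# The registry doubles as the data inventory: every place personal data lives
# must be listed here with the fields it holds, or the export is incomplete.
SOURCES: Dict[str, dict] = {
    "database":  {"fields": ["id", "login", "email"], "fetch": _from_db},
    "mailchimp": {"fields": ["name", "list", "email"], "fetch": _from_mailchimp},
    "stripe":    {"fields": ["amount_cents", "date", "email"], "fetch": _from_stripe},
}

def inventory() -> Dict[str, List[str]]:
    """Documented list of which store holds which personal-data fields."""
    return {name: src["fields"] for name, src in SOURCES.items()}

def build_access_export(email: str) -> Dict[str, List[dict]]:
    """Collect everything held about one e-mail address across all stores."""
    export: Dict[str, List[dict]] = {}
    for name, src in SOURCES.items():
        records = src["fetch"](email)
        unexpected = {k for r in records for k in r} - set(src["fields"])
        if unexpected:  # the inventory has drifted from what the store returns
            raise ValueError(f"{name} returned undocumented fields: {unexpected}")
        export[name] = records
    return export

if __name__ == "__main__":
    print(json.dumps(build_access_export("alice@example.com"), indent=2))
```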



In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.

That in itself is reasonable, but it lacks the proportionality aspect that is so important. My own objections to the GDPR aren't about the spirit in which it's intended; while you might not guess it from my comments on HN today, I'm generally a very strong advocate of privacy safeguards. Instead, my concern is the amount of additional red tape and ambiguous obligations that the GDPR appears to be introducing for what ought to come down to simple questions like whether you are using personal data only for legitimate purposes and you are storing it safely, which plenty of us already were anyway.


I'm kinda in your boat. IMHO, GDPR needed something for small businesses. If you're doing reasonable, expected stuff with your small business and you reply as such to the example letter, there should be no need to use a lawyer. And it should be codified in the law, rather than relying on prosecutorial discretion.

There should be a distinct "If you adopt these reasonable policies, you are legally in compliance with GDPR".


How would you ensure that a company is only using the data for legitimate purposes without resorting to some kind of control mechanism?


We do have control mechanisms, but they are practical measures. Data of a given type is kept in one primary location with systematic backups. Processing of that data is typically done by programs that all use a specific related module in the code to access the data so they're easy to review, except for things like email where the nature of the processing is obvious anyway. Only a limited number of people have access to the relevant code or data at all, and everyone involved knows everything that is going on and could immediately describe exactly what data we store and how it is used. The privacy policy discloses our practices accordingly. What we don't currently have is a lot of the formalities that may (or may not) be required once the GDPR comes into effect.


I commend your organization: by following some good practices when it comes to data collection and storage, it's already very far into the process of being GDPR compliant. It looks like all you are missing is the documentation part, where the processes are clearly defined, and nominating someone to be the data protection officer.

He was asking in general, however: without a mechanism to control that corporations are doing what yours is already doing, how would we verify compliance?

