How do you see GDPR

<p>Hi everyone,</p>

<p>I live in Belgium, which is more or less in the middle of Europe geographically, and also politically because we have most of the EU institutions here in Brussels (where I work at the moment). I have been working on a project that is in the Medical sphere, so because of that the privacy aspect was one of the base requirements we had to deal with. That meant that we had a good idea about GDPR even at the beginning of the year.</p>

<p>Facebook did us all a favor in terms of putting privacy on the map with their Cambride Analytica scandal, so the awareness of the general public might have been better than expected. I work in the government and health sector, so we have more exposure to this kind of subject than most people, so I was wondering how you have perceived the GDPR introduction, the privacy discussions it has inevitably generated, the load of emails you received (potentially also from ImpressCMS, I admit) about new privacy policies and terms of use.</p>

<p>I thought it very useful that every service I used in the past now asks if I am still interested <img src="https://www.impresscms.org/uploads/smil3dbd4d6422f04.gif" alt="" /> Kinda makes it easy to have an overview when you want to decide whether you are still interested.</p>

<p>The fact that several companies decided to simply block people from the EU is to me a tell that they do things with your data they don't want you to know. Perhaps the GDPR, with it's very top-down approach, but with good intentions, will help the rest of the world as a possibility of what might be a good direction to let the common people reclaim posession of their personal data.</p>

<p>How is GDPR viewed in your countries? Would you like to have similar legislation in your area?</p>

<p>I'm not really a fan of EU bureacracy (cookie acknowledgements drive me crazy, did we really need those?) but in this case, I think they have done a good thing.</p>

<p>Data collection is completely out of control right now, to an outrageous extent, and something needed to be done. Whether this law actually goes far *enough* is another question, I suspect the industry will try and shrug it off, unless a company is a&nbsp;major power like Facebook or Google it probably isn't going to attract much attention. At least, not yet.</p>

<p>Pretty much every internet connected device is gathering data and sending back telemetry to its makers and if you follow computer security in general there is a clear trend of technology companies being clueless (or perhaps, disinterested) in computer/data security or privacy. They can't secure their devices and they can't secure the data they collect.</p>

<p>Even worse, practically every company is willing to handover whatever data they have to the government when they are "legally obliged" to do so. That may be fine in a first world democracy, but if you're living in a third world country with a repressive, authoritarian government, what does "legally obliged" mean? The goon squad doesn't come with any procedural or rule-of-law protections. Handing over private data can have dire consequences, and a chilling effect on society in general.</p>

<p>I hope eventually we can get to a place where companies collect only that data they legitimately need for their service, and no more. But at the moment it's collect-all-you-can and figure out how to exploit/monetise your clients later.</p>

<p>I wasn't considering the non-democratic government angle, to be honest. The Belgian government is sometimes the laughing stock of the world when they go 1 year without being able to form a new government, but the country keeps on running as if nothing is going on. Aside from that, and perhaps a slight tendency towards more right-wing politics these last years in line with the rest of the world, I shouldn't complain. And your comment made me understand that this comfortable situation made me believe too much that everybody else is in a similar situation.</p>

<p><span style="background-color:transparent; color:rgb(85, 85, 85); font-family:helvetica neue,helvetica,arial,sans-serif; font-size:13px">Yes, data collection has gone off the charts, I'm with you there. </span>The creepy fact also is that we kid ourselves saying that we limit the information we put online. But that is at one single time. Computers have long memories, so the accumulation of the small little bits of data you put online is terrifying if you ask me.&nbsp;</p>

<p>We're to blame ourselves as well. The internet started off with freemium services in many cases, but the googles and yahoos and facebooks came in with their ad-supported free services, and suddenly nobody was willing to pay even a tiny amount for the services they consumed on the internet. At that time, if you ran ads you were really lucky if every view of your ad was counted. In the meantime, they have evolved much into the part where they run the internet in a way.</p>

<p>I believe the base idea of GDPR is good, but the way of implementation of that idea needs some proof in the real world. You very correctly mention the universally hated cookie directive. There is a new one coming along as well, <a href="http://mandate376.standards.eu/standard">EN 301 549</a>, aimed at making public websites accessible by imposing <a href="https://www.w3.org/TR/WCAG20/">WCAG Level 2</a>. That'll be fun to watch <img alt="" src="https://www.impresscms.org/uploads/smil3dbd4e398ff7b.gif" /></p>

<p>In the US, we have <a href="https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule">COPPA</a> (Children's Online Privacy Protection Act), which has been in force since 1998 and specifically addresses online privacy for children under the age of 13. From what I see, GDPR takes COPPA and extends it to everybody, regardless of age. The responsibilities and actions for a website owner are basically the same - tell people what information you collect, who has access to it, and remind them the information they volunteer, add to their profile, or post is visible (duh). There was also a stipulation about having information removed at the user's requests.</p>

<p>I've used a <a href="http://www.christianwebresources.net/modules/wiwimod/index.php?page=PrivacyPolicy">privacy policy</a> for years to address the COPPA regulation.</p>

<p>The above was all from the perspective of a site administrator. From the perspective of a web platform developer and creator, the questions and responses are a bit different.</p>

<ol>
<li>How easy is it to export data and posts from a user or visitor?</li>
<li>How easy is it to remove data and posts from a user or visitor?</li>
<li>If someone gained access to the database, is private data sufficiently obscured?</li>
<li>Do the default options favor the user's privacy?</li>
</ol>

<p>Some things are outside the scope of the CMS - web server logs that contain IP addresses, dates, times, and POST information are the first that come to mind. Cookies are created by the server, not the CMS. Tokens can be created and used by the CMS.</p>

<p>In many ways, GDPR and COPPA are like the warnings on your coffee cup from your favorite establishment - contents may be hot. At least COPPA was intended for people who hadn't reached an age where they knew such things.</p>