This blog is now compliant with the General Data Protection Regulation (GDPR).
The link above takes you to the original regulation text. I used various online guides to make my blog compliant with the regulation.
Why am I affected?
This blog collects two pieces of personal data: commenter emails and visitor IP addresses. This data is not used for purely personal or household activity. The blog is still a part of my consulting activities and acts as a marketing channel. Thus article 18 (personal or household activity) does not apply; otherwise it would exempt the blog from the regulation.
Steps to compliance
- Create a privacy notice.
- Implement a consent system.
- Make data collection compliant.
- Drop non-compliant 3rd party services.
Article 32 of the regulation states the requirements for consent. Quote:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
This means that displaying a message and letting the user keep browsing the site is not enough for consent. The user might browse the site, but you cannot collect and process the user's personal data until you get actual consent.
Dropping IP address from Nginx logs
There is no easy way to ask for the user's consent before the user makes the first request to the server, and implementing such conditional logging of the IP address might be technically challenging. I also did not find a good reason to have the IP address logged (personal data processed) without visitor consent ("nice to have" or "maybe we need it later" does not seem to be enough). Therefore it was simplest to just remove the IP field from the log format.
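As an added example (not the blog's own configuration), this is what that log_format change looks like in nginx: the default combined format is shown beside a format that drops the IP field, and the server name and log path are assumptions.

```nginx
# Added example, not the blog's configuration. Server name and log path are assumptions.
http {
    # Reference copy of nginx's predefined "combined" format (given a new name, because
    # the built-in name cannot be redefined). The first field, $remote_addr, is the
    # visitor's IP address, i.e. personal data under the GDPR.
    log_format combined_reference '$remote_addr - $remote_user [$time_local] '
                                  '"$request" $status $body_bytes_sent '
                                  '"$http_referer" "$http_user_agent"';

    # Privacy format: $remote_addr is replaced by a literal "-" so the column layout
    # stays parseable by existing log tools. $http_x_forwarded_for, which carries the
    # client IP when the server sits behind a proxy, is deliberately not logged either.
    log_format no_ip '- - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';

    server {
        listen 80;
        server_name example.com;                          # assumption
        access_log /var/log/nginx/access.log no_ip;       # assumption: log path

        # Caveat: nginx's error_log still includes the client address in many
        # messages ("client: <ip>"), so it holds personal data too. Keeping it at
        # a high severity reduces how often such entries are written.
        error_log /var/log/nginx/error.log crit;          # assumption: log path
    }
}
```

Check the result with `nginx -t` and then read a few fresh access log lines to confirm the first field is now "-" rather than an address.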
Whether a webpage using Sentry.io is GDPR-compliant is still a bit of a mystery to me. There does not seem to be enough information available on this issue. At the moment I am getting the IP address in Sentry reports, and that means it's definitely not compliant. Or rather, it's conditionally compliant if you get the user's consent before sending a Sentry report. This depends on Sentry's technical implementation, and I really have no time to work on this. So I just dropped their service for now.
There is a good guide for 3rd party GDPR compliance. You will need consent if you use certain Google Analytics features, for example.
It is also possible to comply by not collecting any personal data. I thought about it but decided to keep my analytics for now.
A very brutal solution is to block every visitor from the EU. This is the last-resort solution. Sadly I have seen it being used by some sites, including some US .gov sites.
Other than a privacy activist suing Internet giants over the GDPR on the day it came into effect, I have found no actual cases.
I expect the Internet giants (Facebook, Google, etc.) to be already compliant or get there very soon. They have all the legal and development resources to do it.
The fines (up to 20M or 4% of yearly revenue, whichever is higher) are very high. For comparison, the Cookie Law had country-dependent and much smaller fines. There are numerous cases where the Cookie Law has been applied in the EU to hand out fines, so these privacy laws are not there for nothing; they are real legal risks.