Ask HN: Is there a GDPR compliance privacy statement template for small blogs?
Open source licenses has done wonders for individual software developers who want to publish free/libre/open source software on the internet. We don't have to hire lawyers to carefully draft a license that to give away our software for free while protecting ourselves with disclaimers.
Is there something similar for privacy statements that can be used by small blog owners to remain compliant with GDPR?
Assume the blog is hosted on a Digital Ocean virtual machine hosted in EU, runs on self-hosted Wordpress or another self-hosted free CMS with a built-in comment form. Assume it only writes Apache/Nginx access logs, does not have any analytics in the pages, no cookies, no tracker. Only user comments and access logs. Anything handy for such blogs?
14 comments
[ 2.9 ms ] story [ 29.0 ms ] threadThis is a solved problem for open source licenses. It would be great if there is something like that for privacy statement too.
If you do collect personal data and are stickler for the letter of the law you can just state which personal data you collect and for what purpose. No-one will bother you if you are indeed only a small blog.
Many other articles I read also agree with above.
A more nuanced, and realistic explanation may be found at [1] (UK GDPR is the same as EU GDPR but Brexit...)
That does not really help about your question, though. Again, if you clearly state what is collected and why you should be more than fine.
[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...
iP addresses are within scope of GDPR, period.
Source: I hold CIPP/E certification
This sentence does not mean anything.
The actual position regarding IP addresses as personal data is that "an IP address may be personal data if you are able to access additional information which enable you to identify the user behind the IP address", hence my previous statement. Unfortunately, this is often oversimplified (as tends to happen to any non-trivial issue) to "an IP address is personal data". It does mean, though, that one must be careful when handling IP addresses and may treat them as personal data by default as a belt and braces approach (as I already mentioned in my first comment), but that's not the same thing.
I'm glad we agree.
Does it fall within the scope of GDPR? If yes then how is the right to have personal data erased implemented? How would you process a request from someone with the name Bob Yan asking you to delete all comments posted by 'Bob Yan' on your website? Without a user registration or an email, how would you verify that the Bob Yan contacting you is the one who posted all those comments? This part seems to be very confusing. I'd appreciate any knowledge or tips you can share about this.
Otherwise, it falls within the scope of the GDPR even re the access logs if IP addresses are logged.
https://gdprhub.eu/Article_2_GDPR says:
> According to Lindqvist in particular, the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exemption.
For now, let us assume that the commenter name and IP addresses fall within the scope of GDPR. Do you have any comments about how the right to erasure would be implemented in the scenario I described in my comment above?
I think you are falling down the "GDPR rabbit hole" here, though. As said, for a personal blog the most probable scenario is that no-one will care about your following the law strictly to the letter.
Now, you can reasonably argue that you have a legitimate interest in logging IPs and to keep them for a sensible duration for security audit purposes. So in any case, you can just inform visitors that you will log IPs for security/spam prevention purposes and move on.
Commenters do not necessarily have a right of erasure and as you have said you probably won't be able to check that requests are genuine, anyway. So I think a sensible approach is not to worry about that until and unless you receive such a request and then decide what to do to make your life the easiest possible. For instance, if one day someone claims to be the author of a comment and wants it deleted you might decide to just delete it and to move on whatever the strict legal position and procedure might be.
The Schrems II ruling says it's not enough to have the data hosted in EU since DO is a US corp.
One trick I've seen people use is to move the discussion to a different forum, like posting the article to HN and having a link in the article saying "Discussion on Hacker News".