[HN Gopher] Show HN: Databunker - a GDPR compliant, secure stora...
___________________________________________________________________
Show HN: Databunker - a GDPR compliant, secure storage for personal
data (PII)
Author : stremovsky
Score : 60 points
Date : 2021-04-04 15:37 UTC (7 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| intricatedetail wrote:
| > and you still need to consult with an attorney specializing in
| privacy.
|
| Governments should be refunding solicitor costs to anyone needing
| GDPR advice. Otherwise this is just another way to add barriers.
| If you are on modest income you can forget about setting up a
| website in the EU.
| remus wrote:
| > Otherwise this is just another way to add barriers.
|
| Personally I think pretty much everything in GDPR is just
| sensible guidelines for how to handle personal data, and if
| you're not willing to do those things then you probably
| shouldn't be handling personal data in the first place. Being
| ignorant of good data practice is not an excuse.
|
| > If you are on modest income you can forget about setting up a
| website in the EU.
|
| This is just rubbish. GDPR only applies to personal info for a
| start so if you don't store personal info then you have nothing
| to worry about. Even if you do store personal info the vast
| majority of use cases are really straightforward and require a
| very minimal understanding of the law to be compliant.
| reitanqild wrote:
| Furthermore you can often ask them for help (or so I have
| heard).
| Rule35 wrote:
| > GDPR is just sensible guidelines for how to handle personal
| data
|
| And yet it doesn't say "don't give it to me if you don't want
| me to have it."
|
| > GDPR only applies to personal info for a start so if you
| don't store personal info then you have nothing to worry
| about.
|
| So logging IPs is fine?
| jdlshore wrote:
| The law is quite readable, and the various Data Protection
| Agencies (country-specific regulators) have provided more
| concrete guidance. If you're setting up a website that takes a
| restrained approach to personal data, you don't necessarily
| need an attorney.
| stremovsky wrote:
| Databunker basically makes any startup privacy-by-design
| compliant.
| NiceWayToDoIT wrote:
| Nice project, although I have a question I would appreciate if
| someone could answer. How does the "right to forget" work in the
| real world? The confusing part for me is that the data that
| identifies you is also required by the business, so how do you
| draw the line between what can be forgotten and what cannot? Let's
| say I use some service, then I violate the policies of that
| company, then I exercise my "right to forget", and after they
| delete my data I sign up again and repeat the entire thing? Second,
| how does that work with regard to bookkeeping and tax policies,
| where you are required to have data about your clients?
| jimmygrapes wrote:
| I am no expert on GDPR or security, but wouldn't a simple "PII
| to Cryptologically Secure Hash" solution work for some of this?
| The PII would possibly need to be accessed piecemeal while the
| account is active, so hashing is not appropriate alone, but
| once the account is deleted you could store a user's hash (or
| partial hash, made from only truly unique info or info combos)
| since it cannot be reconstituted and contains no specific PII.
| You then store this hash in your "abusive person" list, or
| whatever, maybe link it to refund data if needed, and if a
| "forgotten" user needs to interact with the service they fill
| in their information which is converted to the hash without
| saving. Doable?
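One way to implement the "hash the PII, keep only the hash" list described in the comment above, as an added Go example that is not part of the original post or of Databunker; the secret key, the identifier kind and the sample address are constructed. It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because an unkeyed hash of an e-mail address can be reversed by simply hashing candidate addresses, whereas the keyed tokens are opaque to anyone who does not hold the key:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SuppressionList holds keyed hashes of normalised identifiers, kept after
// the account record itself has been erased. No raw PII is stored in it.
type SuppressionList struct {
	key     []byte          // secret HMAC key (constructed for this example)
	entries map[string]bool // hex(HMAC-SHA256(key, kind:value)) -> present
}

func NewSuppressionList(key []byte) *SuppressionList {
	return &SuppressionList{key: key, entries: map[string]bool{}}
}

// normalise makes equivalent inputs hash identically (case, whitespace),
// so "Foo@Example.com " and "foo@example.com" map to the same token.
func normalise(kind, value string) string {
	return kind + ":" + strings.ToLower(strings.TrimSpace(value))
}

// Token derives the keyed hash for one identifier. Without the key the
// token cannot be matched against a dictionary of candidate addresses.
func (s *SuppressionList) Token(kind, value string) string {
	mac := hmac.New(sha256.New, s.key)
	mac.Write([]byte(normalise(kind, value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Add records the token at account-erasure time; the PII itself is not kept.
func (s *SuppressionList) Add(kind, value string) {
	s.entries[s.Token(kind, value)] = true
}

// IsSuppressed hashes the value supplied at sign-up and checks it against
// the list without storing the supplied value anywhere.
func (s *SuppressionList) IsSuppressed(kind, value string) bool {
	return s.entries[s.Token(kind, value)]
}

func main() {
	sl := NewSuppressionList([]byte("example-secret-key-rotate-me")) // constructed
	sl.Add("email", "Banned.User@Example.com")                        // at deletion time
	fmt.Println(sl.IsSuppressed("email", " banned.user@example.com ")) // true
	fmt.Println(sl.IsSuppressed("email", "other@example.com"))         // false
}
```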
| remus wrote:
| The right to erasure (aka the right to be forgotten) is not
| universal and only applies in certain circumstances.
|
| > Let say I use some service, then I violate policies of that
| company, then I exercise my "right to forget", and after they
| delete my data I sign up again and repeat the entire thing?
|
| In this case a business (or 'data controller' in GDPR lingo)
| can use 'legitimate interest' as a lawful basis for processing
| the user's information. Of course the data you kept would have
| to be proportional to what you're doing. For example, it would
| be hard to argue that you needed to keep the user's billing
| address history if your services used a simple email blacklist
| (this is the 'data minimisation' principle).
|
| > how does that work in regards to bookkeeping and tax
| policies, where you are required to have data about your
| clients?
|
| As a rule of thumb, if you're using some personal data to
| comply with another piece of law then that usage is generally
| exempt from GDPR.
|
| Source: https://ico.org.uk/for-organisations/guide-to-data-
| protectio...
| NiceWayToDoIT wrote:
| Thanks.
| tyingq wrote:
| That does get complicated in the real world. You might need
| to retain some data for potential future refunds, for
| example. But perhaps the application that does refunds also
| does the loyalty program, and the internals of the app aren't
| always separate enough that you can delete/obfuscate/whatever
| info from just the loyalty part.
| hkh28 wrote:
| > You might need to retain some data for potential future
| refunds, for example.
|
| Then that would be a legitimate interest, and you could
| store that information for a period of time that is
| reasonable for processing refund requests.
|
| But you would be barred from using that same information
| for a different purpose, e.g. the loyalty program.
|
| GDPR article 25 requires systems to have privacy built in,
| so a system such as the one you describe, where a separation
| of these concerns is impossible, would probably itself be in
| violation of the regulation.
| neitrino2 wrote:
| Great Project! Looks very promising!
| stremovsky wrote:
| Thanks!
| throwaway823882 wrote:
| I think there would be more value to this project as a standard,
| and a set of implementations of the standard in different
| libraries and frameworks.
|
| The companies I work for are just going to re-implement this
| (poorly) in their own language and framework. They generally
| can't just pick up a single turn-key solution, because they
| already have 50 custom internal systems with records they need to
| manage.
|
| If there were open source libraries that followed a standard for
| GDPR record management, they could pick up those libraries and
| plug the pieces they need together, according to the standard.
| That would remove a lot of bugs from trying to write all the code
| themselves, and make it easier to integrate different systems.
| canveed wrote:
| Looks interesting, good luck!
| stremovsky wrote:
| Thanks!
| Johnyma22 wrote:
| Demo goes to 502 bad gateway ;\
| stremovsky wrote:
| Hi, the demo is fixed now.
| stremovsky wrote:
| Hi guys,
|
| The project demo is back to life. It is available at:
|
| https://demo.databunker.org/
|
| User account: Phone: 4444 Code: 4444
|
| Admin access token: DEMO
|
| Much more info is available at:
|
| https://databunker.org/
| jonahbenton wrote:
| Really good idea. Excellent to capture the abstraction of a
| usertoken. Implementation looks like a good start. Good luck to
| you!
| stremovsky wrote:
| Thanks!
___________________________________________________________________
(page generated 2021-04-04 23:00 UTC)