
For me the biggest flaw of GDPR is that it does not distinguish between something done as a business to make money and something done non-profit, as a hobby project, etc. GDPR killed forums, etc.; everything moved to Facebook groups, where people agree to whatever Facebook wants.

Who will create a forum for a community if one has to deal with all the bureaucracy, "right to be forgotten", data accuracy checks, data export requests, gathering consents, being responsible for bugs in some forum software if there is a data leak, and risking huge fines if something is not done correctly?

Another issue is the vagueness of the regulation. What exactly is data processing/controlling? If kids leave their clothes in kindergarten or school, can clothes be signed with the kid's first and last name (so it is easier to find lost items)? Is school a processor or controller of kids' PII in that case? Probably not, but who knows what will happen if someone's signed hat is stolen?



If you do not have resources to take care of PI then perhaps do not gather and store it in the first place?

Forums do not necessarily require personal information to exist.


Except that a commonly used user name is already "personal information". And the email address you've used to register to the forum. And the IP address that you use to access the forum.

AND EVEN THE RANDOM UUID THAT YOU ASSIGN TO USERS ON YOUR FORUM BECAUSE YOU'VE GIVEN UP AND ONLY IDENTIFY USERS BY THAT AND THEIR PASSWORD.

In effect everything where a user has to input something instead of being just a recipient, or where the user is connected to any persistent identifier contains PI according to GDPR.

Say bye bye to most kinds of technical server logs used to debug stuff, to your database, and storing stuff in general.

The only way to be truly GDPR compliant if you followed the law to the letter would be to just provide TV and Teletext service via radio waves.


What kind of personal data do you need to store for a forum? For what purpose?

> Who will create a forum for a community if one has to deal with all the bureaucracy, "right to be forgotten"

Most forums are created with software handling everything; virtually nobody creates a forum from scratch with his own tech stack.

> If kids leave their clothes in kindergarten or school, can clothes be signed with the kid's first and last name (so it is easier to find lost items)? Is school a processor or controller of kids' PII in that case?

People asking these kinds of questions are either trolling or making their life much harder than necessary... The text is pretty simple if you read it in good faith and don't act like a 6th grader who doesn't want to do his homework and pretends he doesn't understand the question...

Do you think GDPR is aimed at Facebook & co. storing millions of users' data without the immediate business need nor the consent for it? Or at kindergarten kids who have their name written on their clothes?


> Most forums are created with software handling everything; virtually nobody creates a forum from scratch with his own tech stack.

If you don't host the forum yourself you need a data processing agreement with the hoster to be GDPR compliant. If you want to load the user image from Gravatar, you need a DPA with Tumblr. Good luck with that.

Reading contracts and laws in good faith is a pretty bad idea if you don't like being sued and losing. Always read laws in a way as if someone was going to use it just to ruin your day.


The GDPR only regulates automated data processing and manual data processing where a "filing system" is used, so your kindergarten doesn't "process" children's data just because they write the children's names on their coats... In general I think you're exaggerating a lot of the problems; many forums are still alive and kicking and most forum software has been updated to accommodate the requirements of the GDPR (which aren't very difficult to implement in any case).

The centralization of the web on very few commercial platforms has many reasons; data protection is probably the least important and might even be a counter-force in my experience.


Forums died a decade ago. Everyone moved to Facebook, Reddit, Discord, etc. This is not a GDPR problem.


A school most certainly already is a data controller as it has way more PII than just your kid's name.


The guidelines are pretty clear on what processing is, what data it covers and who controllers are in those circumstances. The biggest flaw I see is people don't read them and assume any data in any context is bound by it and it becomes a stick to beat everything with when it's not required.

I'm afraid your example is a prime case of that - leaving a hat at school that happens to have your name on it clearly doesn't fall within the remit of data processing under GDPR; it's a strawman (straw boater?) argument.

I also don't agree it's a bad thing to make no distinction on size of company, doing so would leave a grey area of when a thing becomes "big enough" to transition from outside to inside scope and therefore gaps in the enforcement.

If you want to build a hobby forum, you're free to do it without requiring my personal data. If you want to collect my data for analysis or marketing then I absolutely want you to abide by the rules and look after it even if you're a lone programmer in his basement.


I'm not sure why it should do that. Data is data.

In the end though, you don't have to go crazy about it, because there is zero chance of enforcement over small pebbles.



