-
Yes.
I'm still not totally sure of what my obligations are, or the legal ramifications from failing to fulfil them, or the requirements of a data officer WRT GDPR.
So... just holding no data whatsoever outside of that which you can access via the public website and API... that's an excellent position to be in.
The only possible thing I can anticipate that might be problematic in future is if someone requests data, but does not have any way to prove that they have the right to it. As in... we purely identify based on email address and have no other means at all, and if you have lost access to an email address but wish to make a data request then there is no way that I could ever fulfil that as you'd need to prove you were the individual who owns the email address for me to release data to you... and you wouldn't be able to produce such proof that could convince me if you didn't still have access to the email address (as just saying "but the email is my name" is not a strong assertion that you once had ownership of the email).
-
I'm pretty sure I read in one of the many ICO documents that an email address can be considered personal data if it has an individual's name in it.
All in all the GDPR is hopelessly vague, and the ICO guidelines were still unfinished when I checked them last week. It's impossible to know how to apply them without professional help, really. You just have to do the best you can and try to make sure that, if you ever get pulled up on something, you can show good intent.
Do you feel relief from this approach? Hopefully it's the best choice for you.