What if a site simply made available direct access to download all raw data related to a session / user account that had been stored? And of course attempt to describe / explain each data point. Would this be sufficient to meet the GDPR guidelines? I have only limited exposure to this legislation so far, but want to learn more. I have no reservations about sharing all stored data with a visitor, and would probably opt to do this if it covers you instead of painstakingly going through each data point to evaluate what needs to be done.
Give the user complete access to the raw data and give them the opportunity to delete all records of that data if they choose to.
Deletion/retention of data is a harder part than accessing data. Deletion after a reasonable time, such as an account shutdown request by the user. Or users should have the option to delete. Or if you keep data for a long time, encrypting it safely. Add on top of that legal holds (subpoena) and that it’s affecting your core data models, it’s not a simple task. It’s a lot of work.
One nice problem that popped up is we have MySQL tables that can’t handle the delete traffic fast enough. GDPR is not a project you want to leave till the last few weeks.