There's no hard limit here provided by the law or otherwise. Some of the local data protection offices say that they find something of "up to 30 days" reasonable, so I guess that's a good starting point. Cutting that time in half will show good faith and you'll still be able to analyze logs, I think.
Well, you'll for example find the 30 days in this document of the data protection office of Bavaria: https://www.lda.bayern.de/media/muster_1_verein_verzeichnis.... (It's a sample for sport clubs etc.) and it's also what our lawyer has recommended to our company as the upper limit.
With GDPR and personal data, if you can justify your use then it's legit. Working out which justifications are acceptable is left -- at least partly -- as an exercise for the reader ('s legal team).
But we may observe that some practices are easy to justify, while others are more challenging. Some attempts at justification have been rejected, which means that trying to rely on them in the future is a bad plan.
Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.
> Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.
The vague, uncodified "intent" is my biggest problem with GDPR and GDPR-like laws, especially when it comes to small businesses. Even with the best intent, I've seen startups in my community get into "real" trouble trying to comply with mixed results. Not every company can afford to allocate the time/money necessary to comply with sudden deadlines and/or new technical requirements. Not every company can afford to take the risk of "I think this PII is absolutely necessary, but... could I prove it in court? Can I even afford the lawyers to try?" If I didn't read HN, I doubt I'd even know laws like this new French one even existed; I can't afford to dedicate someone to monitor changing laws around the world.
Saying "it's important for businesses to allocate sufficient resources toward researching evolving law in every country they might do business in, and it's okay if businesses fail if they can't afford to do so" is reasonable.
Saying "if you're trying to do the right thing, you'll be fine" is, quite frankly, the complete opposite experience I've seen from most well-meaning companies in my sphere trying to accommodate GDPR rules with limited budgets.
Of course, I am located in the US so maybe this is the intended result.