
> That's ... just wrong

The lawyers would disagree with you. If the email address contains anything that identifies you personally, it's PII and thus falls under GDPR. Therefore, if you collect email addresses you have to go through great pains to protect them.

As for the rest of your stuff, while you are technically correct, your comment is pretty useless. We live in a data driven world that requires.... well... collecting data. Saying "just don't collect email" isn't helpful, and collecting IP address info without associating it with use data is pretty pointless.

It is a huge, expensive undertaking to make any kind of "legacy" pre-GDPR infrastructure GDPR compliant.

> If you simply avoid collecting data, none of the other stuff affects you.

If you are doing anything useful on the internet, you are collecting data.



> The lawyers would disagree with you. If the email address contains anything that identifies you personally, it's PII and thus falls under GDPR.

You are simply missing the point. It's not required to "contain" anything. If it is the email address of a person, then that makes it PII.

> Therefore, if you collect email addresses you have to go through great pains to protect them.

Well, yes, of course you do? If you want to profit from using other people's addresses, you better make sure they don't get harmed by it.

> We live in a data driven world that requires.... well... collecting data.

Erm ... no? We don't live in a data driven world, we live in a world where some people are completely unwilling to respect the boundaries of other people and consider it their right to do whatever it takes to manipulate them in their interest. There is no such right, there is nothing that requires that you violate other people.

> Saying "just don't collect email" isn't helpful

Well, whether it is helpful depends on what you expect to be helped with. But it is a perfectly viable thing to do. If people voluntarily hand you their email address so you can send them invoices, say, there is absolutely no problem with you doing so, because that obviously means that there is consent. Anything beyond that, and you are just selfishly trying to ignore the interests of other people, and it is perfectly viable to just not do that.

> collecting IP address info without associating it with use data is pretty pointless.

... so don't do it, then?

> It is a huge, expensive undertaking to make any kind of "legacy" pre-GDPR infrastructure GDPR compliant.

Erm, well, it's an expensive undertaking to stop being an asshole ... so what?

> If you are doing anything useful on the internet, you are collecting data.

So, if I publish a free software project on my own web server that doesn't write any log files ... that's not useful? Could you explain how exactly that reasoning goes?


> Saying "just don't collect email" isn't helpful

If you don't need that email address for anything, then don't collect it. If you do (perhaps because the customer has agreed to let you send them email), then fine, collect it, but also provide a way to delete it, permanently, if the customer wants to terminate their relationship with you.

> It is a huge, expensive undertaking to make any kind of "legacy" pre-GDPR infrastructure GDPR compliant.

Yes, it is. But worthwhile things are often not trivial.


> But worthwhile things are often not trivial.

Indeed. But there is not trivial, and then there is prohibitively difficult and expensive to the point of being unreasonable.

Obvious examples, exhibit A: Suppose you use a deduplicating backup system, and being a responsible service you also ensure that all user data is properly encrypted as part of your backup process. If each single customer who decides they don't want to deal with you any more can require you to remove any reference to them from anything you currently store or have ever stored, please describe a technically and commercially viable strategy for reliably cleansing your backups.


Here's the thing: tough shit. I am super tired of the "it costs too much", "it's too hard to do" excuses. You've built your business off of my data. Not yours. Mine. I dictate how it is used and who has it. You keeping my data can actually be a threat to my security and livelihood.

We have swung way too far into a regime where personal information is irresponsibly slung around the internet with no accountability and no consequences when that data is misused.

> If each single customer who decides they don't want to deal with you any more can require you to remove any reference to them from anything you currently store or have ever stored, please describe a technically and commercially viable strategy for reliably cleansing your backups.

That's not my job to do. That's "your" job as a responsible technologist to figure out, based on your knowledge of your systems and processes. I'm in the midst of preparing to be GDPR compliant at my employer, and I'm not saying it's easy, but all these problems are tractable. Would I rather be focused 100% on building new products and features? Sure, who wouldn't? But part of being a professional developer is taking responsibility for the software you write, which includes handling customer data with respect. GDPR is a step in the right direction for that.


> I am super tired of the "it costs too much", "it's too hard to do" excuses. You've built your business off of my data.

I haven't built my business off your data or anyone else's, unless things like having your details to charge the agreed payments or keeping routine server logs count. None of my businesses is in the data harvesting field, nor do any of them collect personal data that isn't legitimately relevant to what they do or share it with any third parties other than to help do whatever it is they do.

> Not yours. Mine. I dictate how it is used and who has it.

Well, no, you don't. You might wish you did, but neither the law nor the facts are currently on your side. This will remain the case even under GDPR.

> You keeping my data can actually be a threat to my security and livelihood.

Your paranoia may be a greater threat to your security and livelihood. There is very little that we do that could pose any significant threat to anyone even if our systems were compromised. How do things like keeping records of how people are using our own services and resources to help with our own planning and protection against abuse pose any threat to you whatsoever?

> That's "your" job as a responsible technologist to figure out, based on your knowledge of your systems and processes.

And I suggest that for many businesses, no solution will exist that is responsible in terms of good practices like keeping proper records and back-ups, compliant with the letter of the law under the GDPR, and commercially viable in the face of people actually exercising their full rights under that law.

> But part of being a professional developer is taking responsibility for the software you write, which includes handling customer data with respect.

I am a staunch advocate of privacy and protecting the rights of the little guy. I do treat all personal data with respect, and we go to considerable lengths in my businesses to ensure that such data is not collected or shared unnecessarily, is stored and processed according to good practices, and so on. We have always done so, from day one, even with only limited resources and sometimes at the expense of doing things that would no doubt have made us more money but crossed into territory we weren't happy being in.

My objection to the GDPR is precisely that despite doing reasonable things to run our businesses and doing nothing that most people would consider even remotely controversial or unreasonable, we are still subject to the kinds of excessive and expensive measures we have been talking about. It's rather ironic that the obligation to notify third parties to which data has been disclosed comes with caveats about being impossible or involving disproportionate effort, yet the obligation to erase data held directly does not.

However, given that this is the case under the GDPR, it's hard to imagine how most businesses could withstand full enforcement of the right to erasure by customers wanting to make trouble without compromising their ability to operate viably and responsibly in other respects. That is not, IMHO, a good law, even if you're a privacy advocate. In fact, since it sets an almost impossibly high standard for compliance, it is arguably worse than a more moderate law, because businesses may decide that they're screwed in any case if someone wants to make trouble so they have little to lose by not doing their best in terms of data protection.



