GDPR stuff (how do you make that 15 characters)

In the UK (and I think the US) the law is based on what the law says not what the law intends. If the meaning is ambiguous or ludicrous or against public policy the Judge can look at what parliament intended, otherwise what it says is the law. EU law is interpreted differently, each statement of law must be considered within the context of the piece of legislation. Therefore, some of the more extreme parts of the GPDR may not be interpreted so strictly when considered within the whole law itself. I am not a law person so maybe I have misunderstood, happy to be corrected.

I have not read the GDPR (as I am waiting for the audiobook or the movie). It occurs to me that Sean Connery could ask a film studio to remove all personal information it holds on him. Therefore the new edition of Dr No is going to be 3 minutes long and won’t feature 007. Surly the law has carve-outs for such things and therefore maybe the Github thing is covered too.

Yes, there is.

Yes, it is:

Article 17(3): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing

Also, right to erasure (right to be forgotten) is about removal of personal information, not copyrighted material, so the GDPR would be irrelevant if someone said “I want my code removed from a repository”. Unless their code looks like

function myNameIsRobertPaulson ( int myAge=38, var myDOB="1980-04-01" ) {
  print "My address is 537 Paper Street, Bradford 19808";
  identifyingFeatures = [ 
    "mole on left cheek", 
    "pimple on right eyebrow", 
    "missing toenail on left pinky toe"
  ];
}

then they wouldn’t be able to use GDPR for that purpose.

I have been doing quite a bit with the GDPR recently. The thing that you will miss by reading the law is what you really need to do. And that is have a process where you consider all the decisions that you make and document the justifications for what you are doing. This is the bit called Privacy by Design.

Yes you need to look at the principals, but if you have documented what you did and the reasons you are unlikely to get hit with this.

The way companies will get hit by this is if they have a breach, (which they will have to notify within 72 hours) and then the Information Commissioner comes to have a look, and they have done things and dont have the documentation to show what they have done and why.