Re: [w3c/payment-request] Regulatory Compliance Support (#632)

> Do you expect every business that uses your specification in Europe to have to do a privacy assessment from scratch when looking at your api? Either you can help them out, or they'll have to assess the privacy impact each themselves. All sites will require a privacy impact assessment throughout the EU
https://www.itgovernance.co.uk/blog/gdpr-and-privacy-impact-assessments-why-are-they-required/

First of all, a Data Protection Impact Assessment will not have to be performed for all sites, and that article does not state that.
Secondly, when making a PIA/DPIA, it all depends on the setting. You are asking "what"; a DPIA should say "why" and "how". It's a standard API, and even using your way of reasoning, businesses would still need to analyse their existing payment solutions. So if they include a new API, it's only a slight change?

> In terms of amount of work, it is one large piece of work to allow lots of business to do a small piece of work, or a small piece of work that forces lots of businesses to do a large piece of work.

Again, a lot depends on the context.

> If this spec fails a privacy impact assessment, then it is illegal to use in various industries and use cases... risking businesses falling foul of breaking the law because they would erroneously believe the spec was okay and worse the human factor of risking privacy.

Sorry for going off-topic, but is it also the case for other APIs? I think so!
Still, I am not convinced this is the right place to look for a full PIA.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/payment-request/issues/632#issuecomment-335783314

Received on Wednesday, 11 October 2017 11:45:27 UTC