New European Union privacy directive - 679/2016/EU or GDPR as the common term is - will be either reason for celebration or horrible business-breaking problem, depending on how prepared you are. And of course how invasive your information excavation happens to be (*cough*facebook*cough*).
From purely personal perspective it's pretty great - no longer can these huge privacy-sucking corporations just vacuum out everything about you and post it for anyone to take without you having any say about it.
But for many businesses it can be a huge problem, scope of which many haven't realized yet. Aside the typical issues mentioned just about everywhere, there is also how personal data is defined;
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.This is direct copy from directive text. If you start reading this like the proverbial devil reads the bible, this is a huge can of worms. For example, if you have web page somewhere, there very likely is an access log there too, one that logs IP addresses. Now, that IP address may not tell you who the user is, but indirectly it can be used - when combined with other data, say, logs from other services - to identify the user.
No, I am not kidding. I was just recently in a meeting where a lawyer actually said this - there is already a court case that essentially said this.
This meeting went on, but the end result was that just about anything can be 'personal data' and must be treated as such. By this point I had loads of alarm bells going on in my head, and the IP log mentioned above wasn't even close of top issue in my mind.
How are your logs and databases doing, by the way?