• By defining all information that is processed and why.
• By not processing and storing any personal identifiable information (an IP address is PII for example) without a clearly defined need.
• When stored ONLY using data for the defined purposes. This also means shielding data that should be shielded.
• By implementing the mechanics for someone to be forgotten (delete my account, should delete all info, especially PII).
• Making sure the mechanics to federate these changes/deletions exist.

You can’t and this is a shit article…the GDPR doesn’t apply to instance outside of the EU…

The GDPR even applies if no financial transaction occurs if the US company sells or markets products via the Internet to EU residents and accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, markets in the language of an EU country, etc.

https://www.dickinson-wright.com/news-alerts/what-usbased-companies-need-to-know#:~:text=The GDPR even applies if,language of an EU country%2C

Literally people using the GDPR like it’s some gotcha thing for admins. If nothing is sold or offered to be sold and their is no financial gain it’s not going to apply. On top of that good luck suing a FOSS dev.

Edit: that downvote button does jack shit on Lemmy people. If you think I’m wrong why not prove that I’m wrong…and why a bunch of law firms are wrong as well.