Hello!
I’m planning on posting a blog post on May 25th outlining all of the actions we’ve taken towards GDPR compliance. We’ve been discussing this topic for months now and have had a number of people advise us on how to comply. The good news? Our standards for data privacy were good to start with; I would summarize our efforts towards GDPR compliance as “a couple of minor fixes and improving verbiage to be more GDPRy”.
Google Analytics and LIstenBrainz “processing” acknowledgement are the two biggest changes that we’re making towards this effort. Completely automatic removal of user accounts when a user removes their MusicBrainz account is another one, but that will not be complete in time for GDPR day. In the meantime someone can remove their account by mailing us, which is not ideal, but GDPR compliant.
What happens if a artist asks to have information removed?
We remove birth day and birth month information if an artist requests it. Other information in MusicBrainz is not Personally Identifying Information, but public record. We clearly stand as an organization that is archiving public (non-personally identifying) information and people wishing to remove data from MusicBrainz need to have a compelling reason to do so. We get these requests periodically, but very few are granted.
So, really we anticipate no real changes to how we operate – please keep adding data to MB! And yes, we’ve been having a lot of discussions around this and informal discussions with Wikipedia and Google suggest that they are also aware and working very hard at addressing this. I can’t imagine what sort of hell must be happening in the EU offices of Facebook. (serves them right, methinks 
).
I hope this answers your immediate questions – if you have burning follow up questions, please ask them. Otherwise I ask that you wait for the GDPR blog post to appear, which should hopefully address the bulk of questions for people.
How does that sound?