
Ask HN: What is your company doing for GDPR compliance? - nrjames
The EU's General Data Privacy Regulation goes into effect at the end of May. Our company is getting ready to spend probably 8-person-months of labor time becoming compliant (for a mobile app that uses advertising). It's a giant pain to navigate the policy when you're on a small-ish team without somebody who has been paying close attention to this.

Here's the GDPR website: https://www.eugdpr.org/
======
jgimenez
We're a development & product company and are currently adapting to GDPR. We
compiled some useful tips in this article:
[https://bugfender.com/blog/how-to-comply-with-the-gdpr-eu-la...](https://bugfender.com/blog/how-to-comply-with-the-gdpr-eu-law/)

You must first evaluate which level of compliance you need. For cases where
the data is not very sensitive, compliance is a matter of following some
simple rules. If the data you're collecting is sensitive, you need to do a
risk analysis and decide for yourself on the requirements you should follow
(which IMHO is bad for both consumers and companies, since they do not have
clear rules to follow).

If you fall in the "simple" case, in summary you just have to:

- Guarantee certain rights, which might require some changes but are not
necessarily too difficult, like allowing users to delete and export their data.

- List the suppliers processing data for you and have a contract with them.
Also not very difficult, but it might require some time and requires your
suppliers to adapt too, which is probably the most difficult step.

------
eb0la
Probably the most important part of GDPR is the fact you must prove you're
doing reasonable efforts to comply.

In my company we've set up an internal redmine project that tracks and has
pointers to all development and administrative work related to data
protection. We also upload a copy of the final documents we produce there, to
have everything in one place.

Why? In case of inspection, you cannot fake 2-3 years of work in a few hours.

------
danieltillett
Nothing. I am waiting for the EU and its army to enforce it on companies like
mine that have no business presence in the EU.

We don't collect personal information and if someone wants to have their data
removed I am happy to do this too.

~~~
foobarbazetc
No one expects them to enforce it on you.

But don’t be surprised when your EU customers start leaving for products that
do comply.

That’s kind of the whole point.

~~~
danieltillett
Considering we are B2B and don't collect personal data I think this is
unlikely.

I feel for the poor EU companies that have to deal with this mess. If you are
a smaller company it might be best to do the bare minimum and hope you sail
under the radar.

------
iends
I work for a fairly large company and we've been working on GDPR since like
last October. There is a lot of ambiguity on unstructured data that we don't
parse/process (things like customer-uploaded images, PDFs, etc.) that seems to
be confusing for product management and/or legal.

If a customer uploads an image or PDF and it's got a second customer's
protection information in it, how am I supposed to know? It's just sitting in
an s3 bucket without any introspection...

------
motocycle
By 8-person-months of labor time, you mean 4 people working on it on a
quarter-time basis for the next 4 months?

Deadline is May 25 2018 which is less than 4 months from now. I'm planning
this and talking with various consultants right now. Happy to share the
details if anyone is interested.

------
imhoguy
The worst is for a side project that is making a small buck from freemium
subscriptions. The project is finished and almost maintenance-free. I am
considering killing the project or explicitly requiring only B2B users (no
consumers). There is also the option to move it all behind a US reseller to
avoid unnecessary compliance burden.

------
idoh
Mainly supporting the Right of erasure. I’m the PM working on it, so lots of
talking to our lawyer, consultants, going through all the db fields, etc.

If you are a SaaS provider then GDPR is table stakes now.

