
What does the GDPR actually mean for startups? - milly1993
https://hackernoon.com/what-does-the-gdpr-actually-mean-for-startups-b4010e9b962f
======
no1youknowz
As a solo founder with already too much to do, I simply looked at the GDPR and
decided to kick that can down the road for 12 months after the launch of my
startup.

Although a UK citizen, I will be bootstrapping the startup in the US and simply
blocking EU buyers from accessing the site.

Why, you may ask?

\- I don't have the funds to hire a DPO.

\- I don't have the funds to hire out an expensive company to go through the
platform in minute details and prepare it for GDPR.

\- I don't have the resources to deal with inquiries to that nightmare letter
or any questions for that matter.

\- I don't have the resources to monitor the 3rd parties privacy policies that
I send data to use their service and constantly update my own.

From my perspective this just burdens my company with more costs in doing
business with the EU. I'm more than happy to concentrate on the US and the
rest of the world.

One issue that I'd like to point out as well. Some commentators mention that
the EU is ~22-25% of the worlds GDP to be accessed. Well, that's a complete
fallacy.

The EU, unlike the US, isn't a contiguous block. There are 28 nations and 24
languages to deal with. You simply can't launch in the EU like you would in
the US. Each country has its own idiosyncrasies to deal with, which is why
some companies just launch in France, Germany and the UK and then push out to
the other smaller markets years down the line, and in some cases not at all.
There may be other local regulations to deal with.

My opinion is that the GDPR over the long term, will hamper the ability of EU
companies to do business on the world stage, even more than currently. But
that's a completely different topic for another time.

~~~
marcus_holmes
> \- I don't have the funds to hire a DPO.

Just appoint yourself as DPO. It's a role, not a qualification.

> \- I don't have the funds to hire out an expensive company to go through the
> platform in minute details and prepare it for GDPR.

Just go through your database and work out what data can be associated with an
individual. Do you have a good reason to keep that data? If yes, cool, you're
golden. If not, delete it and you're golden. The only thing that GDPR changes
about data is (rightly) turning it from an asset into a liability.

> \- I don't have the resources to deal with inquiries to that nightmare
> letter or any questions for that matter.

These are your customers. If you don't have the time or resources to talk to
your customers, then your business is going to fail anyway.

> \- I don't have the resources to monitor the 3rd parties privacy policies
> that I send data to use their service and constantly update my own.

You don't have to monitor them, you just need to read them. If you don't have
time to read contracts that you're signing, then your business is going to
fail anyway.

Pretty much everything in GDPR was already covered by existing UK Data
Protection legislation. Under UK law you already had to appoint someone in
your organisation to deal with Data Privacy, you already needed to have a good
reason to collect personally identifiable information, and an obligation to
ensure it wasn't disclosed to third parties.

I suggest you start taking all of this a bit more seriously than your comment
suggests, not because of the legal implications, but the moral ones. Your
customers are trusting you with their personal information. It's a serious
responsibility that you need to take seriously. If you can't be bothered
making sure that your customer's data is safe, then you shouldn't be trusted
with it.

~~~
Silhouette
_These are your customers. If you don't have the time or resources to talk to
your customers, then your business is going to fail anyway._

This point isn't about your customers. It's about the bitter ex-customer who
decides to take revenge through legal means by exploiting the rights they have
under the GDPR to waste your time and money. And if you think this is a
hypothetical risk, read the news today about kids lining up to damage exam
boards in exactly this way if they didn't get the grades they wanted, and
explain to me how that isn't a threat to the integrity of the examination
system.

_You don't have to monitor them, you just need to read them. If you don't
have time to read contracts that you're signing, then your business is going
to fail anyway._

The fact that you have read the privacy policy of one of your suppliers does
nothing to help the data subject. Unless _they_ have meaningful information
about how personal data about them is being processed and who is doing that
processing, they haven't really gained any meaningful control or protection.

And no small business has the time to fully read all of the legal paperwork
affecting them. Like consumer contracts, it's the great fiction of the legal
community. Most new businesses won't even have had time to read the contract
with their banks and other financial services before signing to open their
account, and those often contain some very nasty and one-sided terms. But of
course those contracts all tend to contain similarly nasty and one-sided
terms, and you're going to need those services to do business anyway.

~~~
Aaargh20318
> It's about the bitter ex-customer who decides to take revenge through legal
> means by exploiting the rights they have under the GDPR to waste your time
> and money.

Except you can't sue anyone under the GDPR. All you can do as a
consumer/bitter ex-customer is file a complaint with your country's privacy
watchdog. IF there really is a problem, they will just tell you to fix it,
that's all. You only need to worry if you're doing shady things with personal
data and don't intend to stop doing them even after being warned, in which
case you deserve everything you get.

~~~
Silhouette
Unfortunately, the entire point of the "nightmare letter" was that much of
what you just wrote isn't actually true. It wasn't about suing anyone. It was
about wasting their time and potentially their money identifying which of the
numerous points actually required a response (and a few traps among them that
most certainly did not) and then gathering lots of obscure information they
probably didn't just have as standard in their usual information management
systems or published in their privacy policy, and highlighting the fact that
the GDPR removed the small but non-zero fee that previous law allowed for
exercising these rights that served as a practical barrier to this kind of
abuse.

~~~
Aaargh20318
> It was about wasting their time and potentially their money identifying
> which of the numerous points actually required a response

I've seen the letter and it's all questions you should be able to easily
answer anyway. If this letter would be a nightmare scenario for you, you'd
better get your shit in order, regardless of the GDPR.

~~~
Silhouette
_I've seen the letter and it's all questions you should be able to easily
answer anyway._

The _very first point_ in that letter requires identifying every communication
you have ever had with or about the data subject that is still stored anywhere
in your organisation, among other actions. If you think that is easy,
presumably you know how to automate that process, in which case I look forward
to seeing the multi-billion-dollar business you have presumably built scanning
unstructured data reliably in ways that no-one else has figured out how to do
yet.

~~~
Aaargh20318
> The very first point in that letter requires identifying every communication
> you have ever had with or about the data subject that is still stored
> anywhere in your organisation, among other actions.

The magic words here are "still stored". PII is a liability, so you never want
to store it longer than absolutely necessary. Why are you hoarding this data
when you can't even retrieve it easily? What is the point?

~~~
Silhouette
_Why are you hoarding this data when you can't even retrieve it easily, what
is the point?_

Do you have a filing system for every email you ever wrote? Can you identify
every backup copy, every forwarded message, every print-out, every excerpt
copied and pasted into a Word document? Can you remember or look up every
individual ever referenced in those messages?

Now, let's talk about letters. The paper kind. And faxes. Including
unsolicited ones that aren't part of any formal process where a customer
helpfully included their password so you knew it was from them. And mentioned
that it's their mother's birthday, in case you were wondering.

Have you ever written down an address or phone number on a piece of paper
because that was what you had to hand when someone read it out to you over the
phone? Or opened up a quick text file to keep notes from a meeting?

If you're a director responsible for a company of 2,000 staff, do you think
anyone else in your company has ever done any of those things, and would you
like to bet your job that no-one ever kept a record other than as part of your
comprehensive, perfectly-specified and loophole-free official processes?

If you're a director of a startup with 5 people, do you even have those
processes, or is almost everything actually being done with text files and
Post-It notes (or Slack channels and Google Docs, or...)?

This is not an easy problem. People have made very, very large amounts of
money building businesses trying to solve this problem, and the first people
who really nail it are going to make even more. You can't just hand-wave away
the possibility of having personal data that is not immaculately organised,
rigorously controlled and fully indexed in any organisation of significant
size and lifetime. A law that makes such a requirement is like a law that says
you can only ship software with no bugs, or a law that says all laws will be
unambiguous and enforced with zero tolerance.

~~~
marcus_holmes
GDPR wasn't put in place to monitor people scribbling down phone numbers on
pieces of paper. It was put in place to stop companies from hoarding vast
amounts of personal data and using it to infringe on people's privacy (as well
as making sure they looked after it properly).

If the regulator finds out that one of your staff scribbled down a customer's
phone number once on a piece of paper while serving that customer, they won't
care. If they find that your customer service process requires your customer
service staff to scribble down phone numbers on scraps of paper that are then
put out with the garbage, where they can be dumpster-dived, they will care
(and so should you).

This is not some huge regulatory over-reach that will force you to go through
every piece of paper in your organisation. It's a check on your data handling
that forces you to acknowledge the trust placed in you by your customers.

~~~
Silhouette
_GDPR wasn't put in place to monitor people scribbling down phone numbers on
pieces of paper. It was put in place to stop companies from hoarding vast
amounts of personal data and using it to infringe on people's privacy (as well
as making sure they looked after it properly)._

Sure. The _intent_ of the GDPR has not received much criticism, at least not
that I've seen. The concerns some of us have always had are more about
ambiguity and interpretation, because on the one hand the law as actually
written doesn't allow for much leeway in some cases, and yet on the other hand
it has huge ambiguities in key areas hiding behind words like "reasonable" or
"legitimate".

It's easy to look at extreme positions, such as the example I gave above for
illustrative purposes, and say no regulator is ever going to expect all of
that. Probably you'd be right. The difficulty is that somewhere between not
doing much of anything to comply and the other extreme such as I described,
you cross an invisible line from being sufficiently compliant in the
regulator's view (or potentially a court's if it really came to that) to not
being sufficiently compliant _and no-one really knows where that line is_.

When you have not just the threat of fines but also potentially very
significant costs in adapting your systems and processes, that sort of
uncertainty is never good for anyone. That is particularly true in a case like
GDPR, because many of those adaptations are more about being _seen_ to comply
than about fixing any actual security vulnerability or abuse of privacy or
other tangible problem.

~~~
marcus_holmes
I get it. The best explanation I've heard is that this is a major difference
between EU (and UK) regulation and US regulation. In US regulation, the letter
of the law matters. In the EU the spirit matters.

The UK has had regulation like this for decades, and as loosely worded. The
regulator rarely imposes fines, and then only when forced to because the
infringer is refusing to change their processes. Almost always they give some
advice, sometimes a warning. This is done in the context of a conversation
with the regulator, like "hey, we've received a complaint, have you got any
reason why this happened?" instead of "we received a complaint, you're fined
$1000 for it".

It's not a revenue source for the government (which it would be in the US).
The wording is loose deliberately so that the regulator has the power to
enforce the spirit of the regulation without getting tied into knots by the
letter of it.

So yeah, I get that it's freaking people out. And there are costs in adapting
processes. But, to be honest, if those processes need adapting then they were
probably doing the wrong thing in the first place. Also, the EU gave everyone
years of warning, and nobody paid any attention to that.

------
robinjfisher
I'm surprised that the guide doesn't address automated decision making about
users. In my day job, we are using a scheduling platform for short-notice,
short-term work, e.g. social care. A job is loaded on the system and pushed to
x users for acceptance (fastest finger first).

The system has a ratings module (not active yet) whereby clients can rate the
worker and vice versa. The system then makes decisions on future job releases
based on the ratings. Part of the reason for not having the module active is
due to the issue of communicating to the affected users how those decisions
are being made and providing them with a right of manual review.

As organisations increasingly rely on AI or ML to make decisions affecting
individuals, so grows the need for greater transparency into those decision
making processes so they can be communicated to the people concerned.

------
docdeek
>> The scope of this protection extends to any natural person in the EU which
can mean users, employees, vendors, partners, customers or even members of the
general public.

I hadn’t considered GDPR from the perspective of a company
collecting/maintaining data about employees (as opposed to clients, prospects,
website visitors etc.). Do the same rules apply inside a company for an
employee as they do for a user of a web service? Can I, for example, request a
copy of all identifiable data collected and maintained about me by my company
in the same way I might request it of Facebook or Twitter?

~~~
proaralyst
Yes. You can request a copy of any personal information held by any company.
This is a pre-GDPR right too.

~~~
docdeek
I was not aware of this - thanks for the reply.

------
dahart
> where your base of operations is in the EU; where you’re not established in
> the EU but you offer goods or services (even if the offer is for free) to
> people in the EU; or where you’re not established in the EU, but monitor the
> behavior of people who are in the EU (as long as that behavior takes place
> in the EU).

Question — IANAL, but I read a summary on a legal website (I’ll see if I can
find a link) of GDPR that said it applies to non-EU companies not when you
offer services to all people, some of whom might be in the EU, but when you
specifically target and advertise to EU citizens. It sounded like a web app,
for example, that is marketed generally toward anyone and allows connections
from anywhere, would not be legally subject to GDPR, whereas if I, say,
localized in German and had a campaign to get German teachers using my app,
then GDPR applies.

Aside from whether adhering to GDPR is a good idea anyway, and I think it is,
is that distinction correct? Can strict GDPR be avoided if I’m not targeting
the EU specifically, and my customers aren’t primarily EU citizens?

EDIT: here's the link: [https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)

Here's the text:

"When the regulation does not apply

Your company is service provider based outside the EU. It provides services to
customers outside the EU. Its clients can use its services when they travel to
other countries, including within the EU. Provided your company doesn't
specifically target its services at individuals in the EU, it is not subject
to the rules of the GDPR."

~~~
maaark
That doesn't sound right to me.

~~~
dahart
Care to elaborate? Do you have law experience or some sources that clarify?

