
Ask HN: How is GDPR affecting your business? - funfunfunction
GDPR will undoubtedly have an effect on most businesses. I'm curious what the impact has been. Is it mostly financial? Have you had to make changes to the services you integrate with or create new technology to service users looking to view or manage their data?
======
standyro
I work for a major news media company and our GDPR compliance has been
extremely difficult with our relatively small dev staff that manages many news
outlets so we've opted to block access from all of Europe. It's gotten a lot
of press, but it's an unfortunate reality. Most of our adtech and analytics
vendors we use have put the burden on smaller companies like us -- ripe for
disaster.

~~~
hankhonk
then stop using them, instapaper

------
hoborama
I work for one of the biggest (non-tech) companies in the world, and in many
countries we've been storing user data in spreadsheets all over the place and
often without consent. So it's been pretty frantic.

~~~
ASalazarMX
He asks "Have you had to make changes to the services you integrate with or
create new technology" and your answer has spreadsheets. I bet that was
unexpected.

------
drspacemonkey
Right now, it's not. Management has decided that we're going to keep operating
the way we have been as if the GDPR didn't exist, and hope nobody notices.
Which isn't a surprise, this company is very reactive. Proactive planning
doesn't happen.

~~~
geofft
Out of curiosity, what industry is the company in, and are you in Europe
(either physically, or do you have a significant European market)?

~~~
drspacemonkey
We're in fintech. And we're not in Europe, but we're about to start a big
project targeted towards European users.

~~~
jacquesm
Wow. That's a pretty interesting attitude to take. The consensus here among
the M&A crowd is that either fintech, medtech or social media will be the
verticals where one or more examples will be made. Best to hope none of your
users complains to regulators.

~~~
drspacemonkey
We've already got users who fall under GDPR protection. Not as many as we will
by the end of this year, but some.

And really, I've done all I can do. I've talked it up, given powerpoint
presentations, and emailed a comprehensive report about penalties for failing
to comply as well as a project outline for becoming compliant.

~~~
jacquesm
I believe you. I know a few other cases like that and I really wonder how we
got here. I've been CEO of a 25 people company with presence in both Canada
and Europe, I would never ever chart a course like that but maybe I'm just too
risk averse.

In the beginning of Camarades.com/WW.com we had a lot of interaction with LE
because of all the stuff our users got up to online and we tried very hard to
comply with the various laws. It did not always work perfect but it worked
well enough that we earned the respect of the various LE contacts that we had.
I can only imagine how it would have ended if we had thumbed our nose at them.
Going global means you need to change your attitude.

------
BjoernKW
I run a small consulting business.

It's been quite some effort but for my business so far it's been a net
positive because it made me rethink, clarify and streamline my processes.

~~~
anothergoogler
How does GDPR affect your business? You're not really responsible for
anybody's data, presumably you inherit the policies of your customers.

~~~
BjoernKW
First, I'm responsible for handling my clients' data, such as their email
addresses or phone numbers. It doesn't matter that they're business customers
rather than consumers. GDPR still applies.

Secondly, though not always the case, I might have to process their respective
customers' data in some way in order to do my job (by having access to a
production database, for example).

So, yes, GDPR absolutely does apply to my business.

~~~
BigMan555
So you're saying that you are asking consent to store the phone number and
email address of a client? And you'll provide clients with the right to be
forgotten, meaning that you're prepared to delete their contact information?
This seems like overkill.

~~~
BjoernKW
> So you're saying that you are asking consent to store the phone number and
> email address of a client?

No, I didn't say that. GDPR doesn't mean that you have to ask for consent in
each and every case. If as a business you have a legitimate interest to store
client data for a specific purpose you don't have to ask for explicit consent.
Being able to contact clients in the future who contacted you first
constitutes such a legitimate interest.

As for the right to be forgotten: Sure, why wouldn't I? If they don't want to
be contacted anymore and want me to delete their contact info I'm happy to
oblige.

~~~
anothergoogler
Past invoices will have names and addresses, will you shred them? Don't you
need them to file taxes?

~~~
BjoernKW
Existing laws and accounting standards still take precedence over GDPR. Past
invoices and accounting entries remain as they are.

------
jimnotgym
Very little if any change. We were not doing anything creepy with users data
and complied with the Data Protection Act of 1998. We updated our privacy
policy with new wording.

------
kenhwang
We just blocked European traffic. They're not profitable enough to be worth
the headache.

~~~
KirinDave
Can you please tell me who you work for so I can avoid using you?

I don't actually want to be profitable for you if I'm not paying for the
service.

~~~
kenhwang
Fortune 500 in the Oscars/Emmys winning business. We have European partners
and distributors for our stuff that Europeans are supposed to be using anyway.
"This content is not available in your region" will probably become a lot more
common. We'd prefer you pay for our content too.

~~~
KirinDave
It's weird how that isn't enough then, isn't it? There is some secondary data
monetization.

------
KirinDave
I work for an international education startup and while it was obnoxious to
get the technical groundwork and auditing done: it doesn't affect the business
very much. This shouldn't be too surprising; the GDPR is really only
problematic to businesses whose primary purpose was identity and interest
brokering. Most folks with actual products to sell aren't in such a bad spot.

Certainly, some folks have opted into some heroics getting all our
microservices and datastores audited. But it's good to do that periodically
anyways, so we made the audit a multi-purpose affair.

------
cyberferret
Not a great deal. Sure, more paperwork in terms of obtaining DPAs (Data
Processing Agreements) with some of the vendors we work with, as well as
preparing our own DPA for our customers, but overall not a huge impact as we
already value privacy highly in our SaaS app.

On the development side, we've had to accelerate some 'nice to have features'
that we had planned for later, to this month. Things like scheduled deleting
of old customer data, migrating to a more robust SQL system that supported
'encryption at rest' etc. Things that would have had to be done anyway.

------
was_boring
Nothing, but we are strictly located in the U.S. and only sell products in
local markets. I guess we could block non-U.S. access though.

------
linker3000
I work for a business that designs, builds and supports learning management
systems for corporate organisations. I also had the task of coordinating our
GDPR readiness activities.

As we are a 'processor' for our clients, we reviewed and updated some of our
existing infosec policies and procedures, and produced a very detailed set of
'GDPR' docs to satisfy customers asking for evidence of our compliance
efforts, and to provide data mappings, impact and risk assessments etc. We
already had most of this done internally anyway so we just needed to
'prettify' it and change the language/terms in our 'Electronic Information
Security Policy' document to match the GDPR.

We also wrote up a DPIA document about our internal systems.

All of this work took time - perhaps about the equivalent of 2-3 weeks to
plan, collate and draw the diagrams and workflows for things like our security
incident response plan and how we would sub-process subject rights requests;
like when a client receives a 'Right to erasure' request and asks for
assistance.

Overall that work was not difficult and did not cause any headaches. What has
been a pain has been responding to all the clients who send us various
compliance 'questionnaires' (spreadsheets) expecting tailored responses -
fortunately, in the main I was able to answer "see document ref xxxxxx,
section nnn".

What I am seeing now is the late-arrivals throwing in (demanding) 'for
compliance' every conceivable infosec feature they have read up about - one
today insisted we must now implement in-memory encryption! Many of these
recent demands are not mandated by the GDPR and so are being handled as
contractual changes and new feature requests so the sales team are having
discussions to explain our stance and see if the customer wants a quote to
amend their service and contract!

------
bowlich
Not a great deal. I think management got together with the lawyers to do a
cursory review but we've already been under similar legislation for at least
one of our European markets so code-wise we haven't actually changed anything.

------
teilo
We are one of the largest large format printers in the US, but our online
business does not intentionally market to the EU or accept payments in Euros,
so while I did a risk assessment for management, we concluded that we could
ignore it.

------
nhebb
One-man shop that sells desktop software. I made a few changes to my privacy
policy and called it good.

------
merinowool
My product collects a limited amount of personal information and in theory it
has always been compliant. The only thing I have doubts about is AdSense. I
have disabled personalized ads, but I have no idea if that is compliant. I'm
also working on data portability, so users can export their data. (I've never
got a request for that though.) If revenue from ads goes down I will consider
closing the business. I don't feel comfortable going the paid subscription
route.

~~~
Rjevski
Just curious, what does your business do?

~~~
merinowool
Niche Reddit like site.

------
LoSboccacc
We don't even use personal data, we just need aggregated usage metrics, but
Google Analytics was extremely convenient to collect those. Under GDPR we will
need to waste a lot of time moving event collection into some other in-house
solution like Piwik and make sure data gets aggregated and deleted properly.

Not a load of work, but we have to pause some business development
opportunities so that we have hands to put on this.

------
stunt
Working for an e-commerce company in Europe.

We didn't have much trouble. Someone from our security team was assigned last
year to teach and consult other teams within the company to keep their
products compliant.

Even before going for GDPR everything about user data was very strict, so I
don't remember if we (at least my team) did anything new.

We always had data anonymization pretty much everywhere, no production access
even to our deployment team, no third party company is allowed to store
information or even cookies from our users, a clear and short page for our
users to tell them which companies have access to some of their data (ex.
delivery company). We always have been obligated to report a data breach to
the government and users if it happens.

It is a very long list, and goes down to stuff like even HR recruiter is not
allowed to keep applicant information after X amount of time.

All of that also means sometimes we are unable to do something fancy with
users data to improve our products. Or use some third party services because
the third party company doesn't look reliable or they want to access user
data.

------
mrweasel
We were already subject to much stricter rules, so we honestly didn't have to
do anything. We have started selling GDPR consulting, so it's only positive.

Both my colleagues and I have much stricter personal guidelines on data
protection than required by our employer, our chief security officer and the
GDPR, so it's not really an issue.

------
room271
We've had a fair bit of work around cyber-security - being a bit sharper on
checking project dependencies, encrypting all data (including things like
access logs) restricting firewalls even further, better audit trails, and also
things like automatic password rotation.

I'd say this is all good stuff, and in most cases we were already doing it,
but it is difficult to retrofit in one go.

Going forward it will be a lot easier though as new projects will simply be
designed better from a security-perspective.

------
rqs
Hey, just one question: Remember the old days when many people were still using
NNTP? Your email and IP address were carried in every post you sent, and
other people had to download the whole post (including your email and IP) so
they could view it.

Did GDPR make all NNTP services illegal?

I'm asking it because I was developing an online forum application that will
publicly display your posting IP and registered email address, and sync posts
with other sites.

If GDPR made that illegal, that could be bad news for me.

~~~
geofft
> _I'm asking it because I was developing an online forum application that
> will publicly display your posting IP and registered email address, and sync
> posts with other sites._

Please don't do this.

Apart from my own rational self-interest, I'm saying this as a subscriber to
various free-software mailing lists, which occasionally get requests from
someone to remove archives of support emails they sent 10 years ago. It's
pretty rude to publicize the problems someone had and their frustrated
response from years in the past, and make it Googleable by their name.

(Also, if by any chance you want to _publicly_ display this as a means of
deterring bad behavior of any sort, spam, rudeness, etc., it's unlikely to
work - the people intent on bad behavior have proxies and anonymous email
accounts, and the non-technical folks who never even thought of bad behavior
won't think to protect their identity this way, so it will only hurt the
people you don't want to hurt.)

~~~
rqs
The thing is that due to the synchronization, users' posts could be synchronized
to another site which they are not registered to.

Thus, a mechanism must be set up to allow users to manage their content on
other sites. The mechanism that I currently planned was to use email
verification (if (User's email === poster's email): They're the owner of the
post), which requires all sync sites to know the email address (as a universal
identifier) of the content owner.

To me, that means I need to share users' emails with other sync parties which
may not be under my control. Because of that, I think it's sanctimonious to tell
users that their email is under protection; I'd rather let users be very aware
that their email will be publicly displayed.

Another reason to publicly display users' emails is because I don't want to
implement private message features (which require saving private
information), so if users can know each other's email, they could just make
contact with their emails.

~~~
geofft
How does this handle people changing their emails? Can you do the same thing
with a cryptographic signing key or something, instead? It seems like this
could be implemented in a way where I prove control over the signing key (by
signing a challenge, for instance), but I don't have to reveal anything about
my identity besides "I have access to this key" if I don't want to.

(If you're worried about not just servers changing but clients changing, and
needing to get the key over, there are protocols for efficiently and securely
transferring information between client computers, using a very short password
that doesn't need to be kept private after the transaction. magic-wormhole
implements this sort of thing.)

This may or may not apply to your site, but, in general I don't _want_ other
users of a website to be able to PM/email me unless I specifically authorize
them to. Requiring that my email is public does not provide me this control.
You can do what HN (which doesn't implement PMs) does and let people have an
optional public profile, where they can list a way they want to be contacted
by other users if they want.

~~~
rqs
> How does this handle people changing their emails?

It can, as long as the email change request can be synced as well. It may have
some security problem need to be resolved, but I think it can be worked out.

> Can you do the same thing with a cryptographic signing key or something,
> instead?

It's actually a better idea. If I can implement something like PGP (with
maybe WebAuth), then the user only needs to submit their public key. When
authentication is needed, the server will send a challenge (a message encrypted
with the user's public key), then the user decrypts it with their private key
and sends the decrypted message back to the server for verification.

However, I'm still figuring out the whole WebAuth thing, so no decision is
made yet.

> This may or may not apply to your site, but, in general I don't want other
> users of a website to be able to PM/email me unless I specifically authorize
> them to.

I actually like to encourage users to make contact by themselves with their
emails, because email service is decentralized and controlled by users (at
least they have better control of it than a website). Also, a user may leave a
website but still use their email.

However, I know in the real world people don't like to be bothered, so making
their email public could be a problem. I guess I need to rethink it a little.

------
lrem
My favourite is:
[https://www.reddit.com/r/ireland/comments/8m078i/gdpr_well_p...](https://www.reddit.com/r/ireland/comments/8m078i/gdpr_well_played_cartellie_well_played/)

They're actually not hurt by doing this: their business model is selling you a
pdf report in exchange for money. The transaction handling is literally only
reason to touch any personal data.

------
bonniemuffin
Large tech company: it took tens of thousands of jira tickets and
umpteen-trillion human-hours to become gdpr-compliant in preparation for today.

------
zachruss92
It doesn't affect me hugely. The biggest impact was that I had to spend time
to define these processes and outline my privacy policy. I didn't need to go
and redo all of my forms/consent flows because all the data I collect is
reasonable and necessary.

------
acatton
Not at all. I'm working in Germany. The GDPR is basically the same as the
_Datenschutzgesetz,_ which is the German law.

The only difference is that we will have higher fines if we don't comply. And
we have had an external Data Protection Officer for a long time already.

------
cflat
The biggest impact is all the navel-gazing time we have spent trying to
decipher what _is_ personal data and what are our obligations to our
customers and to their users. The actual work has been the easy part. We will
never get back all the lost hours spent on debate, clarification,
re-clarification, non-answers, vague answers, more debate.

------
kull
US based SaaS company. For now we just don't allow anybody from the EU to be on
our mailing list or sign up.

------
falcon620
We've gone through a couple of audits from customers' GDPR-compliance
consultants.

As a result we have been triggered to perform some well overdue security
reviews, thinking about security processes and data compartmentalization,
documenting some procedures etc. I think it's by far a net good, even as a
relatively small company.

------
dvdhnt
It has been 24 hours since GDPR came into effect. To be blunt, if anyone’s
business has been affected dramatically, then their business is likely too
brittle or unethical. If that’s the case, you should rethink your business
model.

~~~
ebiester
Alternatively, some part of your business has spent the last X months
preparing for this so that their business won't be affected dramatically.

I am easily tracked to my place of employment so I don't want to get into too
many details, but we were doing things ethically but still had a non-trivial
amount of going through, dotting our i's and crossing our t's, making sure
that there weren't pockets of unknown data, putting together plans in case
someone asked for data retrieval or deletion, etc.

The longer a company's been in business, the more onerous the task is. I can't
imagine what it would be like for a large company with mainframes still
around.

~~~
KirinDave
If this is the case, then being transparent about it is a good policy. I hope
your employer is committing to compliance publicly and apologizing to its
customers for the delay.

~~~
ebiester
We don’t have a delay in our case.

------
jacquesm
The only recent change for me was that I entered into a DPA with the
bookkeeper and the payroll company everything else was already done (and long
ago, not last week).

It helps that collecting data on individuals was never a part of our strategy
to begin with.

