
Ask HN: How can I comply with GDPR as a solo founder? - sjroot
I am based in the USA, and am hard at work on building services for my company. My goal is to launch and have customers by the end of the year.

While I 100% support GDPR, I do not know anyone within the EU who could act as a Data Protection Officer or EU representative for privacy concerns. I am funding myself at this point, and don't really want to shell out hundreds of dollars to some law firm just because they have an address within the EU. Outside the EU, I plan to handle support concerns on my own (for the time being).

What are my options here? My initial thought is that I will just have to prevent those living in the EU from using my service, which is unfortunate.
======
dimitar
You most likely don't need a DPO: [https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/do-rules-apply-smes_en)

Check out the rest of the website, it is pretty helpful.

Don't worry too much, GDPR is both common sense and designed to go after the
big companies. Some rules are intentionally vague in order to be hard to
circumvent using armies of lawyers and/or technical 'innovations' in
exploiting personal data.

~~~
grimjack00
> Some rules are intentionally vague in order to be hard to circumvent using
> armies of lawyers

Because lawyers have never been able to turn vague rules and regulations to
their advantage.

------
Deimorz
The Data Protection Officer doesn't need to be located in the EU. You may also
not even need to appoint one, depending on what exactly your company does.

You should read through the following sections of the GDPR carefully,
especially Article 37 to determine if it seems to apply to you (the
requirements are vague, but you should at least be able to get a general idea
of whether it seems to apply to you or not):

Article 37 - Designation of the data protection officer - [https://gdpr-info.eu/art-37-gdpr/](https://gdpr-info.eu/art-37-gdpr/)

Article 38 - Position of the data protection officer - [https://gdpr-info.eu/art-38-gdpr/](https://gdpr-info.eu/art-38-gdpr/)

Article 39 - Tasks of the data protection officer - [https://gdpr-info.eu/art-39-gdpr/](https://gdpr-info.eu/art-39-gdpr/)

Recital 97 - Data Protection Officer - [https://gdpr-info.eu/recitals/no-97/](https://gdpr-info.eu/recitals/no-97/)

~~~
sjroot
Thank you for those links! I was more concerned with Article 27 but that
website also helped mediate my concerns with that. Much appreciated.

------
mrgreenfur
It's a great question and one of the common complaints to the wave of privacy
regulations. I believe that it's not a ton of work, but may be a bit of
legalese to wade through and should be basic due diligence for collecting
personal information.

There is a lot in GDPR, but here's a list of possibilities that will honor the
spirit of the law and be huge steps forward:

- Privacy policy: Write a human-readable privacy policy and publish it. It
should declare what you collected, for what purposes, how long it's retained
and how to contact the privacy office for data subject requests.

- Conduct an internal Privacy Impact Assessment: an inventory of personal
data collected, for what purpose, what its risk/danger level is, what lawful
reason it is collected/processed for, where it is stored and what the retention
policy is.

- Lawful processing: For each of the types of data collected, determine the
lawful umbrella for collecting and processing it; GDPR defines a bunch but
most people use only "legitimate interest" or "explicit consent". If you need
to use consent, find a vendor to help you manage it.

- Honor data subject requests for access/portability/erasure. Doesn't have to
be fancy, can even be just a mail to privacy@yourdomain. Don't forget to
authenticate/vet the requestor to avoid leaking data.

- Vendors/3rd party companies you use: Inventory them and record what data is
going to them. They will likely have in contracts their obligations under GDPR, and
will define their role ('processor' or 'controller').

~~~
dyeje
This is a good start. I wouldn't worry too much about GDPR compliance starting
out. Follow this advice and when customers start asking questions about your
compliance, you can invest in a more robust ISMS.

------
rfergie
[https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/) says you only
need a data protection officer in some circumstances. You don't say what your
startup does, but unless you are processing a lot of data or sensitive data
you probably don't need one.

I'm also not sure that your DPO needs to be European or based in Europe

------
icedchai
One option is to just do nothing about it.

~~~
sjroot
I want to be able to tell customers that my service is GDPR-compliant. (Plus
I'd rather not pay fines!)

~~~
fipanitope
This makes me wonder if we should also be proactive with following Korean,
Singaporean, and maybe even Chinese laws?

------
throwaway40324
On a technical level: have a process for gathering and sending responses to
requests from EU users for their data. Have a process for being able to hard
delete that data, and a user's account. Don't store anything you don't need, not
even in logs (IP addresses), and don't send that data to third party providers.
Don't use third party monitoring and analytics services that aren't GDPR
compliant. Keep a constantly up to date document of cookies your site uses,
and whether they're essential or non-essential for your product/service to
operate. Lastly, learn exactly what is considered PII and not. This is a non-
exhaustive list of things you should start with, and then go with common
sense, and legal counsel as you can begin to afford it.

Edit: Following up, I say on a technical level, because much of this you can
do yourself via having some scripts and report generation in place.
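As an added example (not code from any commenter), here is a Python sketch of the scripted pieces described above and in mrgreenfur's list: redacting IP addresses before a log line is stored, vetting a requestor against the account on file, exporting a subject's data for an access/portability request, and hard-deleting it for an erasure request. The SQLite schema, table names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed schema for a small "social" product: users, their posts, an access log.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT UNIQUE, display_name TEXT);
CREATE TABLE posts(id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id), body TEXT);
CREATE TABLE access_log(id INTEGER PRIMARY KEY, user_id INTEGER, path TEXT, client TEXT);
"""
# Every table holding per-user rows, with the column that ties a row to a user.
# Export and erasure both iterate this map, so a new table only has to be added here.
SUBJECT_TABLES = {"users": "id", "posts": "user_id", "access_log": "user_id"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scrub_client(client: str) -> str:
    """Redact IPv4 addresses before a log line is stored; the log then never holds them."""
    return IPV4.sub("[ip-redacted]", client)

def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?,?,?)",
                   [(1, "alice@example.com", "alice"), (2, "bob@example.com", "bob")])
    db.executemany("INSERT INTO posts VALUES (?,?,?)",
                   [(10, 1, "hello"), (11, 2, "hi alice"), (12, 1, "bye")])
    db.execute("INSERT INTO access_log VALUES (?,?,?,?)",
               (100, 1, "/feed", scrub_client("203.0.113.7 Mozilla/5.0")))
    return db

def verify_requestor(db, user_id: int, claimed_email: str) -> bool:
    """Vet the request before acting on it: the contact address given must match the
    account (a real deployment would also confirm control of that address with a token)."""
    row = db.execute("SELECT email FROM users WHERE id=?", (user_id,)).fetchone()
    return row is not None and row["email"] == claimed_email

def export_subject_data(db, user_id: int) -> dict:
    """Access/portability request: every row held about one user, keyed by table."""
    return {table: [dict(r) for r in db.execute(f"SELECT * FROM {table} WHERE {col}=?", (user_id,))]
            for table, col in SUBJECT_TABLES.items()}

def erase_subject(db, user_id: int) -> int:
    """Erasure request: hard-delete the user's rows from every table in one transaction,
    not a soft 'deleted' flag. Returns the number of rows removed (0: nothing matched)."""
    with db:
        return sum(db.execute(f"DELETE FROM {table} WHERE {col}=?", (user_id,)).rowcount
                   for table, col in SUBJECT_TABLES.items())
```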

------
ReD_CoDE
As I know GDPR is for startups and companies with more than 50 or 200?
employees.

It means that the majority of startups and small companies don't need it,
until becoming a firm that can afford the costs of GDPR consultants.

There are a lot of websites that generate GDPR templates free of charge for
startups and small companies and those templates are enough.

~~~
Someone
That’s incorrect. The GDPR applies to every company (it has to, as otherwise,
shady companies would create small sister companies for doing the work they
aren’t allowed to do because they’re too big).
[https://gdpr.eu/faq/](https://gdpr.eu/faq/):

> "Who must comply with the GDPR?
>
> Any organization that processes the personal data of people in the EU must
> comply with the GDPR. 'Processing' is a broad term that covers just about
> anything you can do with data: collection, storage, transmission, analysis,
> etc. 'Personal data' is any information that relates to a person, such as
> names, email addresses, IP addresses, eye color, political affiliation, and so
> on. Even if an organization is not connected to the EU itself, if it processes
> the personal data of people in the EU (via tracking on its website, for
> instance), it must comply. The GDPR is also not limited to for-profit
> companies."

~~~
ReD_CoDE
"Those companies with fewer than 250 employees are required to hold internal
records of processing activities if the processing of data could risk an
individual's rights or freedoms, or if it pertains to criminal activity.

For those with more than 250 employees, more detailed records need to be kept.
These include the name and details of your organisation, the name of your
assigned data protection officer, the reasons for processing the data, a
description of the categories of data being processed, details on the
recipients of the data, how long it will be retained, details on transfers
outside of the EU, and an overview of the security measures your organisation
has put in place." - [1]

[1] [https://www.itpro.co.uk/data-protection/29123/gdpr-for-small...](https://www.itpro.co.uk/data-protection/29123/gdpr-for-small-businesses-what-it-means-for-you)

------
Nextgrid
Think about what you’re doing that has GDPR implications. If you’re not doing
anything creepy then the GDPR is as easy as providing/deleting subjects’ own
data upon their request.

~~~
EpicEng
"but your honor, this doesn't fit the legal definition of 'creepy'!"

------
jiveturkey
As a solo founder, don't worry about it.

> shell out hundreds of dollars to some law firm

hundreds? LOL! $10,000 to get a DIY kit.

From one of your replies:

> I want to be able to tell customers that my service is GDPR-compliant.

This isn't possible with a one-man company. Rather, it's possible to tell them
you are (there is no certification body) but it's not possible to be compliant
if you don't already have expertise.

> DPO

I don't know why others are mentioning a DPO. You won't need a DPO.

The easiest route to compliance is to not collect Personal Data.

~~~
sjroot
> I don't know why others are mentioning a DPO. You won't need a DPO.

After reviewing those parts of GDPR a bit more, I agree. I was thinking of the
EU rep for businesses outside the USA.

> The easiest route to compliance is to not collect Personal Data.

The product I am working on has a social aspect. That said, nothing -
particularly the data the GDPR defines as sensitive - would be collected
without explicit consent from the users. Actually, nothing is really collected
without their opt-in.

> As a solo founder, don't worry about it.

Thanks for chiming in! It is good to hear from someone in a similar situation.

~~~
jiveturkey
> nothing is really collected without their opt-in.

opt-in is the least thorny aspect of GDPR.

but honestly, you don't have to worry about it.

There are 6 bases for collecting Personal Data. You should review them and see
if something besides explicit consent (opt-in) is more suited. Opt-in is a
trigger for other things. Avoid it if you can.

