Ask HN: What does my startup need to do to comply with GDPR? - hguhghuff
======
mtmail
[https://gdprchecklist.io/](https://gdprchecklist.io/) is a good start. For
many startups it's more than half the work is documentation, not changes in
what they do.

~~~
bulatb
I wouldn't recommend that checklist. It seems to be a list of every topic in
the regulation, whether it applies to you or not, presented as a list of
things required for compliance.

While technically not wrong, some of it is so misleading that the reader might
be _less_ informed about the law than when they started.

I wish I had a better option than just reading the text of the law, but most
explainer sites I've seen have been misleading, confusing, biased, incorrect
or generally not so good.

I've been using this[0] reference—basically the text, but better organized.

[0] [https://gdpr-info.eu](https://gdpr-info.eu)

------
BjoernKW
A solid answer would depend on:

\- what it is your startup does

\- how you process user data

\- what third parties - if any - you draw upon to process that user data

If you process any user data at all (of users currently located in the EU,
that is) the very least you need is:

\- a privacy policy

\- a list of your data processing activities

\- a list of your technical and organisational measures for protecting user
data

\- a data processing agreement with every third party that processes user data
on your behalf

------
icedchai
You probably don't _need_ to do anything. It depends on how risk averse you
are. Where are you located?

------
ocdtrekkie
Obligatory: This question is at least a week late. But you should've been
asking this far before then.

What's your startup? GDPR's burden on you is going to be different depending
on how much and what kind of user data you handle, why you handle it, and for
how long.

~~~
ryanwaggoner
You're not obligated to be a jerk. There's absolutely nothing this person can
do about the fact that they didn't address this before now, so why bring it
up? Just to scold? Helpful.

