
Ask HN: GDPR for solo founder - video-host
I run a small SaaS from outside the EU but with a few clients there. I collect names and some physical addresses. It’s nearly impossible to know what I should do for GDPR:

  * is a message about using cookies enough?
  * do I need a privacy policy
  * ...
======
ColinWright
I don't know either, and this is not legal advice. The regulations[0] are
actually pretty clearly written, and not actually that long. Make yourself a
good coffee, and read them in a few sittings, thinking about your specific
context, and taking notes.

My understanding, based on my reading and your comment, is as follows:

* You are retaining personal information - this requires consent.

* If you do something with the information you have, it requires consent.

* If you don't do anything with the information, and you are not legally obliged to retain it, you should delete it.

* When an individual asks, you must be able to tell them everything you hold on them, and where you got consent.

* When an individual asks you to delete their data, you must be able to do it within a short time-span (unless legally obliged to retain it).

* Consent _can_ be implicit - for example if someone signs up for a service.

* You absolutely need a statement saying what information you hold, and what you do with it.

* If you can't say when, where, and how someone gave consent, you should seek to obtain explicit consent with an "opt-in" email.

Some of the above will probably be wrong, but I don't think anything is _very_
wrong.

[0] [https://gdpr-info.eu/](https://gdpr-info.eu/)

------
downandout
Stop accepting EU currencies and don’t offer any locally translated content.
GDPR doesn’t actually apply to all businesses worldwide. It applies to those
that are directly targeted to EU residents. Some of the things that can make
you subject to the GDPR include having a European domain extension (e.g. .de or
.co.uk), offering content that is translated to languages commonly spoken only
in the EU, and accepting payments or listing prices in EU currencies.

If you are based outside the EU and do none of these things, GDPR generally
does not apply to your business.