Ask HN: Have there been any serious consequences from GDPR yet? - AlphaWeaver
Oftentimes, reading here on Hacker News, users are quick to point out in the comments under an article announcing a new site or service how things are "definitely not GDPR compliant," but I anecdotally see no major changes being implemented. If sites and major corporations are so often out of compliance, why hasn't enforcement happened yet?
======
dx034
One thing I noticed (and I've worked with several companies to make them
compliant) is that many non-tech companies finally see data as something to
pay attention to. GDPR forces them to know what data they collect and store,
enabling other initiatives. Those can be to finally improve data quality (as
you'd otherwise have to expose invalid data to clients), better customer
service (self-service) and data analytics.

I'd say that for the companies I've met, the cost they had with GDPR had a
pretty good ROI even if there was no enforcement of GDPR. Not all companies
see it that way, though.

------
krageon
Enforcement is happening, though unfortunately I don't have an actual source
on hand to show you.

Anecdotally, I enjoy being able to _finally_ tell companies to forget me and
stop sending me spam. It has actually worked very well for that. I also enjoy
being able to report companies blatantly and maliciously infringing on my
rights, because it finally makes me feel like maybe I'm not just some cattle
to be exploited for someone else's benefit.

Another benefit of having the right to be forgotten is that I (hopefully)
won't pop up in so many future data leaks. I've been fortunate so far that
nothing serious has ever been leaked about me, and I've insulated myself well
from leaking passwords because I use a new random one everywhere. I do however
know a few people who have been burned this way and subsequently become the
victim of identity theft. Given that the police lack the incentive and ability
to do anything about this (I know this from personal experience; I do not live
in a third-world country or even one that is moderately poor), the only cure for
this problem is prevention. It helps me to sleep better at night knowing this
risk has gotten smaller.

~~~
xcubic
How do you report a company?

~~~
krageon
This is a question I would encourage everyone to use a search engine for. To
answer your question:
[https://edps.europa.eu/data-protection/our-role-supervisor/c...](https://edps.europa.eu/data-protection/our-role-supervisor/complaints_en)

------
preya2k
German Chat Community knuddels.de was fined 20.000€ for saving unhashed
passwords:
[https://www.welivesecurity.com/2018/11/27/german-chat-site-f...](https://www.welivesecurity.com/2018/11/27/german-chat-site-faces-fine-gdpr/)

~~~
gingerlime
Very low fine considering how bad the breach was (and lack of basic security).
Any idea of how much revenue this company is making?

~~~
preya2k
Nope, since this is a GmbH, they don't need to publicly disclose their
numbers. But I read they have about 4 million members.

I agree on 20k not being very much given the circumstances. However this is
the first time that a company had to pay for a thing like unhashed passwords
at all. So I guess it's a step in the right direction.

------
trelliscoded
I know we've lost business because of it. We're a US company but a lot of our
customers are gigantic multinationals and becoming fully compliant would
reveal some IP that would be disastrous if it became public.

~~~
gravypod
This is an interesting angle that I've never considered. I know that you
likely can't talk about it, but how could complying with GDPR expose IP?

~~~
tschwimmer
I'm imagining some sort of novel data structure or schema. If a customer
requested their data, you'd have to divulge the schema as well.

~~~
krageon
You are not obligated to provide the data in the way it has been structured at
your company. You are obligated to provide it in a machine-readable format,
and that is where the provisions end. It can be any format you want and can
contain the information in any way that you like, as long as it's all there.

~~~
tschwimmer
Perhaps there's a score or some other proprietary statistic that is
technically user data but is not surfaced to the user. If the score is a
function of other pieces of supplied user data then perhaps they're worried
about leaking a proprietary formula.

This is starting to sound a bit thin, so I'm not really sure what this guy is
talking about.

------
nik736
What I still don't understand is how companies like MaxMind (basically a fraud
rating based on IP addresses and some other criteria that is mixed together)
or the German Schufa (credit rating) are still able to operate under GDPR. But
in general I feel the idea and effect it had is a good thing even though the
days before it went live were plain ridiculous.

------
znpy
Some US websites just plain refuse to serve me content just because I'm in
Europe.

On the other hand, when something goes wrong, shooting off an email citing a
possible GDPR infringement is now mostly enough to get an answer from a real
human being.

So quite frankly, I see this as an overall positive thing.

~~~
bitfhacker
>> Some US websites just plain refuse to serve me content just because I'm in
Europe.

This happens to me too. I see this as a major negative thing.

The first time it happened to me, I felt it was a type of censorship. In this
matter, GDPR raised a big wall between the U.S. and Europe.

~~~
paulcole
If it's censorship it's the EU's fault.

The website achieved GDPR compliance. End of story.

~~~
znpy
Meh, I'm fine with that.

------
ionised
Any company in violation will be given the chance to make themselves compliant
before fines are levied. The fines were never going to start right away.

~~~
gingerlime
Not right away, but wasn’t there a 2 year waiting period exactly for that?

------
willhallonline
I think that currently the serious consequences are the number of businesses
that expended huge amounts of cash and time on getting towards compliance. It
has focused every business on the data that they generate and keep. Overall,
the main consequence that I see currently is that almost every business has
some idea about GDPR and your data. Surely that is the largest consequence?

~~~
Someone
It also can cut costs. I know of a company that threw away hundreds of
terabytes of data from S3 because it didn’t need it.

~~~
willhallonline
I am pretty sure that, for the amount of savings most companies can make
through removing data retention, working out what data to remove is far, far
more costly.