Hacker News new | comments | ask | show | jobs | submit login
The Nightmare Letter: A Subject Access Request Under GDPR (linkedin.com)
508 points by jjp 11 months ago | hide | past | web | favorite | 523 comments

Where's the problem? To me it shows what an excellent job the creation of the GDPR was. It makes companies think in depth about the data they hold on me and how they process it. It also provides clear ways to question and challenge it.

I've seen a number of articles trying to frame the GDPR as some kind of shambles. The shambles is the way too many companies have abused and mis-processed the data for too many years and somehow the EU lawmakers are bureaucratic imbeciles. Yet, everyone I know is fully in favour of this as consumers.

And, for context, I am the person who will have to deal with these at our company. Our customers are absolutely entitled to expect us to process their personal information is a responsible manner and I hope a number of these letters are sent to every company, it's about time there was a power shift in this area.

About 50% of small business survive their 5th year and roughly 30% survive to their 10th year. The concern is the drip/drip effect of more and more regulation making those numbers even worse. In addition you may be saying to a poor or middle class person that the money costs of starting certain types business are not longer in reach due to much higher costs. A large well established business is in a much better position to weather these costs so the wealthy get wealthier. What are the costs compared to the benefits?

You hear the advice for new startups; only recruit the best from the start, cut away the fat from your task lists to only focus on the critical issues that generate business.

Here's another, bake privacy into your company from the start. Create a culture that takes it seriously and threads it through everything it does. Once you have this culture you'll find it costs less than when you try to retrofit it after 3 years.

In terms of the benefits, I can only assume you're American to ask this. In Europe we view our privacy as a human right and that our lawmakers should protect that right, it's that simple.

> bake privacy into your company from the start. Create a culture that takes it seriously and threads it through everything it does.

Replace "privacy" with "security" above, and you'll get the widely accepted best practice approach: "you cannot bolt on security later", etc. Likely it will work for privacy equally well.

It also works for performance, reliability, UX quality, etc. What GDPR does is forcing business to make privacy their core concern. Since time & budgets are inherently limited, this will come at the expense of something else.

> What GDPR does is forcing business to make privacy their core concern.

Not really. It will mostly be a problem for companies which use a lot of SaaS services with no on-premise solution and companies in the business of selling their users data. Not gonna shed a lot of tears for those.

What's your beef with using "a lot of SaaS services, with no on-premises solution"? Why waste money by locking it into on-premises hardware?

You missed the entire point.

How do you guarantee that the SaaS you chose is enforcing the privacy of the data you're paying them to process?

In the same way that AWS wasn't originally certified for government work, and then developed GovCloud: they realized there was a lot of money in it.

If supporting GDPRs is a requirement for having European B2B customers, SaaS providers are going to start certifying against and architecting around that.

Actually what it did for me was allow me to ignore the EU entirely. This makes my implementation more simple since I don’t have to focus on the GDPR and can ignore the localization crap from having 2 versions of English.

Careful, the EU is a big market. If you exclude the EU, and get big enough, someone can just copy your business, but abide by EU law. Suddenly you have a compeditor who has access to a large market that you don't have access to.

As it should.

this is extremely true from a network security perspective for new ISP infrastructure as well. It is very "easy" to start forming layer-2 and layer-3 adjacency between things geographically distributed around a city/state sized area without much regard to security. Will create a huge amount of work to come back and fix later. Whereas if you design the architecture from the start with security in mind (how you're going to deal with your management VRFs, monitoring systems, OOB authentication, NOC and neteng access to stuff in private IP space, etc) it will be much easier to scale.

You can't engineer this sort of thing away. A business that gets 1000 of these letters will have to hire someone to handle it, regardless of how good a job they did designing things.

If you don’t keep the records of your customers, you’d answer those requests in no time.

Aldi has become extremely succesfull without knowing their customer. Ikea probably the same.

Wrong. Even if I didn’t store anything besides absolutely necessary (does your product involve usernames or emails - bam, personal information) and was absolutely above board, it would take me hours to respond to this.

You see: you should have read the law before assuming that requesting this information from the user is legal. It had to be stored in one, single place. Therefore answering this question shouldn't take more than 5 minutes, if you have anticipated GDPR.

What about their employees? Aren't employees, or ex-employees, also entitled under GDPR to be informed about what personal data the company stores or processes? Honest question!

Of course, but they're entitled to this under pre-GDPR legislation as well, as I understand it.

I mean, if those records are being kept, it shouldn't be that hard to make them easily user-accessible, right? Support people that got the letters could just give users the link to the page with the data.

It seems to me that could easily create a privacy issue of its own. Certainly just a link would be terribly insecure, you'd need to authenticate the user. And whatever you do, you've now created a web-facing portal to the private data you're supposed to protect. Seems risky to me.

My company (Aptible) makes a product called Gridiron that does this. All of the data that a requester is entitled to can be pre-structured and organized in a source of truth. That's what Gridiron is.

The first answer is long, the other ones should be quick as you already have done the work; and can be automated.

The answer is going to be automation. You don't hire a person to physically handle each of those 1000 requests, just like you don't have someone typing in each employee's pay stub and calculating their tax withholdings.

When the EU bans telemarketing or sending me junk mail without my consent, then I might think the EU cares about my privacy.

It already does. Go figure.

In practice, no. The legislation has major loopholes, such as allowing unsolicited business-to-business marketing. And spammers still send junk to individuals with a disclaimer such as "This message is addressed to a business, if this is in error click here to opt out". And they seem to get away with it.

My mailbox (the physical one) disagrees with your claim. There are mechanisms to opt-out (at the cost of uglyfying my mailbox with highly visible label), but they are not banned.

Neither of those represent threats to "privacy" in a typical legal sense. Both suck, but you're saying that you'll think the EU cares about car safety when they ban juggling.

Your logic applies to fire codes and food sanitary rules just as well.

Doing the right thing is a burden, that’s why it’s called the right thing and not the convenient thing.

Yes you are correct. What are the costs compared to the benefits? Is the additional privacy going to be worth it? If we discover a few years from now that European companies are sharing roughly the same amount of data with other companies as their American counterparts, just documenting it better, have you gained anything?

Yes, because I can request it and ask for deletion.

Are you willing to pay more for products and services? Because ultimately you will.

If hiring one person changes the calculus that much, it's nonetheless easy to afford if profitable companies paid their workers more instead of sending it to shareholders or doing stock buybacks. The proportion of wealth held by the managerial class exceeds the Roman Empire at its height. https://persquaremile.com/2011/12/16/income-inequality-in-th... For reference, the gini coefficient of the united states in 2016 was 0.48. Rome at its population peak was between 0.42-0.44 according to the article. A gini coefficient of 0 is a perfectly equal society and a coefficient of 1 is perfectly unequal.

Small startups also often get the benefit of reduced regulatory burden, which is fitting because they have less overall impact on society. Once they become large, it is fitting that they play by rules that benefit the majority.

How is a gini coefficient relevant to higher priced products due to regulatory overhead?

It seems you have an axe to grind and derailed the conversion to compare the US with ancient Rome. Please provide a citation showing a correlation between increased privacy regulations and reduced gini coefficients.

I was responding to the claim that increased privacy would lead to possibly unacceptable price increases. I accept as axiomatic that increased privacy reduces profits, because, for one, you can't sell data that is private let alone the regulatory burden. My position is that these vociferous critiques of even minor bequests to the public are ill founded.

You already are paying with your privacy. If you value it for $0 then you're going to pay more...

Another legitimate question is: is the fact that you are willing to pay more a good enough reason to force me to pay more? What if I don't care about privacy as much as you?

That's the real issue here. You can either decide that privacy is a basic right that everyone has and cannot be negotiated away, in which case this law makes sense.

Or you can decide that it's a decision each person makes, and let the market take care of providing options that are more vs. less privacy-respecting.

> You can either decide that privacy is a basic right that everyone has and cannot be negotiated away, in which case this law makes sense.

> Or you can decide that it's a decision each person makes, and let the market take care of providing options that are more vs. less privacy-respecting.

Or, collectively, a group of people can agree on a government that supports privacy protection for goods sold under its remit. Which is what's happened here. I get that it's not popular in the US, but privacy controls are quite popular in Europe, and the EU is in this case following the mood of its people.

Yes, "a group of people" acting through the government to support privacy protection is what my first sentence meant. Clearly that's what's happened.

Not sure why you phrase it "or"? I think we agree that that's one sensible approach to take (treating it as a basic right that can't be negotiated away, much like other things).

Yes, yes I am.

Nobody dies from Google Analytics. People die from failing to follow fire codes or food safety laws.

This is a false equivalence.

I find it quite worrying that 1) you are all over this discussion downplaying/minimizing the value and importance of privacy, and 2) you are the "founder of iCouch, a platform for psychologists, therapists and counselors".

Most people don't die from food safety violations, they just have a really bad day. I would say this is equivalent to the harm done by something like the Equifax breach.

> they just have a really bad day

And those who end up in hospital, in the US, possibly without insurance? I guess that, and the ensuing bills is "just" an _extremely_ bad day then?

Not a worry in most other developed countries.

Nobody died from detailed records of peoples religion and ethnicity in Germany 70 years ago either.

Such were held and enforced by the state, not by local businesses. Say, more or less the same people who run network-scale intercepts and tracking nowadays, and collect/access/process a lot of real-word records about you. Do you really think that as a EU citizen I can go ask TSA all data they have on me and why they opened my bag last time I flew out of the US?

Intersting question. How far into state agencies does the GDPR apply in the same way it does for businesses? Can i make a GDPR request to my city library, hosptial, police or secret service? Or maybe even to the state as a whole?

Yes, you can and you should. Every government should be able to respond. Nobody is bared on Data subject request

Google and Facebook analytics get people like Trump elected. Which is a far more dangerous situation than food poisoning or a building fire due to its long term impact.

People like Trump have been elected since there were elections. Keep the lame political statements elsewhere.

00N8 11 months ago [flagged]

of course they do! what magical kingdom of the future do you think you're living in, where economic ends have no bearing on survival?! your business on the brink succeeds or fails; a personal relationship blossoms or sours. sure, we mustn't rely too much one any one thing going a certain way on these kinda things that data sharing or Google Analytics can impact. but in aggregate these factors have significant bearing on one's access to medical, nutritional, & fitness resources & technology, even will to live, thus they do drive life or death outcomes all the same.


People subject to identity theft due to poor control of their data do indeed suffer real world consequences. I wouldn't necessarily want to argue it's a case of life or death - but there's undoubtedly actual harm in some cases ranging from social issues if their data is sensitive, right down to financial loss.

And if you wanted to examine whether it could be a matter of life or death, it wouldn't be that big of a stretch. Consider what might be the result of someone trying to escape from an abusive relationship having their personal data exposed. Or a whistleblower / political dissident. For example, imagine a Chinese dissident with a free-Tibet facebook record whose data gets back to the Chinese government.

I'd focus on China particularly because they're developing a system for working out how much people align with the state and it appears it may be partly based on the information they can find out about people's internet postings:


I wouldn't be at all surprised if it's actually cheaper for smaller businesses to properly handle personal data than it is for big ones. Big ones tend to have much bigger, more complex data systems that require complicated oversight and governance, and are presumably much more likely to engage in risky behaviors like dumping stuff into a data lake.

This might have an outsize impact on startups that deal primarily in data about people. I'm actually pretty OK with that. Some kinds of activities really should have high barriers to entry.

If a business cannot afford to properly handle and audit customer data then it should avoid any sort of collection. Businesses that produce value from customer data should be able to pay for necessary protections.

> The concern is the drip/drip effect of more and more regulation making those numbers even worse.

There are industries, like construction, that have a lot more regulations that this one. And small companies survive.

> What are the costs compared to the benefits?

Benefit: Citizens have the right to protect their privacy, to not be tracked without reason, to be notified when a data breach put their safety at risk, etc.

Cost: Companies need to have reasonable data governance that will increase short-term cost, but probably have a long-term positive impact on cost as bad data governance is just technical debt.

I don't give a fig about startup survival rates. I care about the fact that they're currently making money by externalizing costs.

Yes, it makes it harder to get into some areas. If that means a net positive for society, I'm surprisingly OK with that. There's no intrinsic reasons why we should care how many companies survive.

In general I strongly agree that regulations can be one of the slow drip/drips that crush a society over time.

However there are two forms of complexity at war here; complexity for business (regulation) and complexity for ordinary people (having data about you everywhere, about everything, forever). So we have to decide which kind of complexity is worse, or how to strike the right balance.

I usually register on non essential websites with a custome address like website.com@domain. Over the years I experienced several hidden data breaches as I look once in a while into my spam folder. This regulation gives me as a customer a good feeling as businesses are required now to think hard about their data protection strategy. As a business owner I have no problem answering these requests as I designed my software with data protection from the get go. Now it’s at least a requirement for all businesses which is good. This is a huge benefit for the consumer.

Yes, this also gives great insight on who's selling data.

If you have taken GDPR into account from the start, the costs are trivial, it only means you will organize data differently so this "startup worrying" thing is a nonsense. Those worries are trying to do PR from companies/developers that are used to capture as much as possible from customers (potentially also sell those data) and are basing their bussiness model on that.

The real cost comes in "old" companies. Those should complain, but those are also responsible for need for GDPR.

Everything there might be true. Everything might also be false. It might be cheaper to start a business because PPI information will be handled properly from the start and not be a cost centre. This might increase new business viability.

Maybe there are no "costs". Just benefits and benefits?

The benefits are to me as a consumer, of course. Just because companies would prefer to treat data and security as burdensome doesn't mean that I should let them. As an argument to reverse this regulation, this seems unconvincing.

Of those small businesses how many had business in Europe? You can aggregate or split by success/failure.

This website is inherently an egregious GDPR violation. It collects the most highly protected data category, political views, stores it forever, shares it with everyone on the internet, makes opaque automated decisions related to ranking, vote weighting, and anti-spam, and provides no mechanism for takeout or deletion. Because it's publicly available, an unlimited number of unregulated third parties can obtain your data and process it for undisclosed reasons without your opt-in.

Can anyone explain how it's possible to be positive about GDPR and HN at the same time? I'm not surprised that some people like it. I'm stunned to see them commenting here.

> It collects the most highly protected data category, political views

It collects user comments and posts. What you post to this website is entirely under your own control, and there is plenty of opportunity to meaningfully participate here while offering not much more than technical opinions.

Furthermore, none of the information you post here needs to be personally identifiable, under the definition of the GDPR. It is identified by a username, which can be completely arbitrary and unique. You could even use a new one for every post you make.

I'm pretty sure HN is holding onto PII, including IP and Email, which is enough to tie your account to others and de-anonymize you.

You don't have to tell HN an email address. They should have appropriate privacy protections in place for the PII they do store, but they should have that even without GDPR.

I do agree that we all can choose what to share on HN. Usernames can be as arbitrary as you like, and not linked in any way to meatspace identity. HN allows registration and posting via VPN services. And maybe even via Tor.

However, it does appear that GDPR will require that HN delete a user's posts upon request. It might even require that HN delete posts that mention other people, including nonusers.

Edit: Yes, also via Tor. It did ask for an email address, for password resets.

HN probably doesn't fall within the material scope of GDPR, unless they perform business activity that falls within the scope of EU law that I'm not aware of.

That would be different if they marketed/promoted/sold in the EU, offered European language or currency support, or somehow otherwise took action to position themselves for the EU.

As a thought experiment, if HN was regulated by GDPR:

1. Yes, all kinds of user generated content can contain GDPR Art. 9's special categories of personal data. HN would probably rely on the exemption in Art. 9(2)(e), which permits processing "personal data which are manifestly made public by the data subject." The purpose of HN is to let you share your own data on the Internet, that's the entire point. That's fine under GDPR.

2. HN would still need a lawful basis for processing under Art. 6. For a paid service, a Terms of Service would normally be fine. I don't think HN has or wants one of those, and they don't track users at all before registration, so they could collect an explicit consent from users on registration. If they did track prior, a cookie popup could collect the consent. Also, under Art. 8, the default minimum age of consent is 16, so we'd want to consider age confirmation too.

3. Archiving posts on the Internet forever is not a problem, if that's the intended use of the site, which it is. My guess is that deleting a user and their posts is feasible at the application/database layer. The problem would be deleting personal data from backups of the site if the user withdraws their consent and requests Art. 17 erasure. In that case, only retaining the backups as long as necessary and documenting that justification internally is probably sufficient.

4. Article 22 restricts "automated processing, including profiling, which produces legal effects concerning [the data subject] or similarly significantly affects" the data subject. Ranking, voting, and anti-spam probably don't qualify as weighty enough subjects to be restricted. Recital 71 ("Profiling" https://gdpr-info.eu/recitals/no-71/) sheds some light on what the EU is trying to prevent.

5. They'd have to get a data protection agreement or other Art. 46 agreement with hosting vendors. Cloudflare is on top of this: https://www.cloudflare.com/gdpr/introduction/ Not sure what other subprocessors are involved.

6. Being able to see most of your own data on HN means you have Art. 15 access, which is nice. I think they'd have to also give you any hidden metadata as well. Not sure what that might be (vote weight score?).

6. There's a bunch of other stuff they'd probably do, like appoint a data protection officer, publish a privacy policy, add the ability to delete your account, etc.

On HN you have no expectation of privacy, your comments are public.

HN does not require you to disclose personal information, such as who you are.

The GDPR doesn't use an expectation-of-privacy standard. Personal data is not just an explicit disclosure of your name and address, it's anything that can be used to identify you. Writing style and the sum total of comments indicating your experiences and the cities and organizations you've been attached to certainly fit that standard.

Well, Mirimir can just request that his posts be deleted.

However, I do see an issue: quotes by other users. That's one of the leaks that took down DPR. He deleted his old posts about Silk Road. But another user had quoted part of a post, which didn't get deleted.

GDPR puts the burden on the company to comply if it processes any in-scope personal data, regardless of whether it's possible for the data subjects themselves to minimize that data.

I'm a lawyer but not your lawyer and I have no idea about specific YC or HN details, so take this with a grain of salt, but I think the best argument for why HN is exempt or at very low risk for enforcement is that it does not hold itself out into the EU market for business and is not otherwise subject to EU law(as far as I know, and I have no special knowledge). Users may be from the EU, but HN has no particular nexus to EU law that I'm aware of.

This is important because Article 2 of GDPR ("Material scope") expressly says "This Regulation does not apply to the processing of personal data ... in the course of an activity which falls outside the scope of Union law"

To be completely honest, from everything I've seen, I'd love to see the GPDR be copy-pasted into US law and made a part of international treaties. It seems like The Right Thing to do.

There's a good chance that a lot of big US tech companies are going to apply the GDPR to everyone. It'd be too hard for (say) Facebook to have 2 databases.

That would be great because even we Europeans would profit from it: US regulators and law enforcement can be incredibly brutal.

GDPR does not apply for state actors.

I think he meant US law enforcement can be brutal against violators.

True, the only issue I see here is that big company will manage to adjust to GPDR rules or cleverly trick users of the service to allow for all they want (I guess the number of users who does not agree for changes in terms and conditions that keeps showing up on Facebook or Google pages is not large).

Small e-commerce sites (someone sells socks, hand made goods, used pianos, etc.) are different story here. Usually such sites were put together on some ready-made PHP + MySql solution hosted on a 100 bucks a year hosting and that was done by some small IT shop specialized in this kind of business.

Owners of such small firms are going to have really hard time with GPDR. I suspect there will be a lot of scummy law firms that will go after them and blackmail them either to use their "service to be GPDR compliant" or be sued under GPDR.

Such people are an easy target, they don't even realize that maybe software that was installed for them by some third party that no longer exists puts to logs customer first and last name, or there is somewhere backup with customer e-mails.

This law will have zero impact on say, Facebook, people would give them their data freely as they do now, average FB user will not risk to "get imperfect Facebook experience" (or some other similar clause that clever FB lawyers will figure out) if they block permission to be tracked and their data cannot be sold to advertisers.

One requirement of EU data protection law is "informed consent", which must be freely given. Pages of legalese that we all know no-one reads, then you could say it's not informed consent.

And you have to be able to revoke consent, at any time, and it has to be as easy to revoke consent as to give consent.

Reading through the "nightmare" letter, I was looking for something I'd consider unreasonable for a user to be concerned with or ask about, and couldn't find anything. Honestly, this seems like a pretty low bar. If you can't answer these questions about your business, I'd be loathe to continue doing business with you. I'd surely be reluctant to let you collect my personal information.

I'm not very familiar with the legislation. Is a company receiving such requests required to respond to them individually, regardless of merit? If so, it seems blasting a few thousand requests at a small company would be a fairly simple act of sabotage. Even if the requests are fake, it would take the company time to figure out that they don't have any relevant records and to figure out whether to respond and how to respond.

GDPR's "Right of access by the data subject" (Article 15) is here: https://gdpr-info.eu/art-15-gdpr/

The right can only be enforced against a "controller," which is the entity that "determines the purposes and means of the processing of personal data."

It's worth noting that GDPR does not give the data subject the right to request everything in the letter. Only a more limited set of things.

The practical effect for SaaS companies is that they should keep track of data and the systems and services where data is processed. With good preparation and a system of record for security/privacy management data, you can prepare for this kind of request very well. My company does just that - helps others prepare.

To create the data subject access request, you first need to understand your own internal process. For that, you need to comply with article 30 i.e. records of processing activities.

We help you create at that ecomply.io and then once you're done, we will help you create data subject access request as well.

>It makes companies think in depth about the data they hold on me and how they process it.

Except, of course, if your company is one of those favored with an exemption from the GDPR. Because we can't have everyone playing by the same rules in the EU.

> exemption from the GDPR

Who has received that? Can't find anything by searching.

Here's one set of exemptions: https://gdpr-info.eu/art-85-gdpr/

If you get a letter like this, reply in plain language:

Given that the "requests are complex or numerous", I will be responding within three months as recommended by the ICO[1]. Have a nice day.

You now have plenty of time to deal with it properly.

If you have a lot of data on someone, you can enumerate the categories (1) and then request they break it down (specifically request 1c; see Recital 63[2] of the GDPR for the exact language). Almost everything else should be in your privacy policy anyway.

If you do not have a lot of data on someone, then three months should certainly be enough time to properly respond to this.

Most businesses do not have any personal data on anyone beyond what you need for an invoice. If you have a dedicated CRM that contains leads of potential customers, or you use an online service like SalesForce, you can probably get their support in complying.

[1]: https://ico.org.uk/for-organisations/guide-to-the-general-da...

[2]: http://www.privacy-regulation.eu/en/recital-63-GDPR.htm

The GDPR gives you one month to reply to such requests by default, except if the nature of the request is so complex that you can believably justify why you'd need more time to reply to it. In general, I would recommend implementing automated procedures for answering such requests.

How many of these requests do you expect?

I imagine most companies might only deal with this once or perhaps twice ever, and if they do not keep very much personal data then automating it would not be very efficient use of their time. That's why in general I'd wait until you get such a request, ask your lawyer to explain it (will probably only cost a few hundred pounds), then decide what to do next.

Only very large companies (or companies that deal with a lot of personal data) will benefit from up-front automation.

Since the content of the request is very generic and applies to almost any individual and business, it's not unthinkable that it will be automated on the other end, so anyone can push a button and send the request to hundreds of companies of their choosing.

I certainly have several businesses in mind that I plan to send requests to once GDPR is in place.

EDIT: Although I suppose small, non-EU businesses that mostly do not deal with personal data are unlikely to receive any requests. So you are probably right that "most companies" are unlikely receive GDPR requests.

It’s already been automated.

https://selbstauskunft.net/ exists to allow you to send a BDSG §34 request (like GDPR request, but under the older German law for it) to basically any company. You select the company, sign it, and they automate all other steps.

I’ve sent dozens just this week.

Do you actually read the dozens of responses? Or are you just doing it to annoy people?

Yes, I read the responses and take action upon them. The last time I quit my bank account to move to a different bank.

Also, I'd recommend sending another request some time after quiting your contract with the company, just to make sure they give you a written guarantee that they deleted all data about you they don't _seriously have to_ maintain.

I intend to use it as well. Since I'm about to move, I wait until I have the new address. Yes, I'm interested what I will get in return.

I also consider it activism to keep companies aware of their responsibilities.

..and drive up the cost of goods and services.

Does anyone actually understand that this law will make things cost more?

Keeping my data private has costs associated with it? What a shocker!

Do you also argument against mandatory seatbelts? All they do is drive the cost of cars up. The justice system that works to enforce the laws brings the taxes up should we get rid of it too?

This guy being the equivalent of a car manufacturer in your analogy...

Maybe. But it's worth it.

I read them, and often I make decisions based on this — or can use it to convince e.g. my family to stop using payback (a discount scheme where a company logs all your purchases, even cash ones, and you get ~1% cashback).

Why do you think otherwise?

I think if you can easily automate it this is the time to because it will make everything easier as privacy rights continue their spread to additional countries and on to the UN's charter on human rights. Granting the rest of your users the same rights before they officially have them seems the right thing to do because it does not seem ethical to only uphold some of your users privacy.

Won’t adding round trips to the process (by sending letters indicating you’re delaying) just waste more of your lawyers’ billable hours?

Anyway, the main target of this legislation are the hundreds of businesses you’ve never heard of brokering your personal information. I doubt they have salesforce leads for each person they track, and I think most people want to see that entire industry collapse.

Similarly (in terms of regulatory burden, not consumer sentiment), most legit consumer businesses rely on razor thin transaction costs. Spending any additional per-customer human time could be the difference between profit and loss.

To see the problem, consider what would happen if you walked into any store with affinity cards, and handed this letter to the manager.

> Won’t adding round trips to the process (by sending letters indicating you’re delaying) just waste more of your lawyers’ billable hours?

There are only four requests in this letter, and they were written by a PWC consultant to appear as intimidating and confusing as possible, so a small business that does not have easy access to legal advice would not find it difficult to convince a regulator as such.

That said, a lawyer can help you identify them and ignore the rest. For the cost-conscious, spending time on the ICO's website will also help you discover them so that when you talk to a lawyer you can be efficient with their time (and therefore your spending).

> most legit consumer businesses...

Most consumer businesses do not keep very much personal data, if the cost of understanding this letter within three months would cause a company to go into administration then they were going to fail anyway.

> the main target of this legislation are the hundreds of businesses you’ve never heard of brokering your personal information. I doubt they have salesforce leads for each person they track

I don't agree with this at all. Who do you think the "main target" of this legislation is?

> just waste more of your lawyers’ billable hours?

Why are you using lawyers to respond to DPA / GDPR requests?

If anything that can be automated and it will waste their lawyers time. Sounds fun.

Honestly... none of the questions in this letter are that hard to answer.

I really don’t see what the fuss is about if you run a semi-professional operation.

Then you haven't thought it through or don't understand the gdpr.

Though this letter doesn't mention it, you not only have to provide all data in your systems -- every single db inside your company -- but also data from every 3rd party system. Your transactional emailer, your marketing emailer, your billing system, your logging system, your retargeting system, etc.

Good. Stop casually aerosolizing information about your customers all over the cloud, and ignoring employees casually copying live databases here there and everywhere.

That’s not totally true. GDPR only applies if the data is stored in an “filing system”. Things like logs almost certainly don’t fall under that. (Unless you where feeding them into a data mining system, that would change things)

Believe whatever you want but (1) our lawyers disagree; (2) if you can query your logs, you have to (PS: you can; that's literally the point of things like sumologic); (3) the various privacy orgs that have published reasonable amounts of guidance -- notably ICO and DPC -- disagree.

If you ever log an email address then logs contain PII, and are therefore in scope.

So why not log just username or transaction id?

Because usernames are PII under de GDPR too.

True, but hidden IDs like the row GUID of the user are not, are they? They should be considered more like pseudonymous data[1] as they're meaningless outside the dataset.

[1] https://www.whitecase.com/publications/article/chapter-5-key...

Are you sure about logs? Kafka is in scope afaik.

I think so, too. Certainly, they should be in scope for the “data protection” part, or (extreme example) you would be allowed to log personal data to a publicly visible server.

To be clear, when I say GDPR doesn’t apply. I’m taking about information requests (the topic of the linked article).

The data protection part of GDPR of course applies to all PII regardless of how it’s stored. But that part is not new in GDPR, the EU has had strong data protection laws for a while. (Even if people didn’t talk about it)

Sorry, but ICO stands for "Information Commissioner Office", and they seem to be UK organization, having .uk domain and all that. How can they recommend anything with regard to EU-wide law? Or, stating differently, how their recommendation hold any value at all?

Each country will have a Data Protection Authority (DPA) which is the regulator in the country. The ICO is the one in the UK.

The last letter of the GDPR is Regulation. A regulation is very different than than a Directive (the pre-GDPR law is based on a directive). There is very little wiggle-room with a Regulation, even between countries. The ICO also works with other DPAs currently as part of Working Party 29, which ensures the DPAs are working in Sync.

So the ICO advice is worthy of close study, especially if your local DPA (assuming you have one) has not commented or given guidance on a certain matter.

To add, the difference between directive and regulation is in Article 288 of the TFEU:

To exercise the Union's competences, the institutions shall adopt regulations, directives, decisions, recommendations and opinions.

A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.

A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.

Basically, a regulation is like a law. It’s directly binding as law.

A directive is something member states have to implement themselves, probably also by passing a law using their own national process for doing so. As such there can be (greater) differences in the different national implementations of the directives.

The ICO is the government regulator responsible for data protection in the UK, and as such the people who are going to be enforcing the GDPR here.

"The EU" doesn't enforce the GDPR, the Supervisory Authorities in each member state (like the ICO) enforce the GDPR.

The member states have agreed to abide by the GDPR, but their own specific data protection laws are allowed have slight variations, e.g. the specific age limit defining minor vs. adult.

The ICO is seen as a leading voice, with some very good guidance, e.g.: https://ico.org.uk/for-organisations/guide-to-the-general-da...

They're widely respected, but you're right it remains to be seen whether UK and EU enforcement will diverge.

There are a lot of businesses that market and sell in the EU, or that recruit or hire contractors in the EU. GDPR affects not only your CRM, but your marketing and sales stack, your HR stack, and any other part of your business that might touch personal data.

With a good system of record, you can track and manage all of the rest of the information and issues raised in the letter.

That said, in a large company with a lot of legacy systems, it may be tough to extract the actual data itself (or even know if your system of record is complete).

It's not baking security/privacy in from the start that's the problem, it's the need to have a "compliance officer" and have to handle these requests. Small companies don't have time or resources for this.

Look at the American Disabilities Act, an act that has done enormous good in many ways, but that has also lead to an entire industry of lawyers hassling tiny businesses over insignificant infractions. (e.g. https://www.mercurynews.com/2016/04/10/serial-ada-lawsuit-fi...)

Startups in the US won't have this hassle. You don't have to serve EU customers to reach mid size/product market fit, you can concentrate on iterating on your core product. When it's time to scale, then you can look at GDPR. So limited resources stretch further.

But if the lawyers in Europe start becoming a nuisance to startups there, it's just going to force more and more services to be located overseas, and more and more government complaining about the dominance of overseas tech, a problem they're probably going to make worse.

> Startups in the US won't have this hassle.

Startups in the US are what got us into this privacy nightmare in the first place. Of course, they are no longer startups, but they still didn't fix shit once they got bigger, so I don't see how this argument holds.

I like to think of privacy like internationalisation or security. When I started programming, Unicode/UTF-8 was niche and not well supported at all. Now, for new languages, it's a given. The same with decent crypto libraries. Databases now offer pretty great unicode support (except for the old ones where it had to be bolted on, coughMySQLcough). It isn't inconceivable that privacy tools become standard in databases and data processing frameworks.

Personally, I see this as a brilliant opportunity for people/companies who want to do the right thing for their customers (whether that's consumers directly, or a company using them).

My prediction is you'll see this with cloud providers strongest. Some are putting a lot of effort into GDPR, and a properly compliant provider will become a huge value-add, and not a liability.

> Startups in the US are what got us into this privacy nightmare in the first place.

Com'on. The internet and web when they started were a wild wild west that operated on the honor system. Most people were just starting to feel their way around what kinds of businesses could even exist on it. The Morris Worm was the canary in the coal mine about how the honor system wouldn't scale.

EU startups are no different than US startups, we just have more of them, there is a greater concentration of investment in that area here.

You don’t think BNP bank or AXA insurance play loose with sharing personal data? I had my Peugeot dealer share my purchase information with a third party “extended warranty” vendor without my permission. The vendor called me and sent letters. I never told Peugeot that they could sell my data. I have never given any business permission to call me — yet they do.

Blaming US tech is naïve. European companies have been engaged in non-digital forms of privacy invasion long before Google even existed.

I agree, but people on HN don't seem to care about those as much as US startups. Plus who is worried about car dealerships going under just because they can't pass on your data to some scummy vendor? (Also, some countries have laws close the the GDPR already, where this wouldn't fly.)

Having said that, shunning one car dealership is way easier than trying to stop Facebook or Google slurping your data, even with ad blockers et al.

> Startups in the US won't have this hassle

If I have a choice between an US startup that has no pressure to handle my data responsibly, and an EU startup that has a legal requirement to do so, I would choose the EU startup. The US startup may claim it takes care of my data and ask me to trust their word, but I know that the EU startup is forced to by law.

Perhaps it could end up as a competitive advantage for EU businesses.

You don't have to hire someone new. You just label an existing employee "compliance officer" and give him the relevant authority. Chances are he won't have to reply to a single letter, because unlike the web board imaginations, next to nobody will be motivated enough to actually send such a letter.

And all bigger companies already have a data protection officer, so he just gets this new job title.

If you look at what google does, they already offer you an admin panel where you can see all the information recorded about you, and you can download it, etc.

How is this much more of a hassle than being required to send people are receipt as proof of purchase...

Ensure customers can see what you record about them when logged in (probably in their user profile), then minimize what you record to what you need.

Every time any new regulation comes out, doesn't matter what law it is, Small Business™ trots out the same sob story: "Woe is us, we are too small to follow this new burdensome law!" I get it--it's going to be costly. This cost is one of many that founders will need to consider when they decide between go and no-go. If founders can't afford to follow (and prove they follow) the law, I think they should re-think their start-up idea. The ADA has done enormous good, in part, because of that industry of lawyers keeping a close watch for opportunities to sue. Same is probably true for HIPPA. Same will, hopefully, be true for GDPR.

The cost of compliance will fall drastically. My company (Aptible) started in HIPAA and is doing a lot with GDPR. They are very similar in a lot of ways, including the emergence of new systems of record for privacy and security management data.

The data protection officer does not have to be a full-time role. It can be part of someone's other duties, or performed by a contractor (Art 37 ¶ (6): https://gdpr-info.eu/art-37-gdpr/).

"Just look at the GDPR when you get above a certain size" probably won't be so easy. You'll have already committed to lots of things, lots of services, business model(s) etc. It's much much much easier to think about it from the start.

The reason why this is such a great letter is because it questions the competence of the recipient DPO. The data subject has a right to some of the information, but by no means all of it.

If the DPO complies with all of it, they will breach the GDPR (e.g. Request 9b). Of course a data subject also has no right to know what security controls (request 8) you have in place, other than they are 'commercially reasonable'.

A regulator can require this information, but not a consumer (data subject). This could be the basis of a great interview test for selecting your DPO.

The request themselfs are legit. E.g request 8 is aiming at the ISO 27001 which state that the information policy is to made public to stakeholders.

Request 9b is a bit tricky since the regulator have to be informed but not per se the data subject. Only if there is a risk for the data subject they have to be informed.

The letter is carefully worded itself. The parts the data subject does not have a direct right to know are friendly request (eg 4 vs 8b).

You can answer 8b just with one word: Yes. (Well or No)

The takeaway here:

If you give this letter to you technical personal you will get a detailed overview of the infrastructure they use.

If you give the same letter to your lawyer you would get a very polite letter with the bare minimum of information.

Example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not you personal data has been disclosed"

I found this part interesting: «Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions.»

Do you know if there's really a requirement to provide requestors with your beliefs about the law, or with legal advice you've received?

This language refers to the specific grounds established by chapter 5 of the GDPR under which transfer is allowed. The data subject is expecting you to point at the specific clause that provides legal grounds in your case.

> Example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not you personal data has been disclosed"

Arguably, such technology doesn’t exist (at least when plugged into a computer network). What penalties are in place if you lie in the response?

I'd expect "with reasonable certainty" to mean something different to pedantic lawyers/regulators than to pedantic cryptographers. Although perhaps an actual lawyer might suggest another phrase there, like "industry-standard measures" or something.

Yeah I think a lawyer would write something even more nebulous... We minimized the risk according with our assessment with industry standard measures in accordance with our threat model to a reasonable level of safety as defined in the international standards taking in account user experience and the requirements of our partners all in accordance with local and EU law...

Such technology can't exist, because it is fundamentally trying to prove a negative.

There are technologies you can use (with varying degrees of effectiveness) to reduce the risk of data leaking by monitoring or intercepting specific mechanisms through which leaks can occur, but you can never have reasonable certainty in this respect.

You can get most of the way there though: https://diogomonica.com/2017/10/08/crypto-anchors-exfiltrati...

Yes and no. That is the kind of measure that can help, but it's going to be very difficult to keep all relevant data within such a tightly controlled environment.

At some point you will probably need to work with the real data to do anything useful with it. There are situations where you really can operate on obfuscated/encrypted data, such as comparing password hashes, but these tend to be the exception rather than the rule.

And so, if you're compromised at a point with access to the raw data, or anywhere else from which access to such a point can be gained, you've still lost control of the data.

I am not Sure what penalties there are for lying. I bet it's expensive ;)

And with lawyers and words I like to think of this quote:

"It depends on what the meaning of the word 'is' is. If the--if he--if 'is' means is and never has been, that is not--that is one thing. If it means there is none, that was a completely true statement....Now, if someone had asked me on that day, are you having any kind of sexual relations with Ms. Lewinsky, that is, asked me a question in the present tense, I would have said no. And it would have been completely true."

The GDPR explicitly states that companies can prove their adherance to best practices using certification (https://gdpr-info.eu/art-42-gdpr/), so it usually would be sufficient to show a certificate from an accredited source to "prove" that data is handled appropriately. Don't forget though that the user also has the right to know which other processors or joint controllers have a copy of his/her data, so companies will have to provide a list with all of the services they use.

Technical types seem naively optimistic about how GDPR is going to work out.

Businesses will do enough to pass the sniff test of proper compliance with GDPR, and no more. I've worked with enough to know most mid sized orgs are far too reactive, too technically incompetent, and far too busy making money to do a proper job on adhering. Most flout existing laws already, I don't think they'll be scared of disregarding elements of this too.

I work at a BigCorp and we are taking this very seriously, adding processes and new retention policies to all internal datasets, and reconsidering our interactions with partners.

Was going to say the same thing. I work in ExtremelyBigCorp, and people are obsessing over GDPR.

Similar BigTechCorp, everything around me has been GDPR for almost a year. Deadlines are coming up, there are entire teams dedicated to following them up.

A slightly different point of view: I work for a company whose one of our products is related to identity and access governance and we have a large number of ExtremelyBigCorps from all around the world throwing A LOT of money at it (except Oceania, I don't think we have any clients there).

Maybe. Maybe not.

I know that there is a HUGE concern about the fines that can be used to backup GDPR.

I know of US companies that have a EU presence legally (but with little income from EU) that are considering just blocking EU traffic as a way to stay safe and smallest over-head.

Or you could just run a semi-competent data operation...

That really isn't the only reason the gdpr can cause headaches you'd rather avoid.

That's fine, businesses have that choice. Hopefully, GDPR gives people a choice w.r.t what happens with their data.

Many countries in the EU have a great standard of living by focussing on individual's rights vs companies. Well, I say focussing. From our perspective, it's just normal and a good balance. But if you live in a country where companies can screw you over in a million ways ("at will" employment, arbitration, NDAs, etc.), maybe such rights might seem a bit alien.

No, I mean my understanding of the law is unclear because the law itself is. It'll take a few court cases to hammer out most of the clearifications. Once it's better understood or made to be like the pci that literally spell out steps to take for minimum compliance it'll be a headache at best.

Fair enough, although how is this different from other laws? If laws were obvious, there'd be no lawyers or judges.

And if you've tried to comply with the law, but unintentionally fail to handle some edge-case with low impact, the sanctions are pretty light (e.g. a warning letter). It's not draconian, as long as you don't cut corners.

Most laws aren't so far reaching and the vast majority in terms of regulatory scope have been flushed out. These same issues do happen with any new broad far reaching regulations. This is one of the first that is both a significant increase in regulatory burden and that deals with, ostensibly, the global tech market.

Also, the fines here can be real money, which also isn't often the case. That plus the lack of clarity are why people are concerned about it.

Basically they're worried that you can do everything right and still be wrong because everything isn't well defined and is very difficult to define.

As a citizen of an EU country, I’d prefer to have the choice from as many companies as possible, and to decide myself whether I do or do not mind sharing my data with a company. This will reduce my choices.

I also disagree with you that the EU regulations are a good balance - it’s skewed way too far towards over-regulation.

That's just a band-aid though: they're effectively gambling that data protection laws won't ever come in effect in the US and Canada, all the while locking themselves out of expanding into the EEA market.

After the Equifax thing it's not looking like a very solid bet.

Would that be sufficient? I would think a EU citizen interacting with such a company from within the US would open the company for GDPR requests. Enforcing them might be hard, yes, but it could be enough of a nuisance.

I think this will change the world, just as the EUs push for lead-free soldering did.

You right businesses will do enough to pass the sniff test, the sad thing is that is more than what they have been doing.

GDPR has teeth.

While some outfits may blithely whistle past the graveyard - do you want to become the precedent that starts paying the % of revenue fine for non-compliance?

I'm just a random privacy-centric geek, and I'm getting spam about GDPR compliance.

Reading this actually makes me feel pretty good, my team & I have been working on GDPR tooling for our app for the past couple of months & combined with the fact-sheets we've prepared answering such a letter while complying with the individuals rights would be pretty straightforward.

I was thinking the same thing. Wouldn't be too hard to give that to a support person and get good answers. After the first one, a lot of it is reusable. And then a lot of it is already in the marketing materials we use for selling our services!

It seems to me that this letter is similar to a denial of service attack in the way that, although a valid request, it places an impossible burden on the recipient.

If so, the GDPR is similar to a broken protocol.

Maybe the people who designed it assume that it will never be misused. Anyone with experience designing protocols could tell them how dangerously naive that is.

If you can't answer those questions in a few button clicks, then you probably can't be trusted with my personal data.

We keep being told that "data is the new oil". It is. Not for money making opportunities, but because you have to handle it responsibly and if it leaks it will cost millions to clean up.

Or you are an early-stage startup with just a couple founders trying to do everything.

Early-stage startups with just a couple of founders who are too overworked to give a good answer about data protection are probably too overworked to actually protect the data itself, law or no law. We generally don't think it's reasonable for an early-stage startup to be too overworked to get their security right - you still have to write secure code, patch your servers, set up HTTPS, etc. Why is this different?

> you still have to write secure code, patch your servers, set up HTTPS, etc. Why is this different?

It's very different. Here you're requested to answer fairly detailed and potentially tripping questions with potential legal implications on your business. This has little with how you secure things technically. It's all about jumping through some bureaucratic hoops, and wasting your time doing it. Answering those questions won't in any way, shape or form improve the security of your business. It's pure distraction.

> It's very different. Here you're requested to answer fairly detailed and potentially tripping questions with potential legal implications on your business. This has little with how you secure things technically.

The difference is that you know offhand how to do one of these things but not the other.

> Answering those questions won't in any way, shape or form improve the security of your business. It's pure distraction.

Answering the questions is not intended to improve the security of your business, it's a form of serving your customers.

I think the legal implications people talk about are overwrought. Regulators are more interested in chasing down people who open flaunt the law, rather than repressing startups that can’t cross and dot their legal t and i’s.

My personal experience with the ICO has shown their quite lenient to mistakes, if you can show that you’re your honest best, and getting better.

No point crushing companies that are trying, better of getting the ones that just don’t care.

I certainly hope so. I'm not sure about Germany though. I have a feeling they're much more sticking to the rules (My company is based in Germany, but I'm not German, so it's kind of an outsider's observation).

But it's not even just about getting to a point of getting fined or under some kind of investigation or audit. It can be all those clever customers who would use some automated service or a template, just to waste your time ... At least that's what the original post is about, but I hope it won't be too common.

If the law relies on the regulator being in a good mood and be sensible, it is a badly written law. The law should give the regulator strict mantinels, not be subject to broad leeway in interpretation.

Around here, regulators are prone to scoring easy points by going after the small, naive fish. All it takes is the wrong incentives: the department needs to show results, so it gives bonuses, or establishes quotas for successfully handled cases. Bam, your small business is now investigated because a government employee needs to meet a quota and correctly guesses you can’t afford competent legal defense.

It's not designed to help you. Improving the security is your job. It's designed to reveal, through your answers, whether you're doing it right or not.

Early-stage startups with just a couple of founders who are too overworked to give a good answer about data protection are probably too overworked to actually protect the data itself, law or no law.

People keep making this kind of argument, but it makes no sense.

Personal data isn't protected from leaks and privacy intrusions by documents or emails. It's protected by encryption, or only being processed by software with a clear purpose, or simply not being stored in the first place.

I suggest that it is not only possible but also quite likely that a reasonably diligent startup will be taking reasonable practical steps to secure personal data but will not have formal documentation or automated processes in place of the kind that would deal with a SAR like this.

I agree that it is likely that a reasonably diligent startup is generally doing the right things just out of general competence. But I disagree that they are reliably doing the right things.

We expect programmers to write working code out of general competence (and we even make sure they know how to write working code in the interview process), but we still write tests and insist that they pass. We expect finance folks to handle money correctly out of general competence, but we still have written policies about how money should be handled. The reason we do these is that good, well-intended people occasionally make mistakes, and in both of these cases, the mistakes have real consequences.

A written policy about how you handle data isn't going to save you if you're messing up in general. But it should be easy to write, and it will save you from "Wait, why did one of our interns add a library that sends stack traces and local variables to a third party? How did this code review even get approved?"

The documents don't protect your users' data. Your general technical practices protect your users' data. The documents protect your general technical practices.

That seems like a reasonable argument, but I can't help observing that when we write code, documentation is generally viewed sceptically because it so easily gets out of sync with the actual behaviour of the system. Automated tests have become a more trusted check on whether code is doing the correct thing, because they aren't vulnerable to that same effect, but there doesn't seem to be any direct equivalent in this context.

So I think I would still argue that the security benefits of this law in terms of any documentation and processes it requires are at best unproven, and that a startup could be doing the practically useful things needed to protect personal data regardless of how compliant or otherwise they might be with any documentation requirements.

I wanted to send you an email or a twitter DM, but your HN profile doesn't list contact info. (I'm anonymous because I am a moderately visible figure in the tech community and don't want what I say to result in my company getting flamed.)

I wanted to tell you how impressed I am with how patiently and clearly you've responded throughout this comment section.

I likewise think the intent of the law is admirable: prevent future Equifax-es, give people control over their data, and centralize the requirements so that companies need to comply with a single EU standard, instead of 28 country-specific ones. But the amount of discretion left to regulators and the lack of any sort of proportionality built into the law make this all very scary. We are expecting a fifteen person small business to have a totally impractical degree of _documentation_ and _formal_ processes, which are 1) very expensive to produce, 2) totally unnecessary for an otherwise reasonable and well-intentioned group of people, and 3) crucially, basically orthogonal to actual data privacy and security best practices.

And even if you comply with the letter of the law, just reading and understanding an email like the one in this post will require hundreds of dollars of company time – beyond reading it, it will need to be escalated, someone will need to loop in a few other people to help with any new technical details, and so forth. If the fully-loaded cost of a white collar employee is $75/hr, this all gets expensive very quickly, and that cost can be levied on a company by an email that can be sent in one minute. Nobody is going to bring down Google with GDPR-spam but it would not be hard to do serious damage to a company of ten people.

There are a lot of well-meaning thoughts in this thread from people who are frustrated at the status quo but unfortunately don't understand how little this law will do to change it and how huge its costs will be.

When you try to deliver a novel product and build a business around it, you are forced to develop a strong sense of practicality and an understanding of the machinery of a business. Most people have never done this. Despite being very intelligent, a lot of these people haven't experienced the realities of creating a business, and as a consequence they don't really understand just how harmful this kind of law can be.

I admire how patient and articulate you are. (And I think your thoughts are clear and your point of view is correct and badly needed.) Would love to buy you a beer sometime.

Couldn't agree more. It's not just that I can totally relate to everything Silhouette was saying, but he/she definitely presented their thoughts calmly and thoughtfully, even in the face of quite blatant trolling in a few instances.

Since Silhouette (and gdpr_throwaway) want to keep their anonymity, I opted for virtual beers by upvoting :) But happy to convert those karma points to real food or drink -- and hopefully an insightful conversation -- if you feel like getting in touch (my details aren't so private).

Thank you, that's nice of you to say. The ability to contribute honestly to this sort of controversial discussion is exactly why I have a pseudonymous account, so sadly I won't be able to take you up on that beer, but I do appreciate the thought.

I disagree with you in the burden that GDPR places on a company. If a company takes data protection seriously handling such a letter would be a matter of minutes because they already have the processes in place. The GDPR is almost two years old now and it's just an update of the DPR which has been in place since the mid-90s: nobody should be caught by surprise by now except companies that deliberately decided that making sure you're compliant with the law is something that should be ignored right until the cops are knocking at your door.

What exactly about being a startup makes this a lot harder? I'd expect a startup would in many cases have a fairly easy time answering requests like this, since it won't have built years worth of legacy systems, half-abandoned projects, weird cross-department data accesses etc that could catch a large company here. You'll likely have fairly centralized storage and a reasonable number of service providers you use for specific purposes. + the typical startup has more or less the same relationship with every customer, so it should be fairly easily repeatable once you've documented it once.

For the few small companies I've worked for, this would have been a bit of work once (document the dataflows), and then a fairly easy set of queries to be repeated each time.

It's not just about answering the questions. It's also about answering them in a legal-safe way that won't put you in more trouble than not answering them at all. And any small variation in the questions can require someone with legal experience just checking this, which costs money.

To add to a sibling comment, Google can afford a big enough legal department for estimated 0.00000x% of their turnover that deals exclusively with these.

For smaller organizations, this becomes more like 0.x% of turnover...

Not to mention the distraction and plain overhead when you're juggling so many other things.

> It's also about answering them in a legal-safe way that won't put you in more trouble than not answering them at all

By that logic don't you need a lawyer to handle all customer support interaction?

Couldn't you get sued to fraud if you fail to document purchases in a legal-safe way?

Having fewer people. The task may only be 1/100 as hard for a startup as for Google, but there are 1/10,000 as many people to perform it. If so, the burden on the startup is 100x greater than on Google.

If you work with data security departments at large companies, you get these types of questionnaires all the time already. And every single question has been answered a dozen times before, but each new request's questions have subtle nuances such that it's impossible to build up a FAQ comprehensive enough that a non-technical person could copy-and-paste answers in a legally safe way. You'd think it would be possible, it just isn't.

The part that's not clear about the GDPR is whether you're obligated to manually answer any data-related question a user has, or if you can just post a comprehensive FAQ + data export / account deletion tool, and auto-respond to GDPR requests with links to those.

Looking this over, and looking at the startups I've either worked for or applied at, I really don't see how it would take more than a couple of hours to fill out the bulk of this form (the parts that would be reusable for every request after it), and then a couple of database queries for the specific data for the user.

Hopefully if you are a company that small, you haven't had time to develop multiple data warehouses. You can write up a script to query your single warehouse to get the necessary data. You won't create a unique response for each letter, except for filling in all the user's personal information. Instead, you'll write a letter like:

Here is a listing of everything you have a right to know about our company and processes under GDPR:

<huge info dump>

Here is all of the personal data we have about you:

<very long CSV file>

Ideally, the most time-consuming part of responding, after the first such letter, will be verifying the user's identity.

Or just one of the almost-all companies that never grows beyond a handful of staff, for that matter. People talk about regulatory matters like the GDPR as if all businesses grow to become large, but here in the UK for example, only about 1 in 25 businesses has more than 10 staff.

Just because you're an early-stage startup (or virtually any entity really) you're entitled to not protect my data?

Incidentally the minimum viable products that the early stage startups with two founders are kicking off are the ones that are most likely to put your data at risk. This is fair and just.

> Or you are an early-stage startup with just a couple founders trying to do everything.

Then limit what you record. What do you need to store that isn't visible from peoples user profile when logged in?

Why would this be harder? Wouldn't such an early state startup with two people likely have much much fewer users and by extension actual GDPR requests?

The entire reason the tech startup thing works (to the extent that it does) is leverage: each employee serves a very large multiple of users. Anything that changes that calculation has the potential to eliminate the value proposition.

The context is an "early-stage startup with just a couple founders."

It's unlikely that the number of requests of the type referenced in this article would be sufficiently large enough at that stage that it wouild "eliminate the value proposition."


You know that the GDPR violation fines start at 10m or 2% of worldwide revenue, whichever is higher, right?

These are up to limits, not start at. The second class is 20 million/4%, but still up to. And given the long list of factors to consider for the fining authority, they can't just slap close-to-max amounts around without supporting evidence for why that's appropriate.

In the Netherlands we have a similar problems due to the "Wet Openbaarheid Bestuur" (Law of Open Administration)

Basically, you can request any non-sensitive information from any government agency and they have to provide it within a reasonable term or pay a fine to the requester.

This caused people to request all calibration reports of a speed camera if they got a ticket, because for quite some time the government would waive the ticket if you stopped the request.

When it got abused too widely they automated the process and now it's not a problem. This is also how large coorporations should handle this problem.

Large corporation have the resources for this. Small startups that are built on an ecosystem of services do not.

Oh another startup that wants to track-all, profile-all, sell-all the data they can get about me and not even bother with basic information security?

Can't feel too sorry for them

Then they either shouldn't process private data or should only work with services that can provide such information. No one needs to process personal data - if you don't the answer is a matter of seconds.

Then you have a government enforced monopoly for large companies in the personal data space.

Which is a good thing.

If you phrase it as "large companies," then it sounds bad - but it forbids incompetent large companies too. It enforces that only companies that are competent enough to answer questions about data protection can be in the personal data space. If a small company is inherently incapable of answering those questions or handling the data properly, it shouldn't be allowed in that space.

It's like saying that there's a "government enforced monopoly" keeping newcomers out of the food business by not letting them just make things in their apartment and hand them to Uber Eats. It is a technically accurate description, but most people who believe that government has any legitimate functions at all see health inspections as a good thing.

You just have specialization. Most places I've worked that deal with card payments, for example, opt for payment processors that lets them tokenize payment data because it means they don't have to store it with the according additional risks of having a copy of the payment data in their database. There are still plenty of payment provider options.

Not really. You have what already exists for handling investments, e.g. you pay Yomoni (a tiny startup) to make decisions for you but your money is handled by one of the big banks e.g. Crédit Agricole. Your point is somewhat valid, but also amounts to "there is a government-enforced monopoly for large companies in the airliner production space". Damn right there is. For the same safety reasons.

Nor do small startups have to fear request traffic that's in any way comparable to what a big company can expect.

We've had something similar in the UK for a long time, but it actually works pretty well.

There will always be a few people out to cause trouble with excessive requests, but I don't think we should let that block access to non-sensitive information for things we as the tax payer have paid for.

The regulators aren't stupid and have thought of this.




You can wait 3 months (not one).

You can charge £10 if the request is complicated.

A £10 fee for a ridiculous fishing expedition which would likely require at least one person-day of work, with that person probably being a knowledgeable and key employee?

A $1000 fee would seem a little bit more fair.

This might seem fair to the person incurring the direct cost of the response, but is markedly unfair to the person earning minimum wage who is concerned about the handling of their personal data.

The law needs to be applicable to everyone, and imposing high costs is generally considered to do the opposite: http://www.bbc.co.uk/news/uk-40727400

A person earning minimum wage may be concerned about all sorts of things, and the degree of his concern can be entirely unrelated to (1) the likelihood of the concern being legitimate, (2) the potential monetary harm to the person, (3) the cost to society of investigating and reporting on it, and (4) how fairly this cost is allocated.

It is utterly unfair to compare subsidized access to an employment tribunal (potential harm: months of undeserved unemployment, loss of home and possessions; cost of investigation: spread across the entire nation's taxpayers) to almost-free access to your GDPR privacy report (potential harm: a little bit of mental discomfort; cost of investigation: borne by one organization, potentially ruinous for a small business or solo project).

As said in other comments there is no obligation for any company to store personal information, and without such information the request can be easily dealt with by a simple form letter.

Companies storing and losing PII have a huge negative impact on the affected users, like e.g. credit card fraud or tax refund scams. This bears a huge actual cost to the victims, either because they never get back the stolen money, or because they need to invest significant time and expenses to fight for it.

A company trying to make money of my PII should better be prepared to handle it securely and to delete it upon request. Handling of GDPR requests must be calculated by them as part of the data handling expenses.

Consider: - A landlord holding incorrect data on rental payments. - A company holding personal financial data.

In both of these cases if the information is misused it has consequences for the individual, and (relatively) higher cost for the individual on minimum wage.

In the former, this can affect your future ability to find housing. This potentially leads to extraordinary stress.

In the latter the consequences again affect both wealthy and poor, but the person living hand to mouth faces much more serious consequences if their wages are adminstratively docked to pay for costs fraudulently registered in their name. Further, they're unlikely to be able to pay an expert to resolve this or take time out of work to do this themselves.

Legislation compliance should be built in as part of your product offering. If you don’t that day’s work is just technical debt you chose to take on immediately.

Thus giving companies a strong incentive to clean house and make sure they have a good amount of control over your private data.

If you can't answer these questions promptly, preferably with a form letter referring to the self service features of your website, then you are setting yourself up for this.

> it places an impossible burden on the recipient

Which items do you feel are an impossible burden?

From what I see most of the items pertain to one of two possibilities:

1 - General procedures or information about the company (keep this updated and it's the same for all requests)

2 - Information about the subject (export their data in an automated fashion)

The thing about 'decisions based on their data' might be tricky, but I guess you can share what you concluded from it and the overall rationale (for example, Facebook's "Why am I seeing this" over an ad)

You don't even need experience with designing protocols to understand that. Real-life experience with how law is practised in some EU member countries is enough.

There are law firms whose sole business model is targeting small companies for not complying with certain regulations like legal notice requirements or disclaimers on websites.

Only time will tell if this will be the case with GDPR but there definitely is a risk that this new regulation will be abused by dubious players.

Its looks especially damaging to the already frail EU startup ecosystem.

>".. it places an impossible burden on the recipient."?

Impossible? Why is it not possible?

What provisions are there in place for a company receiving this type of request to confirm the identity of the requesting party? Are companies expected to be able to properly identify a citizen, in order to not disclose possibly very sensitive information to someone else impersonating them? In a lot of cases the company might not even have enough information stored in order to know who the owner of a given account is. How do you prove "abc123@example.com" is Mr. Smith, if your service doesn't ask them for names? Or if it does, which Mr. Smith do you have on record? Email original senders can be spoofed.

The first thing I'd do if I was a black hat type attacker would be to submit GDPR information requests to all internet companies I could think of in behalf of all my targets.

I haven't seen this reasonably addressed in any of the discussions, or org-based-presentations thus far. GDPR compliance itself basically ensures you cannot collect enough information to even defend against this type of attack vector.

This is mentioned in the recitals: you can request additional identification, in fact you should if you can't identify the subject [1] and if you can demonstrate that you can't identify the data subject (with reasonable effort), you don't have to comply to the request. [2]

[1] https://gdpr-info.eu/recitals/no-57/

[2] https://gdpr-info.eu/art-12-gdpr/ (point 2)

What frustrates me the most about the GDPR is that a single person building a mailing list for a $19 ebook launch is just as affected and burdened as any other company. A side-business that might make you $30,000/yr is now no longer worth pursuing because of the costs of working with a lawyer to make sure you are GDPR compliant and have all of the right policies in place.

It raises the barrier to entry for small one person businesses even more, forcing out anyone who can't justify the costs of compliance.

If you're building a mailing list for your ebook, won't you just need:

1) Allow people to login and view their personal information: name, email. 2) Allow people to delete the profile.

And don't retain any data other than (1) or (2). If you want to track users to see if they clicked links and what countries they are browsing from then: (A) anonymize it or (B) make it visible in the profile information (1).

If all you record is name and email, you won't need a lot of infrastructure. Your policy might say you transfer email addresses to AWS when sending emails.

Perhaps services that help build mailing lists will offer a feature of handling GDPR requests on your behalf.

The comments are an eye opening experience, amazed to see how so many people think they don't have a huge responsibility to the owner of personal information. More of a reason why GDPR is needed.

I’m amazed people think they own personal information at all. As if writing their name on something makes it their property.

While you may be amazed, this is literally now the truth in EU.

The right to control such information is established as a right of the individual; and if you have possession of some information about me, then yes, I have more rights to control what you are allowed to do with this information in your hands than you, and that information can never in any way fully become "your property".

As if possessing something makes it your property - property is a legal notion and (in democratic countries) means just what people want it to be.

Devils advocate -- if I write a poem for instance, and post it online, then copyright law still gives me control over uses of that information. People don't have the right to do whatever they want with that info. Is this so different?

Similarly, companies often include EULA and shrinkwrap contracts governing what users are allowed to do with information accessed on their webpages. So why can't users collectively write a similar contract pointing the other way?

The name itself is what is owned. You agree, since you just said "their name," i.e. "the name owned by them."

If this kind of request is a "nightmare" or too much of a burden, they should automate it.

"We put lots of engineering effort into mining your personal data and selling bits to other people, but we can't be bothered to put any engineering effort into disclosing on your profile or account-settings page what we're doing with your data."

A lot of the questions are answerable generically (no differences between users). You can't tell me that writing a data privacy FAQ with those answers in clear, simple language, once, with a link on every page and on users' profiles, is an excessive burden. These companies just don't want to have even that minimal burden and process to ensure that changes in usage of personal data get documented and updated on such a faq.

The GDPR applies as much to a startup or side business as it does to Facebook and Google.

A letter like this would be a hugely disproportionate burden to a small business like that. It would take many hours, if not days, to reply properly to all of those points, even for a business that is doing nothing shady or unusual.

You can't just write "automate it" as if that has no cost.

What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?

If a start-up is doing things with personal data so that answering those questions takes more than a few paragraphs, isn't the start-up pretty much a personal-information-processing business, and doesn't it deserve to have the burden? Doubly so because start-ups often leave security considerations for later; any personal information they collect or share may not even meet the minimal industry standards and expectations of larger companies (not that such informal standards are adequate—those larger companies are often incompetent themselves).

What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?

It doesn't have to be doing any of that. Just the time and money to have a lawyer review this letter and identify the actual obligations is already a significant burden. For example, notice that just replying with everything requested here would in itself potentially breach data protection law.

A lawyer? Don't you think that's just a tad excessive?

Maybe for routine requests, but not when you get a letter on a legal matter from someone who is clearly looking to cause trouble.

Making sure your company isn't screwing me over by throwing my personal information around willy-nilly isn't "looking for trouble"

Perhaps, but making sure a company isn't screwing you over by throwing your personal information around willy-nilly doesn't require opening with a direct threat and then listing 40 or so different demands for information, several of which are technicalities which have little relevance to determining whether or not the data is really being handled safely and responsibly anyway.

A normal person who really was worried about how their data was being used would probably write a polite letter asking what data was being stored, how it was being used, and maybe a couple of supplementary points if they had particular concerns or perhaps had heard a warning about some specific practice that could be dangerous.

Why do companies deserve the benefit of the doubt anymore?

Why are you getting lawyers to review the letter?

Because it's hard to correctly understand. That's the point of the letter, it's called nightmare letter because it was specifically crafted to be as confusing and hard to understand as possible.

It's not hard to understand. It's only hard to understand if you've built your business around slurping people's data and using it without consent - something that's already mostly illegal in the EU.

A lot of GDPR is not new. It's just clarification of existing law.

Not true. You're right in case of Germany and some other western countries, but it's completely new for most countries, especially to the east.

I think it's very clear written. It's a nightmare letter because it ticks all the boxes, so to speak -- author asks all possible GDPR-related questions he can ask and business is legally required to respond to.

All you’re telling me is that your Agile Startup doesnt have:

1) an updated Asset Inventory

2) a Data Classification Scheme

3) Data Labeling Policy & Procedure

Those are basic components of an InfoSec 101 course taught by Community Colleges and the top basic items GDPR is wanting.

Yes, I can just imagine this is the first thing I'd do when starting a business. /s

Okay, that's fair.

Don't do those things when you start a business.

But, then, don't have your business collect and process data on individuals.

> Don't do those things when you start a business.

> But, then, don't have your business collect and process data on individuals.

Aren't those two statements together effectively equivalent to "don't ever start certain kinds of businesses"?

Yes. That's the policy goal. Don't start businesses that are inevitably going to hurt people.

There are lots of other profitable businesses you're not allowed to start, like "an agile, disruptive restaurant that cuts costs by never cleaning" or "an investment advisor that front-runs their own customers" or "a healthcare startup that runs on unpatched Windows XP" or "a company that helps you get work visas for nonexistent jobs" or whatever.

“Don’t do those things” isn’t advice here, it’s shorthand for “you can refrain from doing these things, but in that case....”

In other words, some businesses have requirements. If you don’t want to follow those requirements, don’t go into that business.

No, they say that you can either run a fly-by-the-seat-of-your-pants startup, or handle private data, but not both at the same time.

If you want to be entrusted with people's private data, then the table stakes are much higher than simply starting a business, and you have to be prepared to invest the time and resources to do it properly, or you're not allowed to do it at all.

Billing and marketing (such as double opt in lists) data is private data.


Don't start certain kinds of businesses without being willing to deal with the reasonable requirements of starting businesses of that kind.

If I start a biotech startup, then I need to make sure I'm keeping all health data I encounter well protected. This _does_ mean it's harder to start a business in this space—but not impossible

If you're not willing to make that tradeoff, then don't start that kind of business.

We don't let you start a medical practice without licensing either.

That’s the goal.

My data is my data, not the fundemental requirement of some businesses.

I certainly respect your desire for no businesses to have certain pieces of of your personal data, but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".

And beside that, regulations that effectively result in prohibiting certain kinds of businesses even though they don't explicitly do so are bad regulations IMO.

> but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".

There are companies tracking the SSID of my phone with wifi beacons to find out which stores I was physically visiting. How do I opt-out of that?

Sorry to bring the tired "you're not the customer, you're the product" line, but the way the industry is set up today, I'm starting to doubt there is so much difference between the two options.

Tracking and data collection is baked into so many services nowadays that you'd have to be extremely attentive as a consumer to avoid any tracking - also be prepared to face a lot of inconveniences and restrictions. If possible at all.

I understand your sentiment, but we’ve swung so far towards the unrelenting abuse of consumer data, I’m supportive of regulation through any means necessary.

To your point, if a business is not explicitly banned, but banned because of regulation about what that business can do, that’s exactly the sort of regulation we want. We don’t dictate your business specifically, just what you can and can’t do with the data. If you can operate within those regulations, congrats!

* MAC, not SSID. Pardon.

If you don't have basic infosec when starting a business... Don't start a business. It's 2018. Companies get hacked for a ton of reasons, it's redicolous how badly companies exploit customer data and then fail to protect it. Companies need to be held liable for that

GPDR does not, and government checklists can not, ever, cause companies to have acceptable infosec. Any attempt at security-by-bureaucracy is inherently doomed to failure. This is why business consulting groups’ “security” divisions are the butt of countless jokes among security researchers. No bureaucrat, executive, or politician can ever make enough forms and flow charts to secure data.

Exactly, GDPR is only asking for Security 101 Basics.

* Data Classifications

* Privacy Impact Assessments

* Log Reviews

* Incident Reponse

The GDPR is an EU regulation, but you appear to be adopting some US(?) based conventions and terminology, and then posting a string of buzzwords that have little if any connection to the subject at hand.

Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?

You probably need a lawyer to help you write the document the first time, and to update it when you make new partnerships or develop major new pipelines for data. You probably don't need a lawyer every time you receive such a letter.

You probably don't need a lawyer every time you receive such a letter.

For routine enquiries, maybe not. For a letter like this, from someone who is clearly intending to trip you up and cause trouble, our lawyer is the first call I'm making, every time.

And that initial conversation is already going to cost me hundreds of pounds and a half-day of work, even if I already have reasonable answers to anything we are actually required to respond with under the GDPR here.

> For a letter like this . . . our lawyer is the first call I'm making

/shrug It's your money. You could do that, or you could even light it on fire if you wish. It's no skin off my back. If your company is profitable enough to eat this self-imposed overhead, then its owners will just make less money. If it's not, then leaner competitors will replace it. I'm fine with either outcome.

In this area, we have no idea which overheads are actually going to prove justified and which are just throwing money away. That's one of my main points here. As I've argued several times on HN recently, a big part of the problem is that if you're running a small business that isn't handling large amounts of personal data but obviously is going to be subject to the GDPR like everyone else, there is no clear indication of what you have to do to be considered reasonably compliant.

The GDPR itself is very heavy and has little in the way of moderation for small-scale data controllers/processors, so in practice it's going to come down to interpretation by regulators (and potentially anyone who has rights under the GDPR and wants to make trouble, as in the example we're discussing). If you don't do enough, you potentially face even greater overheads due to formal audits, financial penalties, etc. If you do too much, then as you rightly point out, you leave yourself at a disadvantage compared to competition who don't do as much (and this remains the case even if that competition is knowingly breaking the law as a result, and that in turn doesn't matter if they face no meaningful penalties for it).

> we have no idea which overheads are actually going to prove justified and which are just throwing money away

Life is risk. I contend that if you make a good faith effort to comply with this law (i.e. consult with a lawyer, once, to develop those eight documents you mentioned in another part of this thread) and generally practice good private information hygiene (wipe out old data, don't log private info, don't retain logs or emails too long, etc.), you're probably going to be fine. This is probably not going to be in the "inner loop" of risks your small business faces.

In every regulation, there are winners and losers. Some of the losers didn't do anything wrong, but are just losing because that's the nature of designing laws that factor in disparate interests. At this point, it's the law, and your only choice is how you're going to handle it. And my contention is that, if your small business is receiving letters like this with any regularity, calling a lawyer and spending half a day on it each time is not among the reasonable spectrum of risk-mitigating responses.

To be fair, the EU introduced a two-year transition period with the express purpose that businesses should update their processes and basically identify and prepare for potential problems such as this one.

This transition period is ending this summer. Why is this discussion taking place now?

I'm involved in GDPR-compliance taskforce in our company, and I can answer this question.

GDPR is very broad and open to interpretations, which will happen only when someone got caught, i.e. during first legal battles.

So, transition period does not really help, be that 2 years or 4. We need to see how this law gonna be enforced by regulators, and which common IT practices constitute breaking the law and which are not.

This transition period is ending this summer. Why is this discussion taking place now?

Because no-one thought to inform most of the businesses affected by it before, and awareness has only grown in recent weeks (and even then probably only among business people who frequent forums like HN where the subject has come up).

> (and even then probably only among business people who frequent forums like HN where the subject has come up).

Every business I've worked with over the last couple of years of consulting have had sessions on GDPR entirely without any technically minded people having to bring it up.

I'm sure there will be people caught by surprise, by what I've seen has been very promising.

Every business I've worked with over the last couple of years of consulting

OK, but if you're going into a business and consulting, that already suggests both a certain scale and a degree of awareness within those businesses, so this isn't likely to be a representative sample.

I'm not consulting on the GDPR, and my clients range from 2-person companies to 2000 people with most of them being much closer to the low end than the high, so while it certainly will be a biased selection in other respects (e.g. they're companies with a certain degree of technical complexity) I don't think it says much about awareness (other than already having more tech staff) or scale.

Additionally, most companies without much technical infrastructure are less likely to be affected much in the first place.

> there is no clear indication of what you have to do to be considered reasonably compliant.

This is just untrue. THere are fucking reams of advice to small businesses.


Unfortunately, that guidance still doesn't provide specific, actionable advice in even a lot of everyday areas, as we've seen in just about every HN discussion on the GDPR in recent weeks when recurring themes like backups or log files or payment processing services come up.

Also, having "fucking reams of advice" is not a good thing. To be practically useful for the kind of organisation we're talking about, advice needs to be clear and concise. A starting point that will take days just to read through and understand isn't very helpful.

> Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?

You don't need a lawyer to reply to GDPR letters. You do need to comply with the law when you collect personal data. What you're saying is "I should be free to ignore the law until someone writes to ask about my compliance, and when they do it's burdensome for me to get legal advice to respond to that letter".

I'm saying no such thing, and it's neither courteous nor constructive to twist words like that.

You keep asserting that it's not necessarily to have a lawyer review a letter, despite the letter being legal in nature and in this case clearly coming from someone who is looking to cause trouble. Clearly you and I have very different attitudes to risk in this respect.

In any case, an obligation to comply with the law is self-evident. My objection is that the law itself is poorly implemented and that what is necessary to comply is ambiguous.

Everything you do with customers is legal in nature - what do you think governs your relationship if it's not legislation?

Your repeated scare mongering around GDPR is fucking tedious, especially since almost everything you've said about it is false.

Everything you do with customers is legal in nature

But most interactions with my customers do not begin with a multi-page letter that literally opens with a direct threat and then proceeds to demand a response on 40 different points.

Your repeated scare mongering around GDPR is fucking tedious

I run small businesses, and we have been dealing with GDPR issues. The ambiguity and overheads I have been talking about in this discussion are costing us time and money right now. Dealing with a letter like they one we're discussing would cost us more time and money. Apparently we aren't alone in these respects.

Some of the GDPR's supporters have argued that the lack of proportionality in the actual regulations is not a problem because the regulators will enforce it pragmatically. I have personally heard such arguments made about onerous EU rules before, and through my own businesses I have been on the receiving end of government mistakes and their rather unpleasant consequences. And again, that wasn't some freak unlucky event: thousands of other businesses are known to have been subject to similar problems, in more than one incident, involving more than one government authority.

A few people have suggested that involving lawyers in response to a letter like this is unnecessary. Clearly it's going to be a matter of risk assessment, but I don't think it's unreasonable. Once again, I have personally seen (at a former employer in this case) how much time can be wasted if a company gets caught up in formal legal proceedings even having done nothing wrong.

In short, there are people out there dealing with the issues you call "scare mongering" every day. These are not just hypothetical problems. Maybe you've never been caught up in them yourself, but sadly not everyone is that lucky.

especially since almost everything you've said about it is false.

If you're going to call me a liar, please at least tell me what I've written anywhere in this discussion that was false so I can set the record straight.

Aren't those letters already pretty standard anyway? I was sending those to various places > 10 years ago using the existing privacy/data protection laws in the country I was a resident in.

(you get fun stuff back, I got all the logs from my public transit card that way)

You don't need a lawyer when you talk to the police, you just need to not break the law.

Well yes, if you've built a business around illegally using personal data you may need to get a lawyer involved.

It would be better to get the lawyer involved when you start your business so you know you're complying with the law.

And almost everything in GDPR comes from existing laws (IN UK the data protection act and PECR), so if your breaking the law under GDPR you're probably breaking the laws that exist now too.

>Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

Data Classification

>a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

Data Classification

>b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.

Asset Inventory

>2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

Privacy Impact Assessment

>3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

Privacy Impact Assessment

>a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

Privacy Impact Assessment

>b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

Asset Inventory

>c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

Access Control

>4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

Data Retention

>5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

Data Collection

>6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

>7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

Breach Escalation

>a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.


>a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.

Log Review

>c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

Security Awareness Training

>8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security.

Get an ISO audit.

I'm sorry, but this comment reads like something written by an academic with no real world experience of data protection issues and running businesses at all.

You should be able to provide this from a SQL query.

Please tell us all what that query should be, then, and how it's going to cover the relevant data stored in log files, emails, remote services used for payment processing, off-site backups, etc.

That's just a very minimal set of other places that almost any new online business is likely to be working with on day one.

Data Classification Plan

Asset Inventory Plan

Privacy Impact Analysis

Privacy Impact Assessment

Access Control Plan

Data Retention Plan

Data Collection Plan

Breach Escalation Plan

You're suggesting that in order to handle this kind of request -- which none of my businesses has ever received from anyone in many years of trading -- we should write up 8 different formal policies? These businesses probably don't have 8 different formal written policies in total at the moment. This is just totally detached from the realities of running small businesses, though it does reinforce my point about disproportionate burdens.

[The parent comment appears to have been edited after I wrote this. The terms above were in the original.]

>The parent comment

I wasn’t finished writing.

>we should write up 8 different formal policies?

Yes. That’s obvious.

You're making the parent's point. This is disproportionately burdensome to companies that don't have people dedicated to writing policies or lawyers dedicated to reviewing them.

Then refrain from collecting and processing data on individuals.

How is that a useful solution to anything? Almost any business will handle some form of personal data, and as such will have some degree of compliance overhead.

More overheads are generally bad for business. In the run up to Brexit, and given figures from the Chancellor's statement just this week showing relatively low productivity and growth in the UK economy, it's remarkable how many people don't seem to have a problem with increasing those overheads and thus negatively affecting the creation and growth of businesses.

There is a balance to be struck here. Protecting privacy is important, but not regulating in a way that introduces excessive burdens is also important.

If you want to collect and process data on individuals, then start implementing Security 101 basics:

* Data Classifications

* Privacy Impact Assessments

* Log Reviews

* Incident Reponse

An ISO audit takes how long and costs how much? Do you expect every company that handles email addresses (that's PII) to perform an ISO or SOC2 audit before accepting customers?

The answer every single time is:

A) You are using personal data in good faith as part of and don't need a lawyer. Just reply. I work for an organisation at the larger end of the SME scale and wont be using a lawyer. Like I don't use a lawyer for routine contractual disputes like debt collection until the debtor refuses to pay.

B) You are walking a fine line and relying on the exact wording rather than the spirit of the law. You are not acting in good faith and trying to make money out of customer data. You need a consultancy firm and lawyers and you wont get any sympathy from me.

I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette. I find it OT and I hope the moderators do to.

Option C is that the letter was written in bad faith, and the sender intends to "rely on the exact wording rather than the spirit of the law" in order to get me in legal trouble.

That's why the regulator can, must and will exercise judgement. They can't sue you for $bignum after getting your response, they can point the regulator towards you and claim that they've been abused, but if they are the abuser, then that's not going to fly.

Being the target of a government investigation is in and of itself an expensive process. You have to spend a bunch of time preparing your side of the story in exacting detail. You probably need to put a freeze on any changes which might make the regulator think you're trying to cover up previous misconduct.

And of course, if people find out out you're under investigation, a lot of people are going to just assume you did something wrong. You won't be able to fix that no matter what the regulators conclude.

I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette.

To the extent that I am anti-EU in some respects, particularly around the areas of small businesses and excessive regulation, that is born of experience. As I have mentioned in previous comments, which apparently you might have seen, I have been on the wrong side of EU rules being over-zealously applied before, and I have been on the wrong side of a government regulator that is for most practical purposes above the law making a mistake before. Some things that some commenters tend to dismiss as hypothetical, I know from direct personal experience to be real threats, and I will challenge bad laws that allow scope for such threats to exist.

I find it OT and I hope the moderators do to.

I'm sorry that you feel censorship is a useful response to someone with different experience and views to your own. I like to think that HN is a forum where people can discuss such differences of opinion openly and intelligently.

>I know from direct personal experience to be real threats

Access Controls, Data Classifications, and Privacy Impact Assessments requested by GDPR are not a threat.

That’s just security 101 basics.

No, the threat is having rules that are ambiguous and subject to interpretation by regulators with the power to at minimum cause serious disruption through a formal audit and at maximum impose fines that pose an existential threat to a small business.

And as I said elsewhere, if you think that threat is imaginary, please look at how many different national tax authorities have started large numbers of incorrect claims procedures against small businesses who had done nothing wrong just because the officials made mistakes with the new VAT rules and got their own records in a mess.

I'm pretty sure that most side businesses and microSaaS developers don't even know these terms.

Take the simple and common case of a startup storing personal data on an AWS-hosted service. Can you account for who at Amazon has access to that AWS instance, how many physical copies of the data may exist in Amazon's data centers, how you can assure that deleted data is really deleted, and so on?

This one's on the easy side.

The company is the controller of the data, and Amazon is the processor.

Here's Amazon's declaration and stance, stating they are GDPR-compliant both as a company (when they are the controller - of their direct customers' data), as well as then they are a processor (infra for use by others who control private data): https://aws.amazon.com/compliance/gdpr-center/

There's generally no need for a controller who relays data to a processor to understand the intricacies of the implementation on the processor's side (is deleted data really deleted ?) - what's more important is the processor's self-declaration for GDPR compliance.

The above is my personal $0.02 as I've been spending quite some time getting into GDPR recently. IANAL

If you're using AWS for your business/startup to store customer information and you don't have good answers for this already, then you aren't doing your due diligence.

To be clear, many businesses may not have good answers right now. Their response should not be "this is too much of a burden" but instead "wow, we really need to find this out ASAP".

I just read through this "Nightmare Letter" and while the cost is definitely non-zero, a conscientious startup will have the same answer for each user for almost every single point and can have a boilerplate response ready to go in those cases.

Where it gets complicated, i.e. where they buy your data from 3rd parties, I don't have a lot of sympathy for any of the complications involved. Most of the rest can be automated, not for a non-zero cost, but for a relatively low one if a startup goes in with these questions in mind, prepared to answer them when they come up.

a conscientious startup ... can have a boilerplate response ready to go in those cases

I have businesses that don't do anything shady at all with personal data, and I'd like to think we're conscientious about handling what we do have. We follow general good practice in terms of encryption, hashing passwords, and so on. We've never had any sort of request for information under existing data protection rules, nor complaints under any other regulatory regime for that matter.

So, how much time and money should we spend putting together that boilerplate, just to tick a legal box? How much of the documentation formally required under the GDPR should we actually write, given that on the evidence of several years of trading so far it has literally no value to anyone? How much should we spend on things like getting lawyers to review the contracts we have with the small number of outside services we do use, which might have access to some personal data in connection with the services they provide for us, and how often?

If you actually follow the letter of the law here, the costs of compliance would be astronomical by small business standards. There is little proportionately built into the GDPR itself, so we are reliant on regulators to introduce it, and that's not a good position to be in either legally or practically.

That's what bothers me the most about the GDPR. There's total lack of proportionality.

Here's how the potential fines are defined:

Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

whichever is greater... So since my company's turnover is order of magnitude less than €20 Million, I guess this means we can get totally buried??

Depends on who you ask. Those who trust government will tell you that you can count on the subjective enforcement not to go after you as much, and of course the good ol "don't break the law and you have nothing to worry about". The rest of us that understand government incompetence/corruption and risk mitigation would tell you that you have to weigh whether these risks are real enough to you. I would tell a non-growth-focused early stage company uninterested in locale variety with limited resources (e.g. bootstrapped company in beta) to avoid EU customers since there are only downsides.

> avoid EU customers

If anyone from the EU visits your website, and you're collecting server logs or analytics with IP addresses in them, you're now processing personal data of EU citizens and subject to the GDPR. They've written this regulation such that pretty much everything on the internet is subject to it.

How about email? If someone from the EU sends me an email, their IP address will likely be in one of the received-from headers, and will be in my SMTP logs.

Note that even if I don't have an email server, relying on my ISP to handle that, desktop email clients download the headers from the server.

A lot of small businesses have no idea that they are storing that information.

Well geo IP blocks are much easier than fetching those logs by user on request. This will happen if EU citizens overly burden companies with these letters... but not until then probably. I definitely wouldn't want to jeopardize my future EU prospects by ignoring the requests for info.

It may be a bit of an unlikely scenario, but people should remember their opinions on region-specific content blocking even if they think their region has enough leverage to make everyone bend to their will.

If I don't need an adblocker because all the adtech companies already preemptively block me, I personally could live with that and would consider the GDPR to be working as intended.

It doesn't have to come to this, at least from adtech's side.

Generally, your device is instructed via a publisher's site/app to reach out to ad tech servers either directly (firstparty), or indirectly (firstparty->thirdparty, firstparty->RTB exchange->thirdparty).

Due to the "chaining", GDPR is particularly onerous on the adtech industry. Granted all the data is keyed by semi-anonymous IDs (cookies, IDFAs, IPs), the concerns for consent, retrievals, deletions, in a cascading manner, are an industry-wide problem requiring collective action. The IAB proposed something for the RTB side, the publishers don't like it, and it'll be tense until and through May 25th :)

Having said that, nobody wants to shut-the-whole-thing-down. While all these servers may refuse service based on fuzzing the request as originating from the EU, they may also decide to serve as-best-as-possible and minimize logging of the sensitive fields - it may be better, for example, to lose some functionality for European devices (behavioural targeting, for example, the idea of showing you an ad for the Widget you just looked at over and over), than to serve nothing at all.

Who said anything about adtech companies? I'm talking about risk mitigation here, even for fully compliant companies.

Um, nope. Go ahead, try applying EU law to a US website. I run a few, by all means, knock yourself out. It's hilarious and baffling at the same time that you think the EU can write laws for other countries.

If you are selling things to people in country X, you have to be very careful if you decide to ignore X's laws for such sales. You and your company may be beyond the legal reach of X, but your suppliers and service providers might not be.

For example, if you decide to ignore tax laws in X, X might put pressure on your credit card processors to stop aiding your tax evasion. If the credit card processors respond by cutting off your ability to processes card, they might not bother just cutting you off from accepting payments from country X. They might cut you off completely. That would be pretty annoying.

That's a feature. I want to know if the people I do business with are applying laws to me that do not apply.

Too "bad" about the US dropping the TPP, I assume that was the backdoor planned for "compliance".

If you have users in the EU then the laws do apply to you, even if you insist they do not. If you don't then you have nothing to worry about.

By your logic, any country can make up a law, go to my US website, and demand I follow it.

Demand all you want, this is the point of national sovereignty.

By your logic, you should be allowed to go to Ladbrokes.com and put some cash on tonight's NBA games. I could if I wanted to, and I'm sure Ladbrokes would love to take your bets if they could. But you can't, because countries can make laws about selling to their residents. Ladbrokes blocks you, because US law says they must.

I'm sure you can rely on your site being too small for EU regulators to bother with, and I'm sure it would be hard for them to enforce if you have no operations in the EU, but the fact you ignore the laws doesn't mean they lack jurisdiction.

Irrelevant. Ladbrokes is not a US firm, I don't know, need to know, or care what their legal system is. It's entirely possible their laws require them to comply with US law, or that they have assets in the US.

A website hosted in the US, owned by a US citizen, residing in the US, is not subject to laws written in other countries.

The reason I used the example of a gambling website is precisely because the US has history of prosecuting the operators of non-US websites for allowing US residents to join. There's nothing in UK law that says they can't let Americans bet. Didn't stop US authorities arresting several bosses of EU gambling websites. If you do a bit more research you'll learn that the US uses extra-territorial jurisdiction more than anyone.


Sure, that's true. It's a different subject. If one's country allows a foreign system to operate outside of it's own legal system, it's about as strong of a sign as I can think of that the people do not actually control their government.

As a US citizen, I am strongly against our interference in other countries, but even if/when we fix that, it wont matter if the root problem is not fixed, since another outside power could do the same thing.

I'm sorry but no, it's the exact same subject. It's country A prosecuting a website in country B because they did something that's illegal in country A but legal in country B. The US does the same for copyright laws. Or is it OK if it's team America thats acting as world police?

I live in the US, _good luck_ enforcing foreign law on me.

It's a sign that the people here have the most fundamental control over their legal system. It's not my problem if country B cant do that, but I would REALLY like country B to have the same power over their legal system.

I could go into the real tests and what it means to have a legal system where the individual has so much power, and how to achieve that, but you are ignoring the distinction between enforcing foreign laws on a US citizen and a citizen of country B.

You are implicitly admitting the asymmetry, but instead of fixing country B, do you want country A to weaken it's system so that it has the same foreign influence bug as country B?

Like I said, your argument boils down to "we're American: we'll enforce our laws on everyone in the world, but if you think you can tell us to obey your laws when we sell to your country, you can F off." Which is fine: you're welcome to say that because a law is hard to enforce you won't obey it. Just don't pretend you're not breaking the same principle that your government relies upon: that if you're serving a country's residents, you must obey that country's laws.

So that's a "yes" to my question?

They can't enforce them on other countries but they can:

- Have their ISPs block access to your network

- Have their banks not process payments to you

And if you really want to generalize it to "laws" they can emit an arrest warrant: good luck ever travelling to another country that has an extradition treaty with any EU country.

They can't prevent a business in another jurisdiction from operating but they sure can prevent your business from being conducted with any EEA entities.

Very true. All that is good and the way it should be. Markets of ideas are a good thing.

Yes, so what? Did you know that as an individual, you can literally be imprisoned for decades for violating the law? Why is it so shocking that a company that violates the law can be forced into bankruptcy?

The key term there, of course, is "up to". You don't get fined the maximum amount for the smallest violation. It's a range, depending on the severity of the violation, and probably whether there was gross negligence and/or maliciousness.

There are sentence maximums for different crimes for a reason, and often people are unjustly sentenced to the maximum level. With your analogy we should just have the option to sentence everyone to life for any transgression and then just tell everyone "but they won't".

I don't understand why this is constantly handwaved away with statements that claim to tell the future. If you are correct that the violations aren't as large in some cases, that can codify it a bit better than "trust us".

To reverse your argument: without data protection laws we're just trusting corporations that they won't commit any transgression. Your "worst case" description is exactly the current scenario that we have in place being practiced by corporations who have your private data: all you have from them is "trust us".

What makes you say they aren't codified better than that?

If you look at enforcement under current regime in eg UK the ICO has never used their maximum fine.

If this is carrot and stick the stick is fucking tiny and hardly ever used.

How much personal info that you have, do you actually need? I don't know your business, and I don't particularly want to, but this is a good opportunity to review how much of the data you retain you even should be retaining.

If the amount is anything substantial, more than contact information and whatever data customers might choose to be hosting with you, then you are exactly the right target for GDPR and you should be spending whatever amount you deem necessary to avoid the fines.

It's harsh, but it is true that software and service companies in general, maybe not you, maybe not your company, are far too lax with personal info, and so now legislative bodies like the EU are choosing to address that issue, and the easiest way to be in compliance is to not have anymore customer data than you actually need so when you do get hit with a letter like the one linked here, you have a much easier time responding.

Will this strangle some businesses? Even prevent some from even getting started? Undoubtedly, but that is a trade-off I'm willing to accept in this world where every incentive is stacked against the integrity of my privacy.

Well, speaking just for my own businesses, we've always minimised how much personal data we use, and all the processing we do is for good reasons that are directly related to what we're offering as a service. This wasn't due to any legal obligations, just basic good practice in terms of security and what I consider an ethical stance regarding the privacy of our customers.

I suppose this is why I'm so frustrated by this whole issue. I have a lot of sympathy for your argument that some businesses exploit personal data in ways we might well agree are abusive, and that something needed to be done to curb that. But as someone who does try to do the right thing both ethically and legally, this is just another set of regulations that is going to cause compliance overheads for my own businesses while offering little if any real benefit to anyone in our case.

Meanwhile, if the risk of significant enforcement action against smaller businesses really is low, the door is open for competitors to take their chances and gain an advantage over us, particularly if they're not in the EU themselves. So it also seems to be a case of no good deed going unpunished.

I'm sympathetic if your practices are already good, but the balance of power between an individual and a corporation is too far on the side of corporations as things stand. This levels things out for individuals who otherwise have to depend entirely on the goodwill of corporations.

That includes you, the individual as well, and I hope it works out for you the corporation.

If you can't already answer these questions you're probably already breaking EU law.

There's been a round of companies "reconfiming" email lists "because GDPR" - but if those companies can't show clear opt-in before sending email they're already in breach of PECR.

A conscientious startup would probably not start up under these conditions. Every regulation that creates risk reduces the number of people willing to invest and enter the market.

You could say that having to follow tax regulations also reduces the number of people willing to enter any market. Should we also drop requirements for pharmaceutical companies to do their thing? I'm 100% certain we'd have thousands of new "pharmas" popping up within a short amount of time.

Obviously this is a silly simile but the point remains: certain types of business have certain regulations, in this case if a business relies on keeping your private data then they have to follow the appropriate regulations, like most other fields.

How many cures have not been discovered because of the cost of regulation? Does every regulation save lives? Please. There is a balance between serving the public interest (safety and feel good theatrics like GDPR) and what is actually the public's interest (cure to cancer, the internet, etc...).

We had bad pharmaceuticals despite regulation. As well, there are many promising (tested on few individuals) pharmaceuticals which did not survive broad clinical trials.

I don't know, would it really be so complicated for most businesses? Taking my former SaaS business as an exmaple, I would have needed to gather the required information from two sources basically:

- Our database (containing user data like login, e-mail etc.)

- Our third-party SaaS providers such as Mailchimp (e-mail address and name), Mailjet (no personal data stored directly there) and Stripe (transaction history).

Automatically pulling together the necessary information from these sources and sending it to the user seems totally doable and not overly complex.

In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.

BTW I'd be very interested to hear from people running startups how they process user data and how many different data stores / services they use to manage that data!

In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.

That in itself is reasonable, but it lacks the proportionality aspect that is so important. My own objections to the GDPR aren't about the spirit in which it's intended; while you might not guess it from my comments on HN today, I'm generally a very strong advocate of privacy safeguards. Instead, my concern is the amount of additional red tape and ambiguous obligations that the GDPR appears to be introducing for what ought to come down to simple questions like whether you are using personal data only for legitimate purposes and you are storing it safely, which plenty of us already were anyway.

I'm kinda in your boat. IMHO, GDPR needed something for small businesses. If you're doing reasonable, expected stuff with your small businesses and you reply as such to the example letter, there should be no need to use a lawyer. And it should be codified in the law, rather than relying on prosecutorial discretion.

There should be a distinct "If you adopt these reasonable policies, you are legally in compliance with GDPR".

How would you ensure that a company is only using the data for legitimate purposes without resorting to some kind of control mechanism?

We do have control mechanisms, but they are practical measures. Data of a given type is kept in one primary location with systematic backups. Processing of that data is typically done by programs that all use a specific related module in the code to access the data so they're easy to review, except for things like email where the nature of the processing is obvious anyway. Only a limited number of people have access to the relevant code or data at all, and everyone involved knows everything that is going on and could immediately describe exactly what data we store and how it is used. The privacy policy discloses our practices accordingly. What we don't currently have is a lot of the formalities that may (or may not) be required once the GDPR comes into effect.

I commend your organization: by following some good practices when it comes to data collection and storage it's already very far into the process of being GDPR compliant, it looks like all you all are missing is the documenting it part of it where the processes are clearly defined and nominating someone to be the data protection officer.

He was asking in general however, without a mechanism to control that corporations are doing what yours is already doing, how would we verify compliance?

I imagine most small companies would have you as a single joining key in a MySQL database somewhere. Most of those answers would be the same for every customer anyway.

This looks like a fantastic opportunity for startups to help automating the process.

I actually started thinking about this and have tested an idea for answering data portability requests (https://www.dpkit.com) for the German market, so far there's not much interest though.

Which aspects do you think would be interesting to automate or are particularly painful from your perspective?

I’d pay for a browser plugin that sent this to every company that attempted to set a third party cookie on my browser, but I don’t live in Europe and doubt that’s what you meant. ;-)

After this whole process of ineffectual, burdensome regulation followed by inconvenient, expensive, mediocre regulatory automation, how much better off is society?

You’re saying the following from GDPR doesn’t help?

* Data Classifications

* Privacy Impact Assessmemts

* Breach Escalations

* Access Controls

That’s more like Security 101 Basics to me.

> how much better off is society?

We should ask that to the dozens of millions of Americans who have their private data for sale even as I type this after the Equifax breach. Bonus: we can literally buy it and use that data to contact them directly and ask :)

Are you willing to bet money on there being no data breaches from GPDR compliant companies in the next N years?

Are you sarcastic or do you mean it?


Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact