GDPR compliance checklist (gdprchecklist.io)
146 points by gcatalfamo 9 months ago | 30 comments

This is very useful, thank you.

One request I have (to anyone out there who is listening) is a checklist focused on common small business tools and workflows.

For example, if I use Google Analytics on my website, or I advertise on Facebook and use the Facebook tracking on my website, do I need to do anything to be compliant? Same question for Mailchimp mailing lists, Square payments, Shopify e-commerce, etc. I get these questions from friends and clients all the time, and I struggle to give them a clear answer. I'm sure specialized consultants could, but small businesses often can't afford those.

Most of the resources I see are either aimed at larger companies, or tech startups. But the people most badly in need of guidance are neither.

> if I use Google Analytics on my website, or I advertise on Facebook and use the Facebook tracking on my website, do I need to do anything to be compliant

If you use these you can do two things:

1. avoid sending GA events with user data in them (e.g. user ID).

2. ensure your site doesn't have pages containing personal data in the URL path

Squarespace, Shopify, MailChimp, as hosts, should be providing their own customers with guidance for each case.

Unfortunately, as far as I've seen from Google, the guidance they're providing on GA seems to basically amount to "if you use our service, it's your responsibility to audit what you send to us", and not much else. Which is... disappointing but unsurprising.
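The two steps listed in the reply above (keep user data out of analytics events, keep personal data out of the reported URL path), as an added JavaScript example that is not code from the thread or from gdprchecklist.io. The field names, query keys and regular expressions are assumptions for the demo; the `send` callback stands in for whatever analytics call a site actually uses.

```javascript
// Added example, not code from the thread or from gdprchecklist.io.
// Scrubs personal data out of (1) analytics event parameters and (2) the
// page path before either is handed to a third-party analytics library.
// Field names, query keys and patterns below are assumptions for this demo.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
const LONG_NUMBER_RE = /\b\d{6,}\b/g; // account, order and customer numbers

// Query-string keys and event fields that carry identifiers (assumed lists).
const SENSITIVE_PARAMS = new Set(['email', 'user_id', 'userid', 'token', 'name', 'phone']);
const SENSITIVE_FIELDS = new Set(['userId', 'user_id', 'email', 'name', 'phone', 'ip']);

function decodeSafe(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Replace values that look like personal data with fixed placeholders.
function redactString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(UUID_RE, '[uuid]').replace(LONG_NUMBER_RE, '[id]');
}

// Step 2: make sure no personal data reaches the URL path that gets reported as
// the page view. Works segment by segment on the decoded path and replaces the
// values of known-sensitive query keys wholesale (the key is kept so reports
// stay comparable across visits).
function sanitizePath(pathWithQuery) {
  const q = pathWithQuery.indexOf('?');
  const path = q === -1 ? pathWithQuery : pathWithQuery.slice(0, q);
  const query = q === -1 ? '' : pathWithQuery.slice(q + 1);

  const cleanPath = path.split('/').map((seg) => redactString(decodeSafe(seg))).join('/');

  const cleanParams = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      cleanParams.push(`${key}=[redacted]`);
    } else if (eq === -1) {
      cleanParams.push(key);
    } else {
      cleanParams.push(`${key}=${redactString(decodeSafe(value))}`);
    }
  }
  return cleanParams.length ? `${cleanPath}?${cleanParams.join('&')}` : cleanPath;
}

// Step 1: drop user-identifying fields from an event before it is sent, and
// redact free-text fields that may contain an address or an ID number.
function stripUserData(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (SENSITIVE_FIELDS.has(key)) continue;
    clean[key] = typeof value === 'string' ? redactString(value) : value;
  }
  return clean;
}

// Thin wrapper around the site's real analytics call (passed in as `send`),
// so both scrubbers run on every event. Returns the payload that was sent.
function trackEvent(send, name, params, pathWithQuery) {
  const payload = { ...stripUserData(params), page_path: sanitizePath(pathWithQuery) };
  send(name, payload);
  return payload;
}

// Constructed sample run: a user ID in the event and an e-mail plus an order
// number in the path, all of which should be gone from what gets sent.
const sent = [];
trackEvent((n, p) => sent.push([n, p]), 'page_view',
  { userId: 4711, plan: 'free', note: 'asked by alice@example.com' },
  '/users/alice@example.com/orders/12345678?ref=home&email=bob%40example.com');
console.log(JSON.stringify(sent[0]));
```

The allow-by-default treatment of unknown keys is deliberate for a demo; on a real site the safer default is to forward only an explicit allow-list of event fields and run `sanitizePath` on every reported path, since the thread's point is that the site owner, not the analytics vendor, is the one auditing what goes out.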

UI feedback: The "Select your organisation's role" widget is confusing. The phrasing suggests you click on the role you have, but then that gets un-highlighted, suggesting I just removed it from the set of roles my organization has.

Should just be a checkbox, yea.

Really nice idea. What immediately jumps out is there are checkboxes for tasks that don't apply to everyone. For example, most companies won't need a Data Protection Officer (DPO).

Still, the world needs more clarity on GDPR, and this helps.

Yes, in my point of view the checklist is wrong there!

I agree, and not only that, our solicitors advised us that by appointing a DPO when it's not needed we assume the responsibilities of companies who do need a DPO.

In other words, if you don't need a DPO you definitely shouldn't just appoint somebody because that feels like the right thing to do.

> you should assign a representative in one of the member states for your business. This person should handle all issues related to processing.

Am I reading this wrong? It seems like if every country adopted laws like this, you would need to have ~200 different representatives across the globe to have any kind of online business.

Would this mean hiring local companies to rep you like registered agents? Sounds super prohibitive to small businesses. Also seems if true to be a decent business opportunity.

It's like handling mail to abuse@<domain>. You sort of have to do it, but no one forces you to have different employees handle mail to abuse@<each domain>, or to have people in different countries do it. The people who force you to handle abuse@<domain> may or may not have the power to make you do it, which is another similar aspect.

What you can not do is answer the phone and say "uh, I'm not sure who's in charge of that... let me put you on hold..."

"one of" is different from "each". Which is the law?

A Question: is there a way to block your website from being rendered in Europe, if you aren't sure if you comply with GDPR?

The decisive factor for GDPR is whether you offer your service in the EU, not where users are (technically) accessing your service from. Think of an EU resident using a US VPN, thus having a US IP address.

What about a company which offers a worldwide service, but whose market is 99.99% outside Europe?

I run a site targeted at North Americans. However, each year I usually get 1-2 sales within Europe (mostly UK), and a very small number of visitors from EU countries.

If you are processing data of EU residents that you are offering business to, then they can hold you accountable for GDPR violations. This also applies to the UK, as the UK is (still) part of the European Union.

I see. I'm assuming "processing" includes stuff like including it in Google Analytics reports or having a database of EU users who signed up for a free account.

EU is basically inconsequential revenue for me. What would be the minimum required?

1. Shut off sales to the EU, or

2. Shut off free account creation and/or email list signup for the EU, plus shut off Google Analytics for the EU, or

3. Block all EU IPs

It's not worth figuring out how to comply. I make less than $500 from the EU each year.

"Ignore it" doesn't seem like a good move as the fine is very large.

It’s hard to give general advice without knowing your specific situation. Ignoring GDPR has serious risks, though, as you already said.

In my company (Germany) we work together with an external data protection officer, who was of great help for us dealing with the GDPR requirements. So maybe you find it worth talking to one, just to get a better understanding of the matter.

I'm Canadian. It sounds like the GDPR affects business globally though.

You could use an IP -> geo lookup, and block EU countries.
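The IP-to-geo block suggested in this comment, as an added example that is not code from the thread. The address ranges are constructed placeholders taken from documentation address space (RFC 5737) and stand in for a real GeoIP database; the `geoBlockDecision` function and the labels are assumptions for the demo. As another reply in this thread points out, a visitor on a VPN defeats this kind of check, so it reduces rather than removes exposure.

```javascript
// Added example, not code from the thread. A request-time geo block based on
// IPv4 address ranges. The ranges below are constructed placeholders from
// documentation address space (RFC 5737); a real deployment would load them
// from a maintained GeoIP database instead.

const BLOCKED_RANGES = [
  { cidr: '203.0.113.0/24', label: 'placeholder EU range A' },
  { cidr: '198.51.100.0/25', label: 'placeholder EU range B' },
];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// True when `ip` falls inside the CIDR block: compare the network bits under the mask.
function cidrMatch(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Decision for one request: HTTP 451 ("Unavailable For Legal Reasons") for a
// blocked range, otherwise let it through. This demo only understands IPv4 and
// fails closed on anything it cannot parse, so a malformed or IPv6 client
// address is refused rather than silently allowed.
function geoBlockDecision(clientIp) {
  try {
    for (const range of BLOCKED_RANGES) {
      if (cidrMatch(clientIp, range.cidr)) {
        return { blocked: true, status: 451, reason: range.label };
      }
    }
    return { blocked: false, status: 200, reason: null };
  } catch (e) {
    return { blocked: true, status: 451, reason: `unparseable address: ${e.message}` };
  }
}

// Constructed sample requests.
for (const ip of ['203.0.113.77', '198.51.100.200', '192.0.2.1', 'not-an-ip']) {
  console.log(ip, JSON.stringify(geoBlockDecision(ip)));
}
```

In a real server the client address would come from the socket, or from a proxy header only when the proxy in front of you is trusted to set it; the CIDR list would be regenerated whenever the GeoIP source updates.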

Would it suffice to post a popup in your UI, "This website is not certified for the EU. If you are in the EU, you MUST NOT use this website. Click HERE to certify that you are not in the EU"? Or are website operators responsible even if unauthorized attackers hack into their system and leave a "personal data" trail?

If you do not visibly offer services in the EU you don't have to comply with GDPR.

There are few examples in the law of what visibly means, such as having prices in euro or having EU contact numbers...

Would having a run-of-the-mill SaaS where users can sign up from wherever mean that you have to comply?

I would say no, but I am not a lawyer and there are really no precedents for this at current time.

This is really nice.

Two notable points:

1. It is relatively short and well-categorised. I've seen scare-mongering blogposts exhaustively listing all the worst-case edge cases you could possibly have to consider, whereas this is a common-sense high-level overview.

2. There are links to relevant articles on each point to provide quick clarity. For example: "Your company has appointed a Data Protection Officer (DPO)" links to Article 37 which clarifies that this requirement is only for "public authority or body"; "regular and systematic monitoring of data subjects on a large scale"; or "processing on a large scale of special categories". Other similar clarifications for the other points are helpful too.

If I got a potential customer that was in the EU, I would simply not do business with them to avoid anything to do with GDPR. As a small business owner, I don’t have the resources or time to devote looking into anything related to GDPR. I guess GDPR is mostly targeted at larger companies? Anyone else feel this way?

Can you be exempted or protected from the GDPR by asking your users to explicitly certify that your service is not being rendered in the EU? The EU is annoying, skittish, and expensive to do business with, so for some businesses I can imagine it's just not worth the hassle.

If in the future you want to expand to the EU, and can afford it, it would be nice not to already have a bad relationship with their regulators.

What's the point of a checklist that says things like this? (It's a GDPR issue, not the checklist's.)

“When providing services to children, the privacy policy should be easy enough for them to understand.”

How do you explain to a 7-year-old how you handle data in MySQL (which is mentioned in another point), or how do you do it for a 13-year-old? Actually, how do you do it for a 33-year-old?

I'd love to see examples of this.

"We keep your email and its password so we can tell who you are when you visit again. We also keep your email in case we need to contact you, in case people see your information who are not supposed to."

You are conflating unrelated points. No one said you need to explain MySQL in your privacy policy for adults either. They are talking about using common-sense language, not legalese.

Glad something like this turned up.

A productive approach to a real problem people have.
