The local startup community is great. There's certainly not as much venture capital available as in Silicon Valley but first not every startup needs extensive funding and secondly the availability of VC has been improving in recent years, too.
There's more red tape involved in setting up a company than there is in other countries but you only have to go through that once.
However, GDPR currently creates a lot of uncertainty. Unfortunately, we'll have to wait and see how that works out in the end. Maybe everyone involved will act reasonably and it'll prove to have been a storm in a teacup, but it's really too soon to tell.
So, on those grounds I can't really recommend Europe and Germany in particular right now.
If you have an ethically sound company and comply with these rules you have nothing to worry about.
Berlin is awesome, I'd choose it over Amsterdam (I'm Dutch) because of the insane rents. I've also heard good stories about Krakow and Bucharest.
However, the implementation of these laws so far has been less than stellar, to say the least. There's a lot of room for interpretation and some rules are left vague - sometimes intentionally in order to avoid having to constantly update the regulation. Given the huge, potentially ruinous fines associated with GDPR you'd want laws to be as explicit and as specific as possible in order to avoid ambiguity and profiteering.
What's more, different European countries have implemented GDPR differently - or not at all. Privacy (or the lack thereof) - in the EU of all places - shouldn't be a competitive advantage or a bargaining chip.
How is it creating any uncertainty? Just make sure you use opt-in and be ready to scrap the data.
Even if you are doing business in the U.S. and want to have EU clients you have to take GDPR into account. How is it related to Germany or Berlin?
- have data processing agreements with every 3rd party that processes personal data for them
- document technical and organisational measures with regard to privacy and security
- have records of data processing activities
While these are useful - GDPR or not - many aspects of those are left intentionally vague. In the past few months, data protection experts and company owners alike have been racking their brains as to how to implement the details entailed by those requirements.
A government spokesperson has only just recently been quoted as saying that although there's "some uncertainty" regarding the implementation of the new regulation, the government doesn't intend to do anything about that right now but rather wants to wait and see how civil servants and courts are going to interpret the new law. In my opinion, that's a recipe for disaster waiting to happen.
On top of that, Germany is particularly notorious for its 'liberal' regulation regarding cease-and-desist letters. There's a whole industry of shady lawyers that make a living by sending these out en masse to small companies that supposedly don't comply with regulations such as the equally notorious legal notice requirement for websites. They're perhaps already waiting with bated breath because GDPR opens a whole new 'market' for them.
Many of my fellow entrepreneurs are worried about this right now and these are people who are both well-prepared and normally not easily spooked by bureaucracy.
It's odd to me that, in the lead up to GDPR, so many people are making these exact same FUD-like arguments on the exact same kinds of questions, worded in remarkably similar English (down to agreeing that the law could be a good thing), on a variety of social sites. It makes me wonder if I'm watching a foreign power trying to undermine the EU.
> In the past few months, data protection experts and company owners alike have been racking their brains as to how to implement the details entailed by those requirements.
If this is true, they're not experts. Or rather, they're the kinds of experts who say they're experts on Twitter. Nothing in GDPR is particularly complicated.
Many of the questions the owners of these companies are facing right now haven't even been considered by legislative bodies. These are questions such as:
- How will I be able to operate my small company website in the future in a legally compliant manner? Some companies even consider turning off their websites completely and - of all things - only use a Facebook page in the future. Hence, ironically, we might very well see GDPR actually benefitting companies like Facebook to the detriment of small companies that consequently won't have complete ownership of their content anymore.
- In which way will I still be able to store data for contacting my existing B2B customers (such as email addresses and phone numbers)?
- Will I still be able to use anti-spam and security plugins for my website? These tools might store users' IP addresses, which in some jurisdictions are considered personal data.
Dismissing these very real concerns by very real people as FUD or even suggesting a foreign power might be trying to undermine the EU is nothing but a preposterous conspiracy theory.
This isn't much of an argument - every single law that impacts a business falls into this category. Tax law is the classic example. If you happen to own a huge company, you'll have more resources with which to comply with regulation. The tradeoff is that as your company size increases, the chances that a bad actor is doing something fucked up that your compliance team won't find out about until too late increase. That's just how business works.
Nor do I find small business owners struggling to remain compliant a particularly compelling argument. I'm a Canadian small business owner and yet I've managed to educate myself about GDPR. Hell, GDPR has been around in draft state for six years and there are tons of very well written resources available. The process of learning GDPR has been quite pleasant.
And then, I add in the facts that GDPR isn't even a particularly big change and that again, these are all fundamental ways to protect your clients, I have even more trouble feeling the pain.
Specifically consider these concerns that you cited. When I copy/paste your questions into Google, add an occurrence of "GDPR" and search, I get solid answers on the first page.
What exactly worries you here? If you could be more specific I'd be happy to try and answer your questions.
The GDPR provides a list with the information that you need to provide to a subject when processing his/her data (also look at the other articles of the same section):
I think a simple text with clearly stated information is sufficient and I don't think that you'll get sued if you ensure that the information is accurate and complete, which shouldn't be too difficult for small websites.
> - In which way will I still be able to store data for contacting my existing B2B customers (such as email addresses and phone numbers)?
In a nutshell, you will need either their consent or a legitimate interest (as you do now as well): https://gdpr.dpkit.com/gdpr/chapter-ii/article-6.html
Communicating with your existing business partners (e.g. to inform them about new products or ask them for feedback) is a legitimate interest so you can still contact them without asking for permission first. They can tell you to not contact them again though (which isn't really new either).
> - Will I still be able to use anti-spam and security plugins for my website?
Yes, spam protection and security are legitimate interests and even required to comply with the GDPR (reasonable technical and organizational measures), so you are allowed to process and store IP addresses for that as long as the processing is commensurate (i.e. you should store the addresses for a limited amount of time and delete them as soon as you don't need them anymore). Here the GDPR is very similar to the BDSG as well in the sense that it allows processing of personal data if there's a legitimate interest, and ensuring the security and integrity of your service is a highly legitimate interest that can override many of the normal restrictions imposed by the legislation.
Hope this clarifies some things, would be happy to hear about your other concerns / questions as well!
If GDPR was that simple and clear these questions shouldn't even come up. There are a lot of people like yourself who try to help others but there's only so much we can do.
I agree with everything you said on the matter. However, even lawyers, data protection experts as well as officials and high-ranking civil servants seem to disagree on at least some of these points, which doesn't really help with reassuring people.
But then also, we just need AWS, payment processing (Stripe) and a bank account.
24/7 power, high-speed internet, hardware.
Every service is dirt cheap compared to the US.
Hookers are beautiful.