
I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is, but it will force companies to adopt better policies to avoid problems. Startups right now are best positioned to make the transition whereas the behemoths will be forced into significant spends on legal fees or insurance - not to mention scandals such as the Facebook debacle that has so many people up in arms.

Disruption is startup paradise.

Having just led the GDPR effort at my company, I disagree. It's absolutely a burden. It slows down sales and makes customer relationships more difficult and expensive. Any custom integration we do needs to have a custom data processing agreement put into place and reviewed by a lawyer. I now find myself paying lots of new fees to various places: the ITA, DPA, the Swiss data authority, and organizations like ISSA. It forced us to get a more expensive insurance policy.

On top of that, the technical controls were actually expensive to implement. The issue is not that consent is hard to revoke or that data is hard to delete. It's that everything needs to be auditable. Under a strict reading, you need to have an audit trail of every processing activity. Any time a user profile is edited for any reason, even just an automated removal of whitespace, it is supposed to be auditable and made notifiable to the user. Any time you refresh a user's Instagram stats, you need to have an audit of that. Most companies don't go this far, but it's a huge risk to do anything less because we don't know what fines are going to look like in practice yet.

Plus the fact that we just spent $15k in legal fees going over our new privacy policy, data protection policy, updated MSA, updated order form, new user agreement, etc, I can say with confidence that it is indeed expensive and burdensome.

I have seen this narrative parroted quite frequently, but it's false. GDPR isn't as crushing as people currently feel it is

You’re saying this based on what exactly? Have you actually been in charge of trying to comply? I have. For us, it was going to be a 7 figure endeavor (upfront, and then 6 figures/yr for ongoing compliance, insurance, etc.) and we are pretty small (a few million visitors/mo spread across several sites). We made the decision to just block EU traffic, even though we have been advised that GDPR probably doesn’t apply to us anyway. I can’t have one of the 28 countries that GDPR applies to randomly decide that it applies to me because they’re a little short on tax revenue that month, then have an expensive legal fight that will end in a multimillion-dollar fine anyway.
