Hacker News new | comments | ask | show | jobs | submit login

Having just lead the GDPR effort at my company, I disagree. It's absolutely a burden. It slows down sales and makes customer relationships more difficult and expensive. Any custom integration we do needs to have a custom data processing agreement put into place and reviewed by a lawyer. I now find myself paying lots of new fees to various places: the ITA, DPA, the Swiss data authority, and organizations like ISSA. It forced us to get a more expensive insurance policy.

On top of that, the technical controls were actually expensive to implement. The issue is not that consent is hard to revoke or that data is hard to delete. It's that everything needs to be auditable. Under a strict reading, you need to have an audit trail of every processing activity. Anytime a user profile is edited for any reason, even just an automated removal of whitespace, is supposed to be auditable and made notifiable to the user. Anytime you refresh a user's Instagram stats, you need to have an audit of that. Most companies don't go this far, but it's a huge risk to do anything less because we don't know what fines are going to look like in practice yet.

Plus the fact that we just spent $15k in legal fees going over our new privacy policy, data protection policy, updated MSA, updated order form, new user agreement, etc, I can say with confidence that it is indeed expensive and burdensome.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact