
Here's an example:

I have a profitable, bootstrapped SaaS business based in the US. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.

I've been talking to a very well known giant corporation (also based in the US, but has many global offices) for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses (various ISO certifications and such) in the contract that I, as a small company, cannot comply with. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.

The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.

This is the side-effect of GDPR.

I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.


Would you please stop copy-pasting the same thing in multiple threads? You've done it 5 times. That's particularly abusive.

It strictly lowers the signal/noise ratio of this site, meaning it's just what we don't want here.

https://news.ycombinator.com/newsguidelines.html


I think once the dust settles and it becomes clearer how the law is being handled, it is going to get easier.

My first job twelve years ago was at a company similar to yours in Switzerland. A small bootstrapped SaaS targeted at enterprise and government. Switzerland is quite serious about privacy with strict laws regarding them, but since they have been around for a long time, nobody freaked out about it. It is just part of the daily business for everyone.

I can't remember compliance with such constraints being a serious competitive disadvantage for the company. In fact after Snowden the label "Made in Switzerland" and images of datacenters in mountain bunkers became an advantage internationally.


This is how "well known giant corporations" are. They have chosen not to understand the GDPR, gotten a lawyer to state that "ISO27001 certified vendors" will not pose a risk to them under the GDPR's security requirements, and so have set policy that they cannot purchase from vendors that are non-compliant.

Their policy office is probably still busy waiting for Y2K.

It sucks, but HIPAA was exactly the same, and I heard exactly the same complaint from tiny companies back then too.

You can get ISO27001 for as little as $5k. My advice is that if you can afford it, suck it up, if you can't, offer ISO27001 on-prem installation for an extra $10k. If they walk. They walk. You can probably get them later (see below).

But see, it's important to understand that you're wrong: This isn't a side-effect of the GDPR.

This is a side-effect of capitalism: With no laws requiring that they keep personal data safe, it is to their benefit to keep the data in as insecure a form as possible.

Look at Equifax[1], who have lost control of perhaps every single American's name, DOB, SSN, and address.

Data Protection laws are designed to protect people. Eventually, people will get used to them; the dust will settle. You'll have an opportunity to explain the actual risk/reward clearly to your potential customer's CIO office because the savings/efficiency you're promising will make it worthwhile.

But right now? Too much fucking hyperbole about the GDPR for anyone to be thinking clearly.

[1]: https://www.sec.gov/Archives/edgar/data/33185/00011931251815...


It's not really a criticism of the GDPR that some companies are irrationally panicked about it.


>It's a trivial application that stores mostly already public data

So wtf are you worrying about then? Only shady companies are afraid of GDPR; the fact that you look at GDPR as a problem is a huge let down in trust for your company.


That's a gross generalization. In fact, the parent explained quite well why GDPR can become a problem for smaller companies.

It's not the law itself that matters in this case but the clients' (quite possibly wrong) interpretation of that law. As of now, GDPR unfortunately leaves a lot of room for interpretation.


GDPR has effects way beyond better user privacy. Sorry I've been pasting this in multiple GDPR related threads, but here it goes:

I have a profitable, bootstrapped SaaS business based in the US. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.

I've been talking to a very well known giant corporation (also based in the US, but has many global offices) for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses (various ISO certifications and such) in the contract that I, as a small company, cannot comply with. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.

The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.

This is the side-effect of GDPR.

I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Of course, blocking European users doesn't do anything for me since I want to do everything I can to protect user privacy.

But anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.


Wait a minute… You provide a service, and your users are afraid the GDPR could come to them?!?

Please tell me I've read something wrong. Otherwise, this is just panic induced stupidity. I expect they will grow out of it (though maybe not before you go bankrupt, which obviously sucks big time).


> Wait a minute… You provide a service, and your users are afraid the GDPR could come to them?!?

Yes.

It's not unreasonable, because GDPR has components that require vendor assurance (more or less). So the megacorp with a point-of-presence in the EU has to be cautious about what strictly-US SaaS services it uses if there's any potential for data crossing into the SaaS.

This is almost certainly exactly what GDPR is intended to do. It aims, in part, to make sure companies can't shirk their responsibilities by handing everything over to vendors who will ignore GDPR.


Ah, OK. Makes more sense now. Still, requiring ISO compliance from a small business sounds like madness. An audit ought to be enough.


Again, makes total sense from the perspective of an American legal department. They're falling back on the tools they know to de-risk vendors, which is formal certifications and accreditations. ISO, SOC, etc. The lawyers are going to be extra twitchy because of how vague and hand-wave-y GDPR is.

An actual compliance audit from an accredited auditor, paid for by the SaaS offering of course, is not going to be cheap or easy.


Depending on exactly what the service is, this makes total sense under GDPR.

The GDPR regulates both Data Controllers and Data Processors.

Suppose I'm excited to hear about Hats.example, a site that sells hats. I visit, but they don't have any hats for my ostrich. Damn. But, they do have a box where I can leave my email address "to be contacted about future products". Great, maybe they'll introduce Ostrich hats. I fill out the box.

Hats.example uses famous email deliverability company WeSpamPeople.example to ensure their marketing emails have "industry best in class reach". I soon get an email every week featuring different styles of hat, but they're all for people, disappointing.

But then, WeSpamPeople's VC runs thin, and they cut a deal with OutrightFraudAndScams.example, which tricks people into making dubious "investments" and wants a lot of "leads". Now as well as the hats newsletters I asked for but don't really care about, I'm getting stuff inviting me to invest in Venezuelan Bitcoin mining and a project to make "Green cyber-organic goats for the blockchain". Ouch.

Hats.example are a Data Controller. The GDPR says they are responsible for looking after the data that I gave to them, even if "technically" that form I filled out is a Javascript frame injected by WeSpamPeople.example, it's part of the Hats.example business, so it's their responsibility to ensure my email is not abused by a processor like WeSpamPeople.example, for example through contractual terms requiring WeSpamPeople.example to delete my email, never to send it elsewhere, etcetera.

WeSpamPeople.example are a Data Processor because they were given my email address and other details to send me "marketing" information. They have a duty under the GDPR to get reasonable assurance that this was OK with me, for example maybe Hats.example did some paperwork that promised they're legitimate and they got sign-off for these email addresses. Regardless of whether they were given terms requiring them to do so by the Data Controller, the GDPR says they have to take care not to abuse the data, for example they can't sell it to anybody, since they obviously don't have permission to do that.

OutrightFraudAndScams.example are also a Data Processor, and maybe also a Data Controller; they know they didn't have permission to touch this data, but presumably they also routinely violate all sorts of other anti-fraud or anti-scam laws. Maybe the GDPR will help add to the fines and charges and put them out of business.

[Edited: minor typos / fixes]


> But then, WeSpamPeople's VC runs thin, and they cut a deal with OutrightFraudAndScams.example, which tricks people into making dubious "investments" and wants a lot of "leads". Now as well as the hats newsletters I asked for but don't really care about, I'm getting stuff inviting me to invest in Venezuelan Bitcoin mining and a project to make "Green cyber-organic goats for the blockchain". Ouch.

Just so it's clear, you're positing that when WeSpamPeople breaks every existing contract they have, that those on the other side of said contracts are now liable?

Of course it could happen, but I don't see the EU fining those on the other side of the contract as long as they moved to another DP and alerted their users when the breach of contract was discovered. Both actions should happen regardless of GDPR.


I agree with you up to a point. Diligence is going to come into this as it does with Bribery, where again laws in one place target crime everywhere. How diligent were Hats in picking WSP to deliver email? You don't have to have done a rectal exam of every employee, but if it was obvious to half the world what was going to happen, a prosecutor might be able to get a jury to conclude Hats should have known too.


Sure, but the original comment alludes that the emailer is best in class in the industry, and not some Nigerian fly-by-night company. Obviously there is still some due diligence to do, but I wanted to spell out what was being implied so that the unlikeliness was also shown.

TBH, email is a bad example anyway because good providers are already pretty quick to boot bad actors so they don’t end up on blacklists.


It's pure FUD and panic. I think the only item most people have actually read is the 4% revenue or 20M fine, whichever is greater. It's unfortunate, but was the only way to get the Googles and FBs of the world to pay attention.


> The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. (snip) That's their interpretation of GDPR. It doesn't matter whether it's right or wrong. This is the side-effect of GDPR.

I understand it's frustrating on your side, because you have no control over the response of your customers. But understanding what GDPR is (and not falling for FUD) is why the VPs and Directors get paid the big bucks and get the fancy titles. If they can't or won't work with legal to become compliant, they should resign and let someone else do the job properly.

I'm not saying, "oh it's easy" -- it's not easy. But that doesn't make the law wrong either. And it's not OK to blame GDPR as being "bad", when those rules are mostly just putting some real enforcement around stuff all moral and ethical organizations should have already been doing anyway.


It is your opinion that the law is not "bad" because you view the positive intentions of the law as bigger than the negative unintended harmful effects it has on people exactly like the OP.

Your points don't "make the law right". In whose view? Right or wrong for whom? In his example he listed all the ways he is handling user data in a respectful way. And yet, he is still harmed by this law.

That the VP and President may be doing their jobs wrong (in your view) is no recourse for OP, he is harmed all the same.

And ... are they doing their jobs wrong? At the end of the day, they are limiting their risk. What threshold of risk of harm to their business and livelihoods would you feel is an acceptable tradeoff to comply?


It doesn't make the law right either. Also, those VP's might be doing their job perfectly and the net effect could be that they cannot share data with any non-EU companies stifling their competitive advantages.

There are many real world effects of GDPR and we are just starting to see the pros/cons of it.


If you judge a law on what its effects should be rather than what they will actually be when applied to imperfect people, plenty of terrible laws will look good.


> This is the side-effect of GDPR.

And the GDPR is the side-effect of people running hog-wild with PII etc. I feel for you but I see your situation as collateral damage of the privacy crisis.


The loudest GDPR advocates don’t care about you. 90 years ago they would have been the ones helping collectivize the farms, unintended consequences be damned.

And this law’s effects are all about the unintended consequences. Anyone thinking government regulators are reasonable and benevolent has never dealt with said regulators beyond any trivial level. To make it more fun each member country handles enforcement, so now you have a risk of 28 different interpretations of the law. It’s madness. Even if you do everything right there is still a compliance risk. It’s like HIPAA in the US — HIPAA is pretty “easy” to comply with, but the consequences are so severe that it necessarily drives up operational costs significantly. Unless Europe is a significant part of your revenue, better to block Europe and decrease your risk to near zero rather than have a potential risk of catastrophic, company-ending fines. Because the fine isn’t against profit, it’s against total, worldwide revenue. So unless your European profit exceeds 5% of your worldwide revenue, no sane person would take that risk. Even without the enforcement risk, you still have to deal with potentially hundreds or thousands of information requests — even if you are doing everything by the book.


> 90 years ago they would have been the ones helping collectivize the farms

This is possibly the strangest comment I've seen about this whole ordeal.


That part is spot on, he's showing how history rhymes. It's an example of humans historically making the same mistake of not reasoning about unanticipated consequences.


I guess they are just saying you are a communist if you like GDPR. Maybe even a Stalinist.


A large number of tech-inclined Americans believe that you're a communist if you don't consider Ayn Rand to be 'a bit left wing'.


Well said.


I have a profitable, bootstrapped SaaS business. It's not based on ads or selling data. I don't even have a freemium plan. Only a limited free trial after which you have to start paying. It's a trivial application that stores mostly already public data. Only email is required to login so that I can send password reset and other such communication.

I've been talking to a very well known giant corporation for months. The VP and director love my product and want to start using it right away for their department. But their legal team is scared shitless with 4% fines in GDPR. They are putting some draconian clauses (various ISO certifications and such) in the contract that I, as a small company, cannot comply with. That's their interpretation of GDPR. It doesn't matter whether it's right or wrong.

The VP and Director are really nice people and I've developed very good rapport with them. But I'm afraid their patience will run out soon and they'll go back to using spreadsheets. A lose-lose situation.

This is the side-effect of GDPR.

I'm all up for GDPR. I have uBlock, have blackholed all Facebook domains, etc. But don't assume that GDPR doesn't affect normal business transactions. Anyone who says, "Oh, how hard could it be?" has no idea what they are talking about.

