
I have read the law, read the guidance, been through the GDPR compliance process for a data-heavy product, have talked to lawyers about the same, and my partner has drafted GDPR policies for several large tech firms. I don’t know everything, but I’m reasonably well-informed.

I’m confident that compliance is:

- Straightforward for any non-tech firm;

- More complex but not that hard for most tech firms that handle data;

- Far more complex for large organisations than small ones;

- Basically only a real problem for fly-by-night tech companies that want to operate by reselling personal data.

I’m not sure what your motivations are in making it seem disproportionately burdensome to comply with, but I don’t think they’re good.




I completely disagree. Implementing GDPR compliance should be straightforward for most startups and small businesses. Much easier, in my experience, than doing so at a large company.

I absolutely agree though, this argument is extremely weak, like a developer being asked to step outside their comfort zone locking up and declaring something to have unknowable levels of complexity so they don't even have to try.

The GDPR is extremely easy to understand. It's not always trivial to comply with, because we all know that enterprises are held together with instant glue, a networking VM in a basement nobody has logged in to for 10 years, at least 3 layers of management between a DPO and feature teams and one all-knowing employee everyone hopes will never leave or take too much vacation because things will slowly crumble in their absence. It's pretty hard to be absolutely compliant in that environment. But if you're a startup, or even solo? You can absolutely design your app to not have these issues in the first place.


I just want to add for the record that I am not myself a fan of very complicated principles-based legislation (which GDPR is). It is not easy to comply with and it has clear drawbacks.

But now we have GDPR I wanted to state facts (as I understand them) so people can get a more nuanced view of what to expect and hopefully help them with how to deal with compliance in a reasonable manner.


I’m sorry, I have a great deal of difficulty believing this.

There are essentially no situations in which GDPR compliance should be particularly onerous. The principles are pretty simple, and while it will take some time until there is clarity on edge cases, most actions required should be straightforward.

I’d be fascinated to know what product you build that is so inextricably tied to user data that it will cost “millions” to comply.


I looked up information on how to legally comply with GDPR and it's a lot more complicated than you're making it out to be. You have to show regulators the well-defined pipeline for any personal data, and justify to them why that data is being collected.

There are also extra procedures you have to follow that could be really complicated depending on the business. This is even worse for small businesses. I can definitely understand those people who want to just wash their hands of it, especially if they don't get much business from Europe.


I mostly agree with you, but the penalties for non-compliance are so staggeringly large, the requirements are so vague, and the EU's love of fining American tech companies is so great that I'd be awfully nervous about GDPR if I were a large American tech company.

GDPR is a boon to large tech. The more complicated the compliance the bigger the advantage for large firms.

I'm running a small startup and finding GDPR compliance is small beans compared to the tax code and employment law, both of which we have no trouble complying with.

There's a lot of uncharitable talk in this thread, where comments like yours assume bad intent on behalf of businesses who find GDPR compliance challenging. It's a giant body of regulatory law, of course it's complicated! The GDPR probably _isn't_ hard to deal with if you don't actually care about privacy; it's easy to just not follow the law and hope you don't get caught. But if your company respects individual privacy, and collects personal data only with a lawful basis, and needs to make assurances to its customers that all the regulations are being followed, there's a lot of work you have to do to demonstrate compliance, and many specifics (for example, with regards to personal data erasure in backups and archives) are completely unspecified. How uncomplicated is that issue?

It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.

It's not rocket surgery but it's also not trivial. Every time GDPR comes up on HN there are always people saying something very similar to "GDPR compliance is easy if you don't do dodgy stuff" and implying that anyone who thinks it's not a trivial matter must be doing something bad. This is dismissive and often seems to be based on wishful thinking about what these contributors wish the regulatory requirements said instead of what they actually do say.

The GDPR is nearly 100 pages long, in the standard English language printed version, just for the main document without all the supporting material or any additional material published by the individual regulators.

It contains ambiguities that invite broadly applicable questions like what "legitimate interests" actually means in practice.

It contains requirements to document various information and processes and to share that documentation with various parties under various conditions.

It contains provisions that could potentially conflict with other good practices (for example, the use of tamper-proof data structures for auditing or the use of diverse backup strategies for resilience), again with ambiguous guidance, if any, on how to reconcile competing good intentions. You can argue that this point is a stretch because it's unlikely any regulator would actually go after a data controller or data processor that was obviously doing reasonable things and trying to comply, but we are talking about legal obligations, and the penalties that can be imposed are an existential threat to any small business, so I think caution is fair here.

Ask a lawyer -- a real one who is an expert dealing with these kinds of regulatory compliance all the time -- how easy it is for any organisation to be sure it is fully compliant in this kind of environment, even if it has no interest in doing anything that anyone is actually likely to object to, and even if the people responsible for running it have nothing but good intentions. I doubt you're going to see the kind of one-sentence "It'll all be fine, just don't do anything dodgy" reaction we often see posted in HN discussions about the GDPR.


While I agree with your last 2 paragraphs I don't agree with the rest. I have a small team (2 full-time devs and a designer) and we have no problem achieving GDPR compliance.

No. Compliance with GDPR for a small company is relatively straightforward if you aren't doing anything shady with private data. It's not even an unknown.

So you consider it a big burden to a startup, to do business according to the GDPR? I'm no expert on the matter.

If that's all it was, it would be easy. The problem is that GDPR compliance is a negotiation with lawyers and an ongoing threat of lawsuits for any perceived misstep. It means maintaining a legal entity (your Data Privacy Officer) who either reviews everything or who sets internal policies (both approaches have risks). For some companies it is worth it. For some it is not.

It only seems complex because everyone has been implementing user-hostile datamining operations for years before GDPR was enacted. So for every external service you use, you must check whether or not they have implemented GDPR compliance. If GDPR had been a law since the beginning, it would be much simpler.

Although I'd like to know, what difficulties have you been facing in your startup, exactly?


For various reasons I am and have been deeply embedded inside the process of making a medium-large sized business (if you really look you may be able to figure out which one it is - in case you do: My opinions are my own and do not reflect those of my employer in any way, shape or form) GDPR compliant. I have heard proper lawyers explain the terms to different kinds of people and found their conclusions match my own, coming from the literature. I feel like that allows me to talk a little bit about what this legislation means.

Given what you have said, perhaps the literature is not as obvious as I thought. As far as this model is concerned, it would not be compliant with the law as I read it and as I have had it explained to me. I don't deny that a party with enough money might be able to muscle a reading into existence that allows them to do this anyway, but that is I think an established risk of the legal system. For now we must operate with the law as written and broadly interpreted inside the EU.


I'm mostly for privacy laws and recognize the importance. But I am also a data scientist and I have been involved in corporate compliance with GDPR for relatively small businesses, and it is definitely a pain.

Maybe even more so for those small businesses who perhaps just want to send out a newsletter. That compliance is pretty expensive, and it contributes only very little to the individual privacy.

Again, I'm mostly in favor of privacy regulations, but gosh, it's annoying at times!


Everyone has to comply with the GDPR, it's just that bigger companies have extra requirements to fulfill.

I work for a startup in the EU and will be affected by GDPR. It's a nuisance but not a disaster. In fact, any small company that really can't employ good enough processes to comply is probably doing something very, very wrong.
