Hacker News
by Analemma_ 3051 days ago
We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones. As much talk as there has been about the effects of GDPR on huge companies, the fact is, they're not too concerned: they have enough lawyers to throw at the legal issues and enough engineers to throw at the technical issues. Smaller companies without these resources are going to see their lives get harder.

This is a pattern you see across a lot of regulation, even when perfectly well-intentioned: it tends to favor giant companies over smaller ones, because the big ones can devote lots of manpower to the complicated legal and technical challenges the regulation sets up. That might be a worthwhile tradeoff, but it's not the same as saying "the winners are everyone".

3 comments

Why do you equate technology startups with startups that finance themselves with private data (mis)use?

Instead of taking profit out of private data one has, it's possible to charge for the service. Alternatively, one can use the data to finance the business but also follow the rules and regulations. I don't see the big issue here.

> Why do you equate startups with startups that finance themselves with private data?

Every piece of regulation is another headache for a business.

Take for example the combination of GDPR + backups.

If you have enough technical manpower, you can change the backups.

If you have enough legal manpower, you can argue that changing those backups counts as 'unreasonable'.

If you have neither you have a headache.

Don't forget that even usernames and IP addresses are part of the personal data that the GDPR covers. Are you sure those are not present on a hard disk collecting dust somewhere?

I see zero chance for the argument that it would be unreasonable to adjust backups. Either they are adjusted, or they violate the law, period.

Software projects like apache2, nginx, or your favourite website framework should adapt to the GDPR to make it easier for those who use them.

How things will turn out is not settled yet. If you are a small company not focused on handling private data, and you continuously work on compliance in a documented way, then I see little you must fear.

Usually, if your business is handling private data of others, then you must simply know exactly what you record where, and what you don't record. That is an essential part of your business.

> If you are a small company not focused on handling private data

I'll repeat myself a little bit: IP addresses and user names are also private data.

Please provide me with an example of an IT business that doesn't deal with private data. No real names, no user names, no IP addresses.

I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.

> continuously work on compliance

That's the big part of the headache. Even if you're a one-man shop, you have to spend time and effort to get informed and deal with it. Multiplied by all regulations that might affect your business.

> No real names, no user names, no IP addresses.

Well, don't record IP addresses in the first place? Or if you need IP addresses for protection against technical attacks like DDoS attacks, then delete them as soon as possible.

What is so difficult about deleting a real name and a user name stored by you if the owner of that account asks you to?

> I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.

Common sense says that data on documents you are legally required to store, like for example invoices, is exempted from deletion during the legal storage duration. After that, why not anonymize them or delete them completely?

Things become pretty easy if the default becomes not storing any data, and only make exemptions from it after careful consideration if it's really needed, what private data it contains and how it has to be handled based on that.

Data is not just a resource, it is also a liability.
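The two practices this comment argues for, keeping full IP addresses only for a short abuse-triage window and honouring a deletion request for a named account, as an added example that is not part of the thread. The log format, the 24-hour window, the /24 and /48 truncation prefixes and the sample lines are all constructed assumptions; a real deployment would pick its own window and would also have to reach records in backups.

```python
"""Data minimisation for an access log (constructed example, not from the thread).

- Full client IPs are kept only while they are still useful for DDoS/abuse
  triage; after RAW_IP_WINDOW they are truncated to a network prefix.
- A deletion request for an account removes the username from every record.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import ipaddress

# Assumption: full addresses are only needed for a day of abuse triage.
RAW_IP_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime
    client_ip: Optional[str]   # full address, a network prefix, or None
    username: Optional[str]
    path: str


def truncate_ip(ip: str) -> str:
    """Reduce an address to a coarse prefix (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def apply_ip_retention(records: List[AccessRecord], now: datetime) -> List[AccessRecord]:
    """Return records with every full IP older than RAW_IP_WINDOW truncated."""
    out = []
    for r in records:
        if r.client_ip is not None and "/" not in r.client_ip and now - r.ts > RAW_IP_WINDOW:
            r = replace(r, client_ip=truncate_ip(r.client_ip))
        out.append(r)
    return out


def erase_account(records: List[AccessRecord], username: str) -> List[AccessRecord]:
    """Handle a deletion request: strip the username from every matching record."""
    return [replace(r, username=None) if r.username == username else r for r in records]


def parse_line(line: str) -> AccessRecord:
    """Constructed format: '<iso timestamp> <client ip> <username or -> <path>'."""
    ts, ip, user, path = line.split(" ", 3)
    return AccessRecord(datetime.fromisoformat(ts), ip, None if user == "-" else user, path)


# Constructed sample log lines (documentation IP ranges only).
SAMPLE_LINES = [
    "2018-05-25T11:30:00+00:00 203.0.113.7 alice /login",
    "2018-05-24T10:00:00+00:00 198.51.100.23 bob /index",
    "2018-05-23T09:00:00+00:00 2001:db8::1 - /api",
]
NOW = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)


def load_sample() -> List[AccessRecord]:
    return [parse_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    records = apply_ip_retention(load_sample(), NOW)
    records = erase_account(records, "alice")
    for r in records:
        print(r.ts.isoformat(), r.client_ip, r.username, r.path)
```

Running the sweep periodically means the dataset of full addresses never grows beyond one window, so there is little to delete later; the deletion request then only has to touch the identifiers the business actually chose to keep.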

> We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones.

Or it may be a great opportunity for them to differentiate by developing non-privacy-invading business models, protected from being undercut by "free" (because we sell your data) competitors.

We already know that at least some small US companies can't justify the cost of compliance, even if it means cutting out the EU.

https://news.ycombinator.com/item?id=16114530

Well that's ... kind of the point, isn't it? If they're not going to be compliant and respect our privacy, or even if they kind of would like to be sort of privacy-respecting in a sense except that their business model precludes them from actually being able to be compliant however since business models are rather subject to change especially with the SV "get venture capital and break stuff" mentality, such that even the "in a sense" part is exceedingly likely to become unjustifiably cost-inefficient as soon as the business gets big enough to believe they can get away with it (like, you know, Facebook, Google, etc), ... then, good riddance, right?

I mean, just because a company believes they can claim to "respect your privacy" without actually being compliant with the EU regulations specifying they should do such, let's call it a cultural difference then.