[sobani]

Why do you equate startups with startups that finance themselves with private data?

Every piece of regulation is another headache for a business.

Take for example the combination of GDPR + backups.

If you have enough technical manpower, you can change the backups.

If you have enough legal manpower, you can argue that changing those backups counts as 'unreasonable'.

If you have neither you have a headache.

Don't forget that even usernames and IP addresses are part of the personal data that the GDPR covers. Are you sure those are not present on a harddisk collecting dust somewhere?

[madez]

I see zero chance for the argument that it be unreasonable to adjust backups. Either they are adjusted, or they violate the law, period.

Software projects like apache2, nginx, or your favourite website framework should adapt to the GDPR to make it easier for those who use them.

How things will turn out is not settled yet. If you are a small company not focused on handling private data, and documentedly continuously work on compliance, then I see little you must fear.

Usually, if your business is handling private data of others, then you must simply know exactly what you record where, and what you don't record. That is an essential part of your business.

[sobani]

> If you are a small company not focused on handling private data

I'll repeat myself a little bit: IP addresses and user names are also private data.

Please provide me with an example of an IT business that doesn't deal with private data. No real names, no user names, no IP addresses.

I haven't looked in to this example, but I suspect even the name of a client on a bill would be subject to the GDPR.

> continuously work on compliance

That's the big part of the headache. Even if you're a one man shop, you have to spend time and effort to get informed and deal with it. Multiplied by all regulations that might effect your business.

[madez]

> No real names, no user names, no IP addresses.

Well, don't record IP addresses in the first place? Or if you need ip addresses for protection against technical attacks like DDOS-attacks, then delete them as soon as possible.

What is so difficult about deleting a real name and a user name stored by you if the owner of that account asks you to?

> I haven't looked in to this example, but I suspect even the name of a client on a bill would be subject to the GDPR.

Common sense gives that data on documents you are legally required to store like for example invoices are exempted from deletion during the legal storage duration. After that, why not anonimize them or delete completely?

Things become pretty easy if the default becomes not storing any data, and only make exemptions from it after careful consideration if it's really needed, what private data it contains and how it has to be handled based on that.

Data is not just a resource, it is also a liability.