[boggio]

God damn it EU, all these regulations make it impossible for small companies, indie developers to cope with all the bureaucracy.

The VAT for digital products, now the GDPR.

10 more years of regulation and you will spend 90% of the time working on implementing legal requirements and 10% on the actual product.

[lucideer]

GDPR—while vastly different to what has become the defacto standard practice in most companies—is largely simple, basic, common decency and common sense. My very tiny startup won't have any problems complying because we've actually given a smidgen of consideration to our users' privacy up until now.

In fact, I foresee it being a much greater tax on large corporations: the work in GDPR is not compliance—that's relatively easy once you have procedures in place—the real work is converting existing non-compliant systems to bring them into compliance. This is going to be much easier for those maintaining relatively small, simpler systems, and easiest of all for brand new startups.

[davnicwil]

From what I have seen and understood about the regulations and the spirit of them this is basically right.

If your system was intentionally designed with both privacy and the ability for users to own their data (i.e. edit & hard delete whatever, whenever for any reason) in mind, then GDPR should be essentially complied with already 'out of the box'.

If this was not the case, either for cynical reasons, simple disregard for the importance of these things, or a decision to not prioritise these things in favour of shipping more features faster, and you just essentially slapped a checkbox with some legal copy over your signup process and thought you were done with all that pesky user data privacy stuff, well, you're in for a pretty bad time now.

Maybe my reading of it the regulations is naive and it won't be so easy in the first case and will be easy to subvert anyway in the second case. But if not, to be perfectly honest it seems just like what good regulation should do - incentivise good behaviour - allowing businesses that behave well by nature to thrive without too much extra hassle introduced, and suppress both the bad behaviour itself and the general productivity of the business behind it where that's not the case.

[crazygringo]

I'd hardly say that. "Forget me" can take a lot of design work (can introduce a ton of edge cases). "Export data" requires building an entire information processing pipeline.

Larger corporations have the resources to dedicate to this. But for a small startup deciding between spending 4 dev-months on "forget me" and "export data" versus on enabling the top 3 new primary use cases users are asking for, I understand how this could feel really difficult.

I really wonder if it wouldn't be better to make some of the requirements only for companies above a certain revenue threshold or the types of data collected. (E.g. export data is critical for health or finance-related sites, probably less so for a meme generator startup.)

[geocar]

I would. I'm doing some GDPR consulting at the moment and most of my conversations are "I don't think it's as complicated as you do". Americans tend to read law very pathologically unless they are familiar with how European legislation works, and every programmer out there thinks they are an armchair lawyer since there are "obvious" skillset similarities between decoding software and decoding law.

"Forget me" is very simple: If someone calls you up and asks you to stop using their data, you stop using it and remember that they've done this.

You do not have to:

- Destroy invoices

- Delete web logs

- Delete the record of them asking you to stop using their data

- Reprocess all of your backups

- Recall any reports you might have sent out

Or anything else that is silly. But your salespeople aren't allowed to see that person's details in your CRM anymore.

"Export data" is also very simple for most companies. If you have a CRM containing information about a person, then that person can ask for that information.

> probably less so for a meme generator startup

What possible "personal information" do you think a meme generator startup actually has to collect on individuals that aren't their customers?

They should have a CRM containing companies who are purchasing advertising space on their meme generator startup, and perhaps leads that they have obtained through various incremental marketing sources. They probably do not have any personal information on their users, or if they do, their business will not be impacted by simply not collecting that personal information.

But maybe I don't understand what a "meme generator startup" would do because I'm not in their target market.

[Silhouette]

You keep mentioning how you're consulting on this issue at the moment and claiming that those of us more cautious than you just don't understand how European law works. Would you mind sharing a little more to justify that authority -- what qualifications do you have that we don't, what sorts of business are you consulting with and how much is compliance (including your advice) costing them, and why is your interpretation of the GDPR reliable in cases where a literal reading either clearly contradicts you or contains significant ambiguity that you imply doesn't matter?

[geocar]

Hi Silhouette,

I'm not claiming anyone more cautious than me doesn't understand how European law works. That's just silly.

I also don't know what qualifications I have that you don't. What qualifications do you have?

The sorts of business I am consulting to are sales and marketing agencies based in the US. As an SME I work with their in-house council to help them understand what the business is doing. I also help define process designed to make compliance obvious and transparent surrounding areas of my expertise.

I have no idea how much compliance is costing them. I don't know if they look at it this way.

Your last "question" consists of some more straw man and a little too much hand-waving: By all means, feel free to point to any contradiction with a specific recital and I can try to address it. If you have another source who claims to be an expert, I can also try to explain why I may have a different opinion than them.

[Silhouette]

First of all, please let me apologise if my previous comment came across as unnecessarily aggressive. Looking over the thread today, it could be read as quite hostile, which wasn't my intent.

My concern here is that in this discussion (and indeed in other recent HN discussions around the GDPR), you have on several occasions relied on your role as a consultant to support statements that various actions weren't necessary because of the GDPR, and to dismiss some of the potential legal arguments/concerns that several of us have raised suggesting otherwise as if they are some sort of legal trickery and EU courts/legal systems would not like them.

I claim no special qualifications in this area. I'm just a guy who is running businesses that might be affected by the new law and wants them to do the right thing, but wants that right thing to be practical and to know that we're on safe legal ground with it. Naturally I also talk to others in a similar position from time to time, and occasionally with consultants or lawyers active in the field, and so I know that many others share similar concerns and are asking the same sorts of questions.

What I'm seeing is that most of the experts are arguing for things like a "risk-based approach", which is the standard CYA consultant/lawyer answer to almost anything where they can't say "We don't actually know either, but you'll probably get away with it if you don't rock the boat". My point is that this is not good enough. The EU and member state authorities have form, as I've written about elsewhere, for introducing overly broad laws with insufficient safeguards and insufficient consideration for small businesses, and for then causing real and sometimes very serious damage to those smaller businesses in practice afterwards.

This is why I'm arguing that the GDPR as it stands is a bad law. This is why I want to see clear, concise, unambiguous answers from authoritative sources on issues around backups, log/journal-based records, and the like. And this is why I'm asking what your own qualifications are and what you know that we don't, given that just a couple of comments up you have casually dismissed concerns that many of us seem to have as being "silly", when those concerns are based on reading what the GDPR actually says and the ambiguity that we're hearing from other experts who don't seem to share your clear view of the subject.

[FooBarWidget]

Interesting. Do you have a link to your consulting company? Do you have a blog on GDPR related topics?

[geocar]

I don't operate a blog, and my primary function at my company is as an SME, so I mostly consult to our customer's in-house legal. That said, my contact details aren't difficult to discover, so by all means reach out if there's something specific you want to talk about that you don't want to share publicly.

[rectang]

It wasn't the company's data to begin with. Modern businesses have caused harm to countless individuals by treating data cavalierly.

The GDPR puts things right. It brings the externality into the market, and now the market can correct.

Businesses that rely upon slinging private information around irresponsibly need to adapt. If they can't, their failure in the marketplace is just.

[dagmx]

I'm not sure I've read anything in there that is hard to implement, other than retroactively.

I'm sure as time passes there will be frameworks and best practices developed for conforming to these regulations, but I honestly don't see anything egregious or complex to develop in there.

[mycall]

So what's the alternative? Completely lose all of your privacy? It is only developers who can fix this massive PPI leaking.

[nawitus]

There's plenty of alternatives. The main problem with GDPR is not the goal of advocating privacy but the details. I would have done it like this:

a) bring out regulation gradually instead of in a single big change like GDPR to have companies time to comply

b) don't write vague laws

c) give specific examples of what GDPR means in practice

d) be more lenient on smaller companies

[bozho]

a) companies had 2 years go comply. Furthermore, the guidlines of the European Commission are clear that the process should be gradual - inspect, write recommendations, small fines, bigger fines. Nothing like "20 million in June"

b) the law had to cover a lot of usecases and in order to do that concisely, it may sound vague in places. I also don't like (developers never like uncertainty), but there's established practice already in regulators and courts about what is considered "adequate", "appropriate", etc. I agree it could've been better though.

c) that is happening already, e.g. ICO (the UK regulator) has a pretty good set of guidelines and examples. There's also the process of "prior consultation" where if you are not sure about something, you go ask your regulator for a decision

d) this is exactly what the "proportionate", "adequate", etc. are in for. If you are a small company with 2000 data records, you are not posing a high risk for the rights and freedoms of data subjects and so most of the things are not a strict requirement

[nawitus]

a) The problem with this is that this practical guide was released in November 29, 2017. And this is unofficial. EU should have released a practical guide two years ago in my opinion.

If the process is gradual the law should reflect that.

c) Good to hear :). Apparently it's this: https://ico.org.uk/for-organisations/guide-to-the-general-da... - I hope it's not written from the perspective of the UK legislation.

d) The law should clearly define what is required for smaller companies and what is not. There's some disagreement if this is the case in GDPR articles too.

[AlphaSite]

Every country has a slightly different implementation of the directive, so I don't think the EU will have a single example to give.

[nawitus]

However, GDPR is a regulation, not a directive. I haven't seen that countries pass their own implementation of it.

[x0x0]

a) The regulators had 2 years to write final regulations. They didn't do that either. Apparently it's too much to ask to have eg final guidance more than 3 months before the implementation deadline.

aa) In actuality, the ICO has made it clear that grace periods are not part of their regulation strategy. See eg speeches by senior regulators.

b) hahaha go spend a pile of cash on lawyers (we're at roughly $50k) who are familiar with 30-ish countries privacy regulators. American companies are quite unlikely to have a lead regulator.

d) proportionate and adequate are words that create giant legal bills, because the gdpr naturally declines to spell out in any concrete fashion what those mean.

[jimnotgym]

a) It is not a big change from the 1995 regulation. It is incremental. There is a feeling that the previous regulation lacked teeth with the multinationals, some of whom have chosen to ignore it. Facebook have lost two cases over aggregating data in Belgium and Germany in the last month.

b) I don't know if you are familiar with European law, but what you see as vague is what others see as flexibility. Laws setting out the spirit of what you are trying to achieve tend to age better than a rule based approach.

c) They did [0]. Because of b) it is not part of the regulation itself.

d) They were under the existing regulation, so why wouldn't they be now? The 'vagueness' as you put it gives a judge considerable flexibility to see if the steps taken to safeguard privacy were appropriate to your size

edit:add reference [0]:https://ec.europa.eu/info/law/law-topic/data-protection/refo...

[nawitus]

Well, I personally don't like laws to be vague.

[skrause]

> a) bring out regulation gradually instead of in a single big change like GDPR to have companies time to comply

GDPR wasn't announced yesterday. The time span between announcement and implementation date is over two years. Of course if you only start now there isn't much time left, but then that's your own fault.

[nawitus]

GDPR was announced years ago, but this pratical guide was authored a few months ago. EU should have released an official guide two years ago.