[Silhouette]

It's not the intent that I have a problem with.

Moreover, as a founder, I couldn't agree more with being responsible about working with personal data. We have always been careful about the data we collect and how we store and process it. But from what we have learned ourselves so far, we seem to have significant additional obligations under the GDPR (for example, being able to produce substantial amounts of formal documentation to the ICO on demand) that we would not currently be able to meet, and we might have other obligations that could be awkward (often related to the various subject requests now possible) but the implications aren't fully clear.

We also don't expect a huge deluge of requests from users. In fact, we've never had any under existing data protection rules. However, given that there several people have posted to HN recently saying that they'll be happy to send in large numbers of such requests when the GDPR comes into effect just to make a point, and unlike the current data protection rules in the UK there appears to be no provision for a token fee to deter such vexatious requests, we have to consider the possibility and at least have some intelligent way to respond, even if that just means knowing what our actual obligations would be if anyone did make such a request without doing any other work in advance.