by ryandrake 2991 days ago
Honestly, those questions should be pretty easy to answer especially if your company is small. If as a business you can’t answer these basic questions about the data you want to collect from me, I’m going to be hesitant to share it.

People keep sharing that “nightmare letter” link but won’t point out which question gives them nightmares and why.


A couple of things stand out to me as potentially scary. First, the hard one-month timeline. For a brand new baby startup, a month is a lot of time and any distraction is potentially a killer.

Second, a list of everything across all types of storage in any and all systems stands out. Even large companies often lack the ability to search ZenDesk, Salesforce, email, AWS S3, and Slack logs all at once.

Third, there's a clause that asks quite specifically for a thorough list of any and all potential future plans. That's a lot, especially given how startups are subject to pivoting.

Fourth, the section about third parties is essentially asking for the outcome of a vendor assurance process. A lot of small companies can't pass a reasonable vendor assurance process. They often can't afford the time and assurance specialists to manage one for their vendors. Even large companies often have trouble maintaining the level of control required for thorough vendor assurance. The bit about legal reasoning implies the involvement of a lawyer as well.

Fifth, there's a strong implication that no matter what you might say in response, it's not going to be good enough. There's always something that can be pointed to as not enough.

With all of the above combined, I can see where some might view GDPR as intimidating and favoring big companies over small ones through sheer costs.

> People keep sharing that “nightmare letter” link but won’t point out which question gives them nightmares and why.

There is a standard way in which "reasonable" regulations kill small companies. It works like this. You impose some small burden, something like an hour of labor a week. That won't destroy a small company, but that is not the only rule in the world. That rule takes an hour, another rule an hour and a half, a third rule a half hour. By the 60th rule, a two person company is past sunk. Even if every individual rule is nominally reasonable, the combination is hopelessly destructive.

The problem with tech companies is the rules don't just add together, they get multiplied by the user base, and it's entirely common for a very small company to have ten million users.

So you take a letter like that. The first time you get one it will take you a week to figure it out, but over time you get the response time down to an hour. Only with 10 million users, if 0.1% of the users make such a request per year, you're looking at 27 of those every day. That's more than three full time employees doing nothing but that. For this one "reasonable" regulation.

I'll point out which question gives me nightmares, as the founder of an EU startup:

- the requirement to have a DPO. Based on the requirements for the DPO, no one in the company can fill the role (conflict of interest), so we must hire an employee or consultant (expensive either way for a small startup)

- one month to respond. That's a lot of information to collect the first time, and I might have other fires to put out (or I have to be pro-active and have a prepared response, which has to take the place of something else important to do)

- the sheer amount of information to collect. In the age of plug and play solutions, that's a LOT of things to audit (Mailchimp, AWS, GA, Heroku, various Wordpress plugins, a logging solution whose name I don't even remember, just to name a few)

- tracking every single PI of a user. If your systems are not built for this, it's going to be lengthy. If you were created before the GDPR, they are probably not.

- tracking down the usage of those PI may be complicated depending on the expected scope and the usage you make of them (fortunately for me, there is no ad nor data resell, so really only the scope is the problem)

- some of the processes asked for carry a serious implication that you should have certain things in place and do certain kinds of things. This is not feasible for a small startup.

It boils down to: it takes time, and time is something I'd rather use for something else, and it also requires doing things that have a huge fixed cost that the size of a small company can't absorb (at least not until there is a ready-made solution).

I define a small startup as a startup with fewer than 20 employees, that might have received Seed funding but not more. Those points might not all be applicable to a new startup created with GDPR in mind.

Thanks for this. So what's your advice for a social startup building a new platform in today's data-privacy concerned world?

Simply build a secure and private platform, and don't be reckless with user data. Health startups already deal with this through HIPAA and it isn't really a big deal, just common sense practices for security and privacy.

I'm going to be honest: I have no clue about social. I operate in the socio-medical domain; we don't share by default.

We are mostly fine with the spirit of the GDPR, it's the work we have to do to follow it to the letter which is a problem (and the lack of process internally).