by lucideer 2991 days ago
I disagree. Here's an outline of what a response to the letter in that first link should look like for a small, well-meaning* startup:

The letter is nicely formatted into 9 bullets. All are optional for small companies, and all can be automated - the answer should be the same for all users.

1. This is a "yes" or "no" question. If the answer is "no", you can ignore the rest of the letter. If yes, the answer is the same for all users.

2. Simple, short, same for all users.

3. You can avoid doing this if you want. If you are doing this, you're signing up to take on this additional burden of informing your users. Consider this when making this decision. This is the only bullet in the list that is in any way burdensome, as you will need to update this text in your automated response whenever you take on 3rd parties (if at all).

4. Simple, short, same for all users.

5. and 6. are "if" conditionals that you shouldn't be doing. The answer should be "No".

7. Amounts to "has my data been hacked". If yes, that's unfortunate, but obviously you have a moral obligation to respond here regardless. Presuming you're hacked once, you provide full details once and send automatically to any users who ask.

8. and 9. are out of place. GDPR doesn't require you to respond to these questions within this quoted 1-month time limit (you do have to have what's detailed within them in place to comply with GDPR, but that's tangential to info requests). These seem to have been put into this blog post as extra scaremongering.

* by "well-meaning" I basically mean "not selling all of your users personal data to myriad nefarious 3rd-parties"


> 3. You can avoid doing this if you want. If you are doing this, you're signing up to take on this additional burden of informing your users. Consider this when making this decision. This is the only bullet in the list that is in any way burdensome, as you will need to update this text in your automated response whenever you take on 3rd parties (if at all).

Pretty much everyone is going to. Google Analytics, Zendesk, Salesforce, and more all qualify. Hell, even AWS qualifies...

> 5. and 6. are "if" conditionals that you shouldn't be doing. The answer should be "No".

Why do you say that? Given that we're discussing technical companies, I fully expect that automated decisions will be made.

> 7. Amounts to "has my data been hacked". If yes, that's unfortunate, but obviously you have a moral obligation to respond here regardless. Presuming you're hacked once, you provide full details once and send automatically to any users who ask.

And "detail all your security measures". Which, for a small company that doesn't have an InfoSec group, probably means next to nothing. An admission that feels a lot like liability...

> 8. and 9. are out of place. GDPR doesn't require you to respond to these questions within this quoted 1-month time limit (you do have to have what's detailed within them in place to comply with GDPR, but that's tangential to info requests). These seem to have been put into this blog post as extra scaremongering.

It's the sort of thing an angry consumer might do, and most startup founders subject to GDPR are not deeply knowledgeable about it.

> Pretty much everyone is going to [...] even AWS qualifies...

I worded this badly. This is optional on a case by case basis, i.e. there's a cost-benefit to using each 3rd-party, and this burden is worth considering for each. It's still not a massively onerous burden tbh if you do use a lot of 3rd parties.

> And "detail all your security measures". Which, for a small company that doesn't have an InfoSec group, probably means next to nothing. An admission that feels a lot like liability...

I'm sorry but if you're really defending companies with no competent security measures in place, regardless of size, I think you're in the wrong forum here. If you are a commercial entity of any size there should be moral hazard in ignoring security of your users' personal data.

> It's the sort of thing an angry consumer might do, and most startup founders subject to GDPR are not deeply knowledgeable about it.

Exactly. And unlikely to be more knowledgeable if they're reading misleading scaremongering articles like this on LinkedIn!

> I worded this badly. This is optional on a case by case basis, i.e. there's a cost-benefit to using each 3rd-party, and this burden is worth considering for each. It's still not a massively onerous burden tbh if you do use a lot of 3rd parties.

I'm up close and personal with a vendor assurance process right now. It's often a non-trivial amount of time for any given vendor.

> I'm sorry but if you're really defending companies with no competent security measures in place, regardless of size, I think you're in the wrong forum here. If you are a commercial entity of any size there should be moral hazard in ignoring security of your users' personal data.

I'm sorry, I worded this badly. I'm saying that small startups have a tendency to prioritize getting a product working and seeing if it's worth investing heavily in before standing up a strong information security unit. You're absolutely, completely, 100% correct that there should be incentives to be very careful with user data.

I think it's possible to see where some people might find the level of expense and expertise required to be appropriately careful somewhat scary. I can even see where some people might decide to not create a social media startup to challenge Facebook because of this fear.