| I'll point out which question gives me nightmares, as the founder of a EU startup: - the requirement to have a DPO. Based on the requirements for the DPO, no one in the company can fill the role (conflict of interest), so we must hire an employee or consultant (expensive either way for a small startup) - one month to respond. That's a lot of informations to collect the first time, and I might have other fires to put out (or I have to be pro-active and have a prepared respond, which has the take the place of something else important to do) - the sheer amount of informations to collect. In the age of plug and play solutions, that's a LOT of things to audit (Mailchimp, AWS, GA, Heroku, various Wordpress plugins, logging solution I don't even remember the name, just to name a few) - tracking every single PI of a user. If your systems are not built for this, it's going to be lengthy. If you were created before the GDPR, they are probably not. - tracking down the usage of those PI may be complicated depending of the expected scope and usage you do (fortunately for me, there is no ad nor data resell, so really only the scope is the problem) - some process asked for have a serious implication you should have some and do some sort of things. This is not feasible for a small startup. It boils down to: it takes time, and time is something I'd rather use for something else, and it also requires to do things that have huge fixed cost that the size of a small company can't absorb (at least not until there is a ready-made solution). I define small startup as startups with less than 20 employees, that might have received Seed funding but not more. Those points might not all be applicable to a new startup created with GDPR in mind. |