Ask HN: How do you GDPR for your small side projects?

I'm sure I'll be shot by HN for this, but I'm not bothering. If a side project starts to gain traction then I'll look in to it, but if it's a small web app with a handful of users then sod it.

It's not too tricky, fortunately!

1. Stop collecting any data you don't need. If you don't collect it, it's not an issue!

2. Have a way for users to access their data or request it be deleted. This can be a manual process.

3. Make sure you gain explicit consent for any data you capture from users, and explain why you are using it.

4. Make sure any data you capture is stored securely using industry best practices.

5. Put a retention policy in place for backups and logs – for example, delete them after 30 days.

That's basically it. It's more complex if you have a product that needs to store lots of data to function, or if you have a sprawling set of databases, or if you have some kind of un-deletable storage. But in general, you only need to do the sort of things that you should really already be doing if you use personal data.

And bear in mind that the goal of GDPR is not to fleece companies for fines, but to achieve compliance with the rules. If you do something wrong but act in good faith, you can expect a letter from whichever SA is coming after you. But you're not going to see a €20m fine any time soon.

I try not to be an asshole with user’s data and it worked out great for me even before GDPR.

I haven’t actually read the regulation and couldn’t care less if I comply (I’m sure there is like 10% of it that I might not comply with), but my point is that nobody ever complained - I give users an easy way to nuke all their data (actual delete, not pretending to delete), I don’t share their data with anyone, no analytics/tracking/advertising and problem solved.

I have enough on my plate working on GDPR for the sites I pay my bills with, so I shut down almost all of my side projects (and one business with a few customers) to avoid having to worry about them.

Some people here have mentioned ignoring it completely in the short term. While I wouldn't recommend this, for a small, personal, non-profit side-project, it is worth mentioning that lot of the checklists and advice out there are:

1. aimed at, at the very least, medium-sized for-profit businesses, and as such include requirements that explicitly don't apply to very small projects

2. very often are trying to sell you something (consulting services, compliance audits, training, etc.) and as such are motivated to make GDPR sound as scary as possible.

There is a little more to it than this, but, my advice would be to just be mindful of any info you collect on users.

If you are worried about it, you can focus on projects that are open-access or don't necessarily involve accounts and login, but if you are implementing auth, just note what the auth collects, and be careful with it, both in terms of consent and securiy.

Don't give it to 3rd-parties (the easiest way to do this is doing things like sending userIds to Google Analytics in custom JS events). Consider whether your small side-project really needs Google Analytics (logging, crash analytics is good for debugging issues, but behavioural analytics is moving towards building a business, imo).

Note: I'm not implying side-projects shouldn't be moving toward building a business, but I'm just making the point that if that is your intent, you should be spending a little bit more time considering user privacy and compliance. And getting proper advice about it. You don't even need a DPO for <250 employees, so this really isn't that burdensome.

Can someone clarify what exactly is the legal liability that comes from GDPR?

My very basic understanding is that countries set up SAs (supervisory authorities) to deal with complaints, and have the legal power to sanction and so forth.

So is it only the SA that can take action against you? If someone wanted to harass you, must they complain through the SA, or can they bring a civil suit based on the GDPR?

I'm not clear on how to revoke PII from distributed systems, like git, when mischievous peers can copy data or ignore changes as they wish. Likewise for any other distributed information storage.

So... Blackhole .eu and move on with my life?

All the most important data that shouldn't be for my eyes -- is 256-bit encrypted as it gets entered into any database. All passwords and most user-inputted data is encrypted. Stripe takes care of the payment information which I don't store, but I do keep the expiration date in my database which usually cannot be used to identify anything. Definitely trying to be more GDPR-compliant as I take privacy and security very seriously. Wouldn't want my data exposed if I was using someone else's product and that is how I try to think when developing and encrypting the data.

Would be great if someone made a check list of things, since legal documents are barely readable for normal humans

I don't, but I've never kept personal information. As someone with a background in the security and finance industry. I don't want that burden. If you don't have it, you don't have to deal with it. So if you have a side project, why would you collect personal info?

If you have a project that doesn't allow users to enter any kind of information but simply displays ads (via Adsense), is that in scope for GDPR or is a proper Privacy Policy enough?

Blackhole all connections from Europe.

Cold emails to EU region recipients aren’t allowed unless they give you consent to receive your email (you as a company or marketer can do this by mentioning or using check-boxes in the web form’s popup template)

Email list needs to be updated - Only consented customer data needs to be stored, and erase the other unless you want a fine of 20 million euros or so. (remove data of those who have unsubscribed to your service immediately). Data erasure - Remove data of those who have unsubscribed to your service. Check for the Unsubscribe button everywhere - It’s mandatory that each and every mail of yours needs to contain an unsubscribe button with updated privacy policy given below. Update the privacy policy & terms of service - these need to contain what and how you are going to use the user’s data. For more info, read from the links given below in this answer. Double opt-in- for both entry and exit needs to be mentioned. Permission for profiling - Sales people can get prospective customer’s data through gated content(whitepapers, e-books) etc and they shouldn’t get this data from any other source like email hunters etc. (without their consent you can’t even breathe!) Employee data handling - You need to mention how and where is the data used and stored and for which purpose too. If you are using the data for multiple purposes, then you need to mention each purpose every time. Referral Program - You can’t process the referral email ids/data gained through offers/discounts etc. Yes, even they have to be GDPR compliant. Data usage policy - already mentioned in this answer(this is just to remind its importance in this context) Right to forget - option to be provided if the user wants you to erase(forget) their data from your databases. Usage of cookies - to track email opens etc you need to mention you are using cookies to the user. Some notes you would want to keep for GDPR compliance:

GDPR: Key Points and Steps to Prepare (https://www.agilecrm.com/blog/gdpr-key-points-steps-prepare/) https://www.superoffice.com/blog/gdpr-marketing/ (https://www.superoffice.com/blog/gdpr-marketing/) Salesforce PDF on GDPR(fiction vs fact) (https://www.salesforce.com/content/dam/web/en_us/www/documen...) GDPR Regulation (https://www.eugdpr.org/the-regulation.html)