The article is spreading FUD and inciting others to spread it even further in the comments.
> There is a cost associated with trying to figure out GDPR regulations, finding a lawyer, vetting their feedback, acting to hire folks, changing UI to give user an opt out, implementing that in the system etc.
The GDPR is online, and has been for a long time. You don't need a lawyer, but if you feel that gives you more comfort then fine. You don't need to hire anybody; that is just plain nonsense. And changing the UI to give users an opt-out: that should have been done two years ago.
> All these things don't drop from the sky.
Indeed, this did not drop out of the sky. It has been in the works for years.
> And they are a business. And as a business they have decided to get out of Europe as the above costs weren't worth it to them.
That's fine with me, the way in which it is presented is not fine with me.
They comply later than everyone else not because they didn't see it coming or didn't prepare for it, but because it wasn't in their interest to do it earlier.
I run a business that follows EU DP best practices (and so was mostly GDPR compliant already), and the first I heard of it was mid-2017. My country's data protection agency made no attempt at raising awareness despite having my email address on file :-D It's only been frequently hitting non-EU industry news and places like HN since late 2017, so I can appreciate how non-EU folks might feel blindsided by it.
Likewise. This idea that the GDPR has been in the works for years so it's somehow implausible that very small businesses have only just heard of it doesn't stand up to scrutiny. No owner-run microbusiness is spending the time necessary to keep up with the vagaries of EU debates.
Similarly, the idea that the GDPR is plainly readable and so that shouldn't be a burden and no-one needs to consult experts makes no sense. The document is many pages long, there are many more pages of guidance and interpretation produced by both the EU itself and the various national regulators, and it's still fundamentally ambiguous on many significant practical points.
It is entirely reasonable for a small business that does relatively little trade with the EU not to want anything to do with this, and it has little if anything to do with how good or bad their practical data protection measures and respect for privacy are. If small businesses are overreacting then that is on the EU for failing to pass better law and provide sufficiently clear, concise and timely publicity and guidance on what it really means.
My business interests are in the UK, so we're stuck with this one. However, if we'd realised ahead of time how much trouble the new EU VAT rules would cause a few years back, we would gladly have sacrificed the modest part of our revenue that comes from other EU member states in order to avoid that mess, and it wouldn't have been a close decision. So I find it very hard to criticise anyone running a small business outside the EU for wanting to avoid the latest round of heavyweight EU regulations if they have a way to put themselves outside of their scope.
I only found out about GDPR earlier this year from a random HN comment. I can't understand the attitude from some HN commenters that everyone should have known about this for years. Where/how should every small business that could be impacted by this regulation be notified?
As you noted, the regulation is readable, but verbose and frustratingly vague. I ended up reading most of it along with countless articles from various third parties debating what it means and how to comply - and I'm still not 100% certain if the steps I've taken mean I'm actually "GDPR compliant."
I too got stuck having to comply since around 30% of my customers are in the EU. However, I gladly would have foregone all of that revenue and focused on non-EU customers only if I had known what was coming back then...
That's the price of sitting in your office with your head down, though: you can't ignore changes such as these.
This is one of the oldest HN mentions about the GDPR I could find:
https://news.ycombinator.com/item?id=11764073
But it sank without a trace.
VOGON CAPTAIN: [On Speakers] People of Earth, your attention please. This is Prostetnic Vogon Jeltz of the Galactic Hyperspace Planning Council. As you will no doubt be aware, the plans for the development of the outlying regions of the western spiral arm of the galaxy require the building of a hyperspace express route through your star system and, regrettably, your planet is one of those scheduled for demolition. The process will take slightly less than two of your Earth minutes. Thank you very much.
MANKIND: [Yells of protest]
VOGON CAPTAIN: There's no point in acting all surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for fifty of your Earth years, so you've had plenty of time to lodge any formal complaints, and it's far too late to start making a fuss about it now.
From "The Hitchhiker's Guide to the Galaxy" by Douglas Adams.
Sorry, I couldn't resist.
* We've known about the GDPR for around 2 years.
* The GDPR text, national regulators' comments, industry opinion, sample docs and a plethora of free resources have been readily accessible on the Internet for about the same length of time.
Having worked on the GDPR docs for a medium-sized business that builds learning management systems for corporate customers (about 100 live systems plus dev and testing platforms, where we are a processor of their personal data), it took about three weeks' worth of time to re-audit our platforms, complete a more detailed risk/impact assessment and write this all up together with some procedures for handling enquiries.
Yes it took time, and we went the extra mile with diagrams and tables because the docs are customer-facing, but handled in a timely fashion, GDPR compliance is not a brick wall to business continuity.
If a business already has in place a baseline level of good information security practice, GDPR compliance is not that hard.
Sure, the regulation was there, but nobody talked about it, and it's unreasonable to expect people to magically learn about EU regulations, especially if they don't live in the EU.
Six years; it's a 2012 directive.
And no, this is not about demolishing our way of life, the town we live in or the planet; it's about respecting the privacy of your users, which, for a change, is actually a positive thing. Unless of course you weren't going to do that in the first place, you should welcome the development. I imagine that in a just world the Vogons would be on the receiving end of it.
Oh, and in this case the plans were not on display in the locked filing cabinet in a basement of a building where the lights had gone off and where the stairs were missing.
A handy URL has been provided for a long, long time, and all the debates have been recorded in public as well.
Sure, make it illegal to mistreat user data, then punish those who fail. Don't punish everyone up front.
The decision to exclude a portion of your user community should be explained.
Unless you personally know the developer you are making a number of assumptions about their resources and time to deal with this issue.
Presumably the developer wants to continue to offer this app and service. His understanding of GDPR and how it affects his service will grow over time and he will likely eventually take action to reintegrate the EU into his service.
The only thing certain is the insane, crippling fines.
It is extremely naive to believe you don't need a lawyer for that. You do, the same way that in some of the EU's less market-oriented countries, after a VAT registration you need a registered accountant.
Having a data processing officer in the EU for some definition of significant business is not a natural law and requires careful parsing of the legal text.