undefined | Better HN

0 pointsAmericanChopper7y ago0 comments

Where did I advertise misuse of our customers data? Compliance and privacy are not the same thing, just like compliance and security are not the same thing. We have a great privacy policy and we don’t misuse our customers data in any way.

For us, it didn’t make sense to invest the amount of money we’d have to to establish compliance with the GDPR, or to invest in maintaining that compliance, and the liability that GDPR would introduce for us most certainly didn’t make sense.

Europe is worth almost nothing to us, we don’t market ourselves there because it’s a waste of money. The EU customers we have all sought us out, not the other way around. For us, the cost and liability is simply not worth it. I think you’ll start to see more businesses make this decision, based on facts and numbers. You can’t just cry that they’re all being hysterical or want to abuse they’re customers data and privacy. When you introduce expensive new regulations, that have very strong punitive elements, this is exactly what you’d expect to happen. Small to medium sized businesses will wear the most of the cost (while posing the least of the risk). Luckily for us, EU is worth close to nothing for us.

0 comments

HelloNurse7y ago

You are advertising that your handling of personal data is so haphazard that GDPR compliance would be expensive. You are admitting that you aren't good enough for the EU, and therefore that you aren't very good in general at whatever you do.

I expect that, at least in some obviously global markets like most e-commerce, GDPR compliance (as opposed to throwing the towel like you) will be treated like a certification of being a relatively non-evil and non-amateur business, with a significant impact outside the EU.

AmericanChopperOP7y ago

I’m sorry, but this is simply the naive opinion of somebody that has clearly never had to deal with compliance before on a meaningful level.

My customers are all happy with my privacy policy, and not a single one outside of the EU has expressed any interest at all in the GDPR. We are actually compliant with a majority of the regulation, however there are some areas where we would have to re-architect to gain full compliance.

This is not in anyway a signal that we’re “not good enough” to handle our customers data. It is mostly a sign of a poorly written piece of regulation, that has more undefined edge cases than it has defined use cases.

We’re not going to be the only company that comes to this conclusion, so you can go around slandering anybody you like, but that’s not going to change the facts behind what is a rather simple business decision for a lot of people.

You’re incredibly naive if you think complying with regulations like this is going to be cheap and easy, and your even more naive if you think that compliance is going to mean anything other than a rubber stamp. I’ve seen PCI, Fedramp, ISO27k, SOC2... organisation that have been certified as compliant, but were in reality less than 10% compliant. The compliance industry is a joke worldwide, and everybody knows it.

HelloNurse7y ago

I'm arguing from the point of view of a customer, not "slandering". Customers are going to have a choice between GDPR-compliant companies and USA-only ones and (if they care) they are going to assume the worst about why the GDPR can make a company retreat from the EU market.

As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.

You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.

crankylinuxuser7y ago

Right now we are going through a federal audit. We sell only to US orgs, but also have a social media platform.

Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents how we use metrics and user data.

(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)

If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.

And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Edit: > "My customers are all happy with my privacy policy,"

Do they have a choice, aside to never use your stuff? If do you force acceptance of the 'privacy policy' on usage of your service? If you, that is in direct violation of the GDPR.

Hope you never want to consider European citizens as a customer. Building in this respect is cheap, but is expensive if you ignore now.

Think of this as "California Emissions". Eventually the US will adopt, even if in defacto. Might as well be on the right side of the fence.

2 more replies

Jare7y ago

> Compliance and privacy are not the same thing

I remember the time we had very good privacy policies but getting that project to be compliant with COPPA was still a significant effort, so I think I get where you're coming from.

Once we became compliant, quite frankly, I felt a lot safer and more confident in affirming that our privacy policies were very good. Maybe it was some kind of sunk cost syndrome, but I was glad we did (were forced to do) it.

olau7y ago

What amount of money would you have to invest and for what? Data retention?

j / k navigate · click thread line to collapse