undefined | Better HN

story

0 pointsAmericanChopper7y ago0 comments

So because you don’t have many in-scope systems, you believe that the cost of compliance is going to be the same for every company in the world? And what did I say that gave the impression that I don’t respect my users or their data?

Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.

In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPRs limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.

As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.

0 comments

mmt7y ago

> However, that’s not how we manage risk.

I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.

Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.

Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.

I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's also broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.

Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.

Proziam7y ago

I think you've hit the nail on the head regarding the bias of this particular forum. As a group, it seems obvious that HN would be less risk-sensitive than the average.

For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.

Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.

mmt7y ago

> For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type

I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.

Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislastion of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?

If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.

> Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.

I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).

Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.

apple4ever7y ago

Great points. It’s all about risk and the cost/benefits of complying.

crankylinuxuser7y ago

I think the underlying idea here, is that data is "radioactive". Quite a lot of data can be fed into classifier systems to accurately identify people (not just computers), their trends, their shopping habits, and other much more private things.

In Europe, because of classification systems surrounding IBM and Nazis, have chosen to be very proactive about the dangers of having too much data. It may be used right now in a good way, but the data can easily be used for very evil things.

The GDPR reminds me of a Target (chain retailer) advertisement where a 17 year old girl was being profiled and send pregnancy, maternity, and baby ads. The father was angry at Target sending his daughter this, until the daughter fessed up that she was indeed pregnant. How did they determine this? Shopping purchase records. The GDPR may not have stopped the first occurrence, but would have provided sufficient "bite" to ever stop this from ever happening again.

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...

mmt7y ago

Your response seems to completely ignore what I said, which had nothing to do with data. It's as if you're just making an appeal to emotion.

I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.

I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.

1 more reply

jacquesm7y ago

That, and the fact that a good chunk of present day Europe was under the Soviet boot for 40 odd years and the people there got to see up close how dangerous data is in the wrong hands (in that case: the government).

2 more replies

j / k navigate · click thread line to collapse

0 comments

mmt7y ago

> However, that’s not how we manage risk.

I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.

Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.

Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.

Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.

Proziam7y ago

I think you've hit the nail on the head regarding the bias of this particular forum. As a group, it seems obvious that HN would be less risk-sensitive than the average.

Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.

mmt7y ago

> For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type

> Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.

apple4ever7y ago

Great points. It’s all about risk and the cost/benefits of complying.

crankylinuxuser7y ago

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...

mmt7y ago

Your response seems to completely ignore what I said, which had nothing to do with data. It's as if you're just making an appeal to emotion.

I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.

1 more reply

jacquesm7y ago

2 more replies

j / k navigate · click thread line to collapse