"GDPR is about privacy 101;"
It looks like our experience on implementing GDPR is different.
Essentially GDPR is like being PCI and SOX compliant from the first day - and looking at what companies go through to not be under PCI compliance, like using Stripe forms, this looks like significant overhead. After implementing GDPR, SOX and PCI in several companies, from an IT perspective they are comparable, with PCI the easiest to implement, especially on the process side, and GDPR a little bit more than SOX on the documentation side but with no monitoring of code changes and traceability.
Paying 10.000+ EUR for a missing word in your data protection declaration is no problem for a multi-billion dollar company, but can and will kill startups.
If your GDPR is not on the same level as a SOX implementation, there will be a rude awakening if you get a review and are fined.
Paying for a data protection officer is hindering small companies and startups.
Updating your deletion infrastructure with every feature you implement is overhead. If you do not automate this and keep it updated, and respond to information requests by hand, plan for significant manual work.
Having a process documentation of 100+ pages which needs to be updated with everything you do and every new feature that captures or transfers personal data or stores data is a huge overhead for iterating on your product.
Doing a risk analysis and data protection sign-off for every test feature decreases your speed a lot.
You need to document every process (what data, where stored, when deleted, what cloud/saas/systems involved, who has access, how it is protected, ...) - like sending marketing mails or cold calling or going to a conference collecting business cards or giving stuff away to winners on Facebook - if it touches personal data.
Encryption of personal data in the database and encryption on the storage medium is a lot of operations stuff - this will lead to every startup converging on only using PG instead of being polystorage.
Implementing access controls to your office (if you use Excel with personal data) as if you were a data center is a lot of overhead - no more starting at home or in the garage. Probably best to go to WeWork who have proper office access control, if you have the money.
Investing in training days, planning and updating training material, and managing training with your staff is a lot of overhead for startups. Together with staying up to date with court decisions on GDPR, this will cost startups 1 FTE (see above). From now on, instead of hiring that second developer, I'd advise startups to hire a security officer first.
Having a data processing contract for every prototype feature you test is a lot of overhead to being agile and lean.
Marketing signing up with a credit card to try out some automation in a startup - those days are gone.
I'd say it is significantly more difficult to follow the lean startup methodology than before.
From working in some large companies and some startups, implementing GDPR, SOX and PCI, GDPR will help large companies who already have a large legal team, large compliance teams and who are SOX compliant against disruptive startups. Google and Facebook are the main beneficiaries of the GDPR.