Ask HN: What is your company doing for GDPR compliance?

23 points by nrjames ↗ HN
The EU's General Data Privacy Regulation goes into effect at the end of May. Our company is getting ready to spend probably 8-person-months of labor time becoming compliant (for a mobile app that uses advertising). It's a giant pain to navigate the policy when you're on a small-ish team without somebody who has been paying close attention to this.

Here's the GDPR website: https://www.eugdpr.org/

11 comments

[ 3.4 ms ] story [ 40.6 ms ] thread
(comment deleted)
Work for a fairly large company and we've been working on GDPR since like last October. There is a lot of ambiguity on unstructured data that we don't parse/process (things like customer uploaded images, pdfs, etc) that seem to be confusing for product management and/or legal.

If a customer uploads an image or PDF and it's got a second customer's protection information in it, how am I supposed to know? It's just sitting in an s3 bucket without any introspection...

(comment deleted)
Nothing. I am waiting for the EU and its army to enforce it on companies like mine that have no business presence in the EU.

We don't collect personal information and if someone wants to have their data removed I am happy to do this too.

No one expects them to enforce it on you.

But don’t be surprised when your EU customers start leaving for products that do comply.

That’s kind of the whole point.

Considering we are B2B and don't collect personal data I think this is unlikely.

I feel for the poor EU companies that have to deal with this mess. If you are a smaller company it might be best to do the bare minimium and hope you sail under the radar.

The worst is for side-project which is making small buck from freemium subscriptions. The project is finished and almost maintenance free. I am considering to kill the project or explicitly require only B2B users (no consumers). There is also option to move all it behind US reseller to avoid unnecessary compliance burden.
Mainly supporting the Right of erasure. I’m the PM working on it, so lots of talking to our lawyer, consultants, going through all the db fields, etc.

If you are a SaaS provider then GDPR is table stakes now.

By 8-person-months of labor time, you mean 4 people working on it on a quarter-time basis for the next 4 months?

Deadline is May 25 2018 which is less than 4 months from now. I'm planning this and talking with various consultants right now. Happy to share the details if anyone is interested.

Probably the most important part of GDPR is the fact you must prove you're doing reasonable efforts to comply.

In my company we've setup an internal redmine project that tracks and has pointers to all development and administrative work related to data protection. We also upload there a copy of the final documents we produce to have it everything in one place.

Why? In case of inspection, you cannot fake 2-3 years of work in a few hours.

We're a development & product company and are currently adapting to GDPR. We compiled some useful tips in this article: https://bugfender.com/blog/how-to-comply-with-the-gdpr-eu-la...

You must first evaluate which level of compliance you need. For cases where the data is not very sensitive, compliance is a matter of following some simple rules. If the data you're collecting is sensitive, you need to do a risk analysis and decide yourself on the requirements you should follow (which IHMO is bad for both consumers and companies, since they do not have clear rules to follow).

If you fall in the "simple" case, you just have to do in summary:

- You must guarantee certain rights which might require some changes but are not necessarily too difficult, like allowing to delete data and export it.

- You must list the suppliers processing data for you and have a contract with them. Also not very difficult but might require some time and requires your suppliers to also adapt, which might probably be the most difficult step.