Ask HN: What is your company doing for GDPR compliance?
The EU's General Data Privacy Regulation goes into effect at the end of May. Our company is getting ready to spend probably 8-person-months of labor time becoming compliant (for a mobile app that uses advertising). It's a giant pain to navigate the policy when you're on a small-ish team without somebody who has been paying close attention to this.
Here's the GDPR website: https://www.eugdpr.org/
11 comments
[ 3.4 ms ] story [ 40.6 ms ] threadIf a customer uploads an image or PDF and it's got a second customer's protection information in it, how am I supposed to know? It's just sitting in an s3 bucket without any introspection...
We don't collect personal information and if someone wants to have their data removed I am happy to do this too.
But don’t be surprised when your EU customers start leaving for products that do comply.
That’s kind of the whole point.
I feel for the poor EU companies that have to deal with this mess. If you are a smaller company it might be best to do the bare minimium and hope you sail under the radar.
If you are a SaaS provider then GDPR is table stakes now.
Deadline is May 25 2018 which is less than 4 months from now. I'm planning this and talking with various consultants right now. Happy to share the details if anyone is interested.
In my company we've setup an internal redmine project that tracks and has pointers to all development and administrative work related to data protection. We also upload there a copy of the final documents we produce to have it everything in one place.
Why? In case of inspection, you cannot fake 2-3 years of work in a few hours.
You must first evaluate which level of compliance you need. For cases where the data is not very sensitive, compliance is a matter of following some simple rules. If the data you're collecting is sensitive, you need to do a risk analysis and decide yourself on the requirements you should follow (which IHMO is bad for both consumers and companies, since they do not have clear rules to follow).
If you fall in the "simple" case, you just have to do in summary:
- You must guarantee certain rights which might require some changes but are not necessarily too difficult, like allowing to delete data and export it.
- You must list the suppliers processing data for you and have a contract with them. Also not very difficult but might require some time and requires your suppliers to also adapt, which might probably be the most difficult step.