Are you Managing GDPR yourself?

12 points by dhumph ↗ HN
A question for other small biz saas’s.. are you managing any changes required for GDPR yourself or are you hiring a consultant to advise?

I’m trying to judge the risks of managing the changes myself versus the costs of looking for someone to help advise. How are others managing this?

Has anyone used a consultant they would recommend?

6 comments

[ 3.6 ms ] story [ 31.0 ms ] thread
I've been managing it myself over the past couple months mainly by working on getting my privacy policy and terms of service updated to cover GDPR, and how that affects both EU and non-EU customers (I'm applying GDPR to all customers, because I think privacy is important, and because it's easier to implement when it's "across the board").

Updates include things like a detailed disclosure of all data that is collected that could be considered PI (IPs, machine fingerprints, names, emails, etc.), GDPR-related requests, the third parties (sub-processors) I use to run my business, and the responsibilities of my company as a data processor, and my customers' responsibilities as data controllers.

I've been looking over a lot of other GDPR privacy policies and terms as inspiration, so I know what needs to be covered for my particular business, to see how they go about structuring their contracts, etc.

That, and I have been implementing adjustments to data retention (logs, backups, etc.), explicit consent, record deletion (luckily I never did soft deletes), etc.

I may hire a tech lawyer to look it over after I'm done and recommend that I make adjustments where needed.

We Humio.com are a small business as well, and we hired a consultant for a few days to help us iron out the changes we needed to do. We are happy with the help we got and it would have taken us a lot longer to get right by ourselves.
Great. Can you provide contact info?
Can you recommend a GDPR expert?

yes

Can I have their email address?

no

:-)

We're getting advice from our existing legal counsel regarding how to interpret how the law applies to our business and what the risks are for us.

Implementation and compliance with said law (including things like evaluating each data source and destination; examining retention policies, etc) we're doing entirely internally.