Ask HN: How is GDPR affecting your business?

49 points by funfunfunction ↗ HN
GDPR will undoubtedly have an effect on most businesses. I'm curious what the impact has been. Is it mostly financial? Have you had to make changes to the services you integrate with or create new technology to service users looking to view or manage their data?

65 comments

[ 490 ms ] story [ 1494 ms ] thread
Very little if any change. We were not doing anything creepy with users data and complied with the Data Protection Act of 1998. We updated our privacy policy with new wording.
Right now, it's not. Management has decided that we're going to keep operating the way we have been as if the GDPR didn't exist, and hope nobody notices. Which isn't a surprise, this company is very reactive. Proactive planning doesn't happen.
Out of curiosity, what industry is the company in, and are you in Europe (either physically, or do you have a significant European market)?
We're in fintech. And we're not in Europe, but we're about to start a big project targeted towards European users.
(comment deleted)
Wow. That's a pretty interesting attitude to take. The consensus here among the M&A crowd is that either fintech, medtech or social media will be the verticals where one or more examples will be made. Best to hope none of your users complains to regulators.
If the have no EU customers, no examples can be made.

It's up to residents of other to demand their governments give equal protections. We all know that won't happen in America.

We've already got users who fall under GDPR protection. Not as many as we will by the end of this year, but some.

And really, I've done all I can do. I've talked it up, given powerpoint presentations, and emailed a comprehensive report about penalties for failing to comply as well as a project outline for becoming compliant.

I believe you. I know a few other cases like that and I really wonder how we got here. I've been CEO of a 25 people company with presence in both Canada and Europe, I would never ever chart a course like that but maybe I'm just too risk averse.

In the beginning of Camarades.com/WW.com we had a lot of interaction with LE because of all the stuff our users got up to online and we tried very hard to comply with the various laws. It did not always work perfect but it worked well enough that we earned the respect of the various LE contacts that we had. I can only imagine how it would have ended if we had thumbed our nose at them. Going global means you need to change your attitude.

If you're not in Europe there's no obligation. I can appreciate the attitude even if I don't like it. Fintech is a REALLY difficult business to make money in. Especially with so many larger financial institutions coming in and buying any naive existential threat they see (coughs suggestively)
No being based in Europe does not exclude a business from GDPR.

"even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.

Under Article 3 of the GDPR, your company is subject to the new law if it processes personal data of an individual residing in the EU when the data is accessed. This is the case where the processing relates to the offering of good or services or the monitoring of behavior that takes place in the EU." - https://www.lexology.com/library/detail.aspx?g=3a02f14c-828b...

It has been 24 hours since GDPR came into effect. To be blunt, if anyone’s business has been affected dramatically, then their business is likely too brittle or unethical. If that’s the case, you should rethink your business model.
That's a dangerous oversimplification. Standard best practices like logging server traffic with IP addresses, or making immutable backups with no way to edit that data now have serious problems. It's ridiculous to call them "unethical", and it has nothing to do with business models.
Alternatively, some part of your business has spent the last X months preparing for this so that their business won't be affected dramatically.

I am easily tracked to my place of employment so I don't want to get into too many details, but we were doing things ethically but still had a non-trivial amount of going through, dotting our i's and crossing our t's, making sure that there weren't pockets of unknown data, putting together plans in case someone asked for data retrieval or deletion, etc.

The longer a company's been in business, the more onerous the task is. I can't imagine what it would be like for a large company with mainframes still around.

If this is the case, then being transparent about it is a good policy. I hope your employer is committing to compliance publicly and apologizing to its customers for the delay.
We don’t have a delay in our case.
Nothing, but we are strictly located in the U.S. and only sell products in local markets. I guess we could block non-U.S. access though.
We where already subject to much stricter rules, so we honestly didn't have to do anything. We have started selling GDPR consulting, so it's only positive.

Both my colleagues and I have much stricter personal guidelines to data protecting than required by our employer, our chief security office and the GDPR, so it's not really an issue.

I run a small consulting business.

It's been quite some effort but for my business so far it's been a net positive because it made me rethink, clarify and streamline my processes.

How does GDPR affect your business? You're not really responsible for anybody's data, presumably you inherit the policies of your customers.
First, I'm responsible for handling my clients' data, such as their email addresses or phone numbers. It doesn't matter that they're business customers rather than consumers. GDPR still applies.

Secondly, though not always the case, I might have to process their respective customers' data in some way in order to do my job (by having access to a production database, for example).

So, yes, GDPR absolutely does apply to my business.

Can you please share how GDPR affects the second workflow? I'm curious, as I've performed similar work.
It means that in that case I have to provide my client with a data processing agreement and handle data accordingly.

Basically, it means that what's been best practice all along is made explicit. So, in most case this doesn't affect the actual workflow all that much.

However, in the past occasionally clients could be quite liberal in handing out access to their production data. GDPR definitely has raised awareness that this isn't something to be taken lightly.

So you're saying that you are asking consent to store the phone number and email address of a client? And you'll provide clients with the right to be forgotten, meaning that you're prepared to delete their contact information? This seems like overkill.
> So you're saying that you are asking consent to store the phone number and email address of a client?

No, I didn't say that. GDPR doesn't mean that you have to ask for consent in each and every case. If as a business you have a legitimate interest to store client data for a specific purpose you don't have to ask for explicit consent. Being able to contact clients in the future who contacted you first constitutes such a legitimate interest.

As for the right to be forgotten: Sure, why wouldn't I? If they don't want to be contacted anymore and want me to delete their contact info I'm happy to oblige.

Past invoices will have names and addresses, will you shred them? Don't you need them to file taxes?
Existing laws and accounting standards still take precedence over GDPR. Past invoices and accounting entries remain as they are.
I work for one of the biggest (non-tech) companies in the world, and in many countries we've been storing user data in spreadsheets all over the place and often without consent. So it's been pretty frantic.
He asks "Have you had to make changes to the services you integrate with or create new technology" and your answer has spreadsheets. I bet that was unexpected.
Not a great deal. Sure, more paperwork in terms of obtaining DPAs (Data Processing Agreements) with some of the vendors we work with, as well as preparing our own DPA for our customers, but overall not a huge impact as we already value privacy highly in our SaaS app.

On the development side, we've had to accelerate some 'nice to have features' that we had planned for later, to this month. Things like scheduled deleting of old customer data, migrating to a more robust SQL system that supported 'encryption at rest' etc. Things that would have had to be done anyway.

Not a great deal. I think management got together with the lawyers to do a cursory review but we've already been under similar legislation for at least one of our European markets so code-wise we haven't actually changed anything.
Large tech company: it took tens of thousands of jira tickets and umpteen-trillion human-hours to become gdpr-compliant in preparation for today.
I work for a major news media company and our GDPR compliance has been extremely difficult with our relatively small dev staff that manages many news outlets so we've opted to block access from all of Europe. It's gotten a lot of press, but it's an unfortunate reality. Most of our adtech and analytics vendors we use have put the burden on smaller companies like us -- ripe for disaster.
then stop using them, instapaper
(comment deleted)
That's an interesting way to broadcast your lack of technical/lateral thinking skills over there at latimes.com (see https://news.ycombinator.com/item?id=15604736). You could look at USA Today's way of temporarily handling this as an example of what could be done with a few hours of work.

You're saying that the GDPR is so taxing because your team is so small? Meanwhile you're recruiting data scientists to your existing team to fuck over your users' privacy even further? Come on!

This is just embarassing. Grow up. I suspect you're just upset that your role is suddenly at the risk of becoming a lot less relevant - you are worried that this attitude of government regulation of privacy aspects will actually spread so that it impacts you in a meaningfull way and you want to nip it in the bud.

Hounding another user like this counts as personal attack, and a virulent strain of it to boot. If you do this again we will ban you.

Please treat others respectfully on this site, regardless of how strongly you disagree with them or their employer.

https://news.ycombinator.com/newsguidelines.html

Your snarky attitude is the real embarrassment, and you misread into what my feelings are about GDPR.

Agreed that our company handled it poorly -- and that's on our leadership (which is a much much longer story) -- Note: my opinions are not the opinion of my employer.

But your real anger should be directed at your technologist/programmer peers who work at Facebook and Google who take six figure salaries and compromise moral dignity, not at media outlets, or small companies -- and from reading your comments on HN -- we can agree on that.

My product collects limited number of personal information and in theory it has always been compliant. Only thing I have doubt about is AdSense. I have disabled personalized ads, but I have no idea if that is compliant. Also working on data portability, so users can export their data. (Never got a request for that though) If revenue from ads will go down I will be considering closing the business. I don't feel comfortable going paid subscription route.
Just curious, what does your business do?
We are one of the largest large format printers in the US, but our online business does not intentionally market to the EU or accept payments in Euros, so while I did a risk assessment for management, we concluded that we could ignore it.
we don't even use personal data we just need aggregated usage metrics but google analytics was extremely convenient to collect those. under gdpr we will need to waste lot of time moving event collecting into some other in house solution like pwiki and make sure data gets aggregated and deleted properly.

not a load of work, but we have to pause some business development opportunity so that we have hands to put on this.

One-man shop that sells desktop software. I made a few changes to my privacy policy and called it good.
Not at all. I'm working in Germany. The GDPR is basically the same as the Datenschutzgesetzt, which is the German law.

The only difference is that we will have higher fine if we don't comply. And we have had an external Data Protection Officer for a long time already.

the biggest impact is all the navel-gazing time we have spent trying to decipher what _is_ personal data and what are our obligations to our customer's and to their user. The actual work has been the easy part. We will never get back all the lost hours spent on debate, clarification, re-clarification, non-answers, vague-answers, more debate.
The only recent change for me was that I entered into a DPA with the bookkeeper and the payroll company everything else was already done (and long ago, not last week).

It helps that collecting data on individuals was never a part of our strategy to begin with.

We've gone through a couple of audits from customers' GDPR-compliancy consultants.

As a result we have have been triggerered to perform some well-over-due security reviews, thinking about security processes and data compartmentalization, documenting some procedures etc. I think it's by far a net-good, even as relatively small company.

We just blocked European traffic. They're not profitable enough to be worth the headache.
Can you please tell me who you work for so I can avoid using you?

I don't actually want to be profitable for you if I'm not paying for the service.

Fortune 500 in the Oscars/Emmys winning business. We have European partners and distributors for our stuff that Europeans are supposed to be using anyway. "This content is not available in your region" will probably become a lot more common. We'd prefer you pay for our content too.
It's weird how that isn't enough then, isn't it? There is some secondary data moneiltizaton.
It doesn't affect me hugely. The biggest impact was that I had to spend time to define these processes and outline my privacy policy. I didn't need to go and redo all of my forms/consent flows because all the data I collect is reasonable and necessary.
I work for an international education startup and while it was obnoxious to get the technical groundwork and auditing done: it doesn't affect the business very much. This shouldn't be too surprising; the GDPR is really only problematic to businesses who's primary purpose was identity and interest brokering. Most folks with actual products to sell aren't in such a bad spot.

Certainly, some folks have opted into some heroics getting all our microservices and datastores audited. But it's good to do that periodically anyways, so we made the audit a multi-purpose affair.

I work for a business that designs, builds and supports learning management systems for corporate organisations. I also had the task of coordinating our GDPR readiness activities.

As we are a 'processor' for our clients, we reviewed and updated some of our existing infosec policies and procedures, and produced a very detailed set of 'GDPR' docs to satisfy customers asking for evidence of our compliance efforts, and to provide data mappings, impact and risk assessments etc. We already had most of this done internally anyway so we just needed to 'prettify' it and change the language/terms in our 'Electronic Information Security Policy' document to match the GDPR.

We also wrote up a DPIA document about our internal systems.

All of this work took time - perhaps about the equivalent of 2-3 weeks to plan, collate and draw the diagrams and workflows for things like our security incident response plan and how we would sub-process subject rights requests; like when a client receives a 'Right to erasure' request and asks for assistance.

Overall that work was not difficult and did not cause any headaches. What has been a pain has been responding to all the clients who send us various compliance 'questionnaires' (spreadsheets) expecting tailored responses - fortunately, in the main I was able to answer "see document ref xxxxxx, section nnn".

What I am seeing now is the late-arrivals throwing in (demanding) 'for compliance' every conceivable infosec feature they have read up about - one today insisted we must now implement in-memory encryption! Many of these recent demands are not mandated by the GDPR and so are being handled as contractual changes and new feature requests so the sales team are having discussions to explain our stance and see if the customer wants a quote to amend their service and contract!

Hey just one question: Remember the old days when many people still using NTTP? Your email and IP address will be carried in every post you've sent, and other people have to download the whole post (including your email and IP) so they can view it.

Does GDPR made all NNTP services illegal?

I'm asking it because I was developing an online forum application that will publicly display your posting IP and registered email address, and sync posts with other sites.

If GDPR made that illegal, that could be a bad news for me.

> I'm asking it because I was developing an online forum application that will publicly display your posting IP and registered email address, and sync posts with other sites.

Please don't do this.

Apart from my own rational self-interest, I'm saying this as a subscriber to various free-software mailing lists, which occasionally get requests from someone to remove archives of support emails they sent 10 years ago. It's pretty rude to publicize the problems someone had and their frustrated response from years in the past, and make it Googleable by their name.

(Also, if by any chance you want to publicly display this as a means of deterring bad behavior of any sort, spam, rudeness, etc., it's unlikely to work - the people intent on bad behavior have proxies and anonymous email accounts, and the non-technical folks who never even thought of bad behavior won't think to protect their identity this way, so it will only hurt the people you don't want to hurt.)

The thing is that due to the synchronization, users post could be synchronized to another site which they are not registered to.

Thus, a mechanism must be setup to allow users to manage their content on other sites. The mechanism that I currently planed was to use email verification (if (User's email === poster's email): They're the owner of the post), which requires all sync sites knows the email address (as an universal identifier) of the content owner.

To me, that means I need to share user's email with other sync parties which may not under my control. Because of that, I think it's sanctimonious to tell user that their email is under protection, I rather letting user be very aware about their email will be publicly displayed.

Another reason to publicly display users email is because I don't want to implement private message features (Which require to save private information), so if user's can know each other's email, they could just make content with their emails.

How does this handle people changing their emails? Can you do the same thing with a cryptographic signing key or something, instead? It seems like this could be implemented in a way where I prove control over the signing key (by signing a challenge, for instance), but I don't have to reveal anything about my identity besides "I have access to this key" if I don't want to.

(If you're worried about not just servers changing but clients changing, and needing to get the key over, there are protocols for efficiently and securely transferring information between client computers, using a very short password that doesn't need to be kept private after the transaction. magic-wormhole implements this sort of thing.)

This may or may not apply to your site, but, in general I don't want other users of a website to be able to PM/email me unless I specifically authorize them to. Requiring that my email is public does not provide me this control. You can do what HN (which doesn't implement PMs) does and let people have an optional public profile, where they can list a way they want to be contacted by other users if they want.

> How does this handle people changing their emails?

It can, as long as the email change request can be synced as well. It may have some security problem need to be resolved, but I think it can be worked out.

> Can you do the same thing with a cryptographic signing key or something, instead?

It's actually an better idea. If I can implement something like PGP (With maybe WebAuth), then user only needs to submit their public key. When authentication is needed, server will sends challenge (Message encrypted by user's public key), then user decrypts it with their private key, send the decrypted message back to server for verification.

However, I'm still figuring out the whole WebAuth thing, so no decision is made yet.

> This may or may not apply to your site, but, in general I don't want other users of a website to be able to PM/email me unless I specifically authorize them to.

I actually like to encouraging user to make contact by themselves with their emails, because service email is decentralized and controlled by users (At least they have better control of it than a website). Also, user may left a website but still using their email.

However, I know in real world, people don't like to be bothered, so make their email public could be a problem. I guess I need to rethink it a little.