Ask HN: So your startup received the GDPR Nightmare Letter, now what?

7 points by Androider ↗ HN
We're a two-person startup and we've already received "the nightmare letter" (literally copied and pasted) from a few users: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/

It's one thing to send this type of nastygram to Google or Facebook, but sending this to someone you know is a tiny outfit is like a Denial of Service attack. We spent significant time making the systems and policies GDPR compliant, we store minimal PII (first/last/email and Google Analytics), but how do you even start to respond to this thing...

5 comments

[ 3.2 ms ] story [ 26.2 ms ] thread
Which of the points do you have concrete trouble with?

Since you say you've spent effort to be GDPR compliant, most of the questions should be easy to answer (and can become boilerplate text snippets for all other letters).

I'd recommend starting on top, answering all the low-hanging fruit while skipping more difficult or expansive questions on the first run-through. And then take a look how much is left and see whether those are rightful demands and who can answer them.

Or you could just point them to your privacy policy and then just ignore them if you’re not in the EU. They’re clearly just trolling to damage you.

The irony here is that the OP is one of the ones who put in the hard work to comply with the GDPR, and yet they’re one of the first being attacked. And is worrying about what to do. Meanwhile the truly bad actors have ignored the GDPR and would ignore this letter, and that’s the end of it. Perhaps OP thought that bowing to this law would appease the trolls, but nope. Like many poorly thought-out and hard to enforce laws, this will harm the law-abiding while the people it was aimed at skate free. What a shock.

First of all, where are you located? Can this be enforced at all? What would happen if you just ignored?

Second, don’t you have a month to respond?

Third, aren’t you allowed to charge a reasonable fee? I suspect 99% of these requests go away if you charge $50, which seems reasonable if it takes someone more than 15 mins to respond.

Fourth, how do you validate the identity of the requester? Email addresses can be spoofed, so that’s not sufficient. Can you make them jump through another hoop to prove who they are?

I think my approach (if I wasn’t going to just ignore) would be to to spend the next month to prepare a form letter to match theirs that’s as vague and non-specific as the law allows, and then just be able to plug in a few pieces of info for that specific user, if needed. And then I’d charge them a fee AND make them verify their identity somehow. I think 99.99% of them would go away. And yes, they’ll file complaints. Which puts me right back at: if I wasn’t in the EU, I’d just ignore this and point them to my privacy policy.

Third, aren’t you allowed to charge a reasonable fee? I suspect 99% of these requests go away if you charge $50, which seems reasonable if it takes someone more than 15 mins to respond.

Unfortunately, even this won't work. Article 15(3) [1] states:

"The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. "

In other words, you have to provide the first copy for free and may only charge for subsequently requested copies.

[1] http://www.privacy-regulation.eu/en/article-15-right-of-acce...

Sadly, you won’t find much help on HN with this problem, and you can see by the lack of upvotes how much people want to hear about any problems that it causes. The overarching sentiment here is that GDPR is amazingly awesome and that no abuses of it are going to happen. Don’t have 100 hours to reply to each nightmare letter? You must be doing something bad with their data. This isn’t the first abuse, and it won’t be the last.

Unfortunately, even if you’re not in the EU, you have optionally chosen to subject yourself to the GDPR under Recital 23 by “mentioning” EU users. You must spend the time to respond. The good news is that you can write it once and send roughly the same response to each abuser. If you don’t respond to their full satisfaction, you’re looking at immense fines.

Welcome to the GDPR.