Ask HN: Is GDPR the end of side projects?
I am reading GRPR.eu because I have a side project that is ready to launch. The site is daunting and the penalties are high. Even though there are some templates to put on the website, the general gist of it is that you need to have specifically appointed and trained Data Officers (you) that take care of them, you need to put 2FA everywhere.
Another example is "The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences".
As the fines are not tiered with the number of users or how big the company is, small side projects that could potentially (doesn't matter if the probability is small) face millions of euros of fines are not worth the risk any more of making experiments.
7 comments
[ 3.4 ms ] story [ 26.0 ms ] thread1. Clear opt-in for customers regarding Personal Data Manipulation that is not necessary for your service (e.g. advertising tailoring, sending the personal data of your customers to third-parties, etc.); don't collect data you don't need.
2. Notify when breached.
3. Don't collect data you can't protect. Negligence is just as badly punished as doing shady deals.
4. Export/Delete my data/account button.
That's it. You may also want to anonymize logs (hide IP addresses 123.45.xx.89 for example), hash the passwords (as should always be), use HTTPS, etc.
I can give you a few more pointers if you describe your project a bit more.
For most (side) projects, if not all, very little has changed.
What is happening is that people are in fact discovering the law because of the noise around the GDPR.