Ask HN: Is GDPR the end of side projects?

3 points by arisAlexis ↗ HN
I am reading GRPR.eu because I have a side project that is ready to launch. The site is daunting and the penalties are high. Even though there are some templates to put on the website, the general gist of it is that you need to have specifically appointed and trained Data Officers (you) that take care of them, you need to put 2FA everywhere.

Another example is "The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences".

As the fines are not tiered with the number of users or how big the company is, small side projects that could potentially (doesn't matter if the probability is small) face millions of euros of fines are not worth the risk any more of making experiments.

7 comments

[ 3.4 ms ] story [ 26.0 ms ] thread
Just geoblock the EU if you’re worried
I live in it
So? No one is going to give a monkey’s about your tiny side project and if they do you can get around to doing GPDR mitigation after you’ve been profitable enough to quit your job for a year. Then you can unblock the EU. There are not infinite enforcement resources and the chances of anyone coming after a tiny company are minuscule. If you geoblock the EU they’re nonexistent.
GDPR is not about preventing innovation, it's about basic ethics: you don't do whatever you want with personal data.

1. Clear opt-in for customers regarding Personal Data Manipulation that is not necessary for your service (e.g. advertising tailoring, sending the personal data of your customers to third-parties, etc.); don't collect data you don't need.

2. Notify when breached.

3. Don't collect data you can't protect. Negligence is just as badly punished as doing shady deals.

4. Export/Delete my data/account button.

That's it. You may also want to anonymize logs (hide IP addresses 123.45.xx.89 for example), hash the passwords (as should always be), use HTTPS, etc.

I can give you a few more pointers if you describe your project a bit more.

As I commented previously, most of the GDPR has already been law in the EU for years.

For most (side) projects, if not all, very little has changed.

What is happening is that people are in fact discovering the law because of the noise around the GDPR.

I think small side projects that will need to store personal information about users will be ended.