Ask HN: How can I comply with GDPR as a solo founder?

55 points by sjroot ↗ HN
I am based in the USA, and am hard at work on building services for my company. My goal is to launch and have customers by the end of the year.

While I 100% support GDPR, I do not know anyone within the EU who could act as a Data Protection Officer or EU representative for privacy concerns. I am funding myself at this point, and don't really want to shell out hundreds of dollars to some law firm just because they have an address within the EU. Outside the EU, I plan to handle support concerns on my own (for the time being).

What are my options here? My initial thought is that I will just have to prevent those living in the EU from using my service, which is unfortunate.

23 comments

[ 77.4 ms ] story [ 1113 ms ] thread
Think about what you’re doing that has GDPR implications. If you’re not doing anything creepy then the GDPR is as easy as providing/deleting subjects’ own data upon their request.
"but your honor, this doesn't fit the legal definition of 'creepy'!"
The Data Protection Officer doesn't need to be located in the EU. You may also not even need to appoint one, depending on what exactly your company does.

You should read through the following sections of the GDPR carefully, especially Article 37 to determine if it seems to apply to you (the requirements are vague, but you should at least be able to get a general idea of whether it seems to apply to you or not):

Article 37 - Designation of the data protection officer - https://gdpr-info.eu/art-37-gdpr/

Article 38 - Position of the data protection officer - https://gdpr-info.eu/art-38-gdpr/

Article 39 - Tasks of the data protection officer - https://gdpr-info.eu/art-39-gdpr/

Recital 97 - Data Protection Officer - https://gdpr-info.eu/recitals/no-97/

Thank you for those links! I was more concerned with Article 27 but that website also helped mediate my concerns with that. Much appreciated.
You most likely don't need a DPO: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Check out the rest of the website, it is pretty helpful.

Don't worry too much, GDPR is both common sense and designed do go after the big companies. Some rules are intentionally vague in order to be hard to circumvent using armies of lawyers and/or technical 'innovations' in exploiting personal data.

Very helpful website. Thank you for sharing!
> Some rules are intentionally vague in order to be hard to circumvent using armies of lawyers

Because lawyers have never been able to turn vague rules and regulations to their advantage.

One option is to just do nothing about it.
I want to be able to tell customers that my service is GDPR-compliant. (Plus I'd rather not pay fines!)
This makes me wonder if we should also be proactive with following Korean, Singaporean, and may even Chinese laws?
As a solo founder, don't worry about it.

> shell out hundreds of dollars to some law firm

hundreds? LOL! $10,000 to get a DIY kit.

From one of your replies:

> I want to be able to tell customers that my service is GDPR-compliant.

This isn't possible with a one-man company. Rather, it's possible to tell them you are (there is no certification body) but it's not possible to be compliant if you don't already have expertise.

> DPO

I don't know why others are mentioning a DPO. You won't need a DPO.

The easiest route to compliance is to not collect Personal Data.

> I don't know why others are mentioning a DPO. You won't need a DPO.

After reviewing those parts of GDPR a bit more, I agree. I was thinking of the EU rep for businesses outside the USA.

> The easiest route to compliance is to not collect Personal Data.

The product I am working on has a social aspect. That said, nothing - particularly the data the GDPR defines as sensitive - would be collected without explicit consent from the users. Actually, nothing is really collected without their opt-in.

> As a solo founder, don't worry about it.

Thanks for chiming in! It is good to hear from someone in a similar situation.

> nothing is really collected without their opt-in.

opt-in is the least thorny aspect of GDPR.

but honestly, you don't have to worry about it.

There are 6 bases for collecting Personal Data. You should review them and see if something besides explicit consent (opt-in) is more suited. Opt-in is a trigger for other things. Avoid it if you can.

given that an email address is personal data, it's most likely virtually impossible to not have any gdpr-implicated data and, say, contact your prospects and customers.
It's a great question and one of the common complaints to the wave of privacy regulations. I believe that it's not a ton of work, but may be a bit of legalese to wade through and should be basic due diligence for collecting personal information.

There is a lot in GDPR, but here's a list of possibilities that will honor the spirit of the law and be huge steps forward:

- Privacy policy: Write a human-readable privacy policy and publish it. It should declare what you collected, for what purposes, how long it's retained and how to contact the privacy office for data subject requests.

- Conduct an internal Privacy Impact Assessment: an inventory of personal data collected, for what purpose, what is it's risk/danger level, what lawful reason is it collected/processed, where is it stored and what is the retention policy.

- Lawful processing: For each of the types of data collected, determine the lawful umbrella for collecting and processing it; GDPR defines a bunch but most people use only "legitimate interest" or "explicit consent". If you need to use consent, find a vendor to help you manage it.

- Honor data subject requests for access/portability/erasure. Doesn't have to be fancy, can even be just a mail to privacy@yourdomain. Don't forget to authenticate/vet the requestor to avoid leaking data.

- Vendors/3rd party companies you use: Inventory them and record what data is going to them. Will likely have in contracts their obligations under GDPR, and will define their role ('processor' or 'controller').

This is a good start. I wouldn't worry too much about GDPR compliance starting out. Follow this advice and when customers start asking questions about your compliance, you can invest in a more robust ISMS.
As I know GDPR is for startups and companies with more than 50 or 200? employees.

It means that the majority of startups and small companies don't need it, until becoming a firm that can afford the costs of GDPR consultants

There are a lot of websites that generate GDPR templates free of charge for startups and small companies and those templates are enough

That’s incorrect. The GDPR applies to every company (it has to, as otherwise, shady companies would create small sister companies for doing the work they aren’t allowed to do because they’re too big). https://gdpr.eu/faq/:

”Who must comply with the GDPR?

Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.”

"Those companies with fewer than 250 employees are required to hold internal records of processing activities if the processing of data could risk an individual's rights or freedoms, or if it pertains to criminal activity.

For those with more than 250 employees, more detailed records need to be kept. These include the name and details of your organisation, the name of your assigned data protection officer, the reasons for processing the data, a description of the categories of data being processed, details on the recipients of the data, how long it will be retained, details on transfers outside of the EU, and an overview of the security measures your organisation has put in place." - [1]

[1] https://www.itpro.co.uk/data-protection/29123/gdpr-for-small...

On a technical level: have a process for gathering and sending responses to requests from EU users for their data. Have a process for being able to hard delete that data, and a user's account. Dont store anything you dont need, not even in logs (IP addresses), and dont send that data to third party providers. Don't use third party monitoring, and analytics services that aren't GDPR compliant. Keep a constantly up to date document of cookies your site uses, and whether they're essential or non-essential for your product/service to operate. Lastly, learn exactly what is considered PII and not. This is a non-exhaustive list of things you should start with, and then go with common sense, and legal counsel as you can begin to afford it.

Edit: Following up, I say on a technical level, because much of this you can do yourself via having some scripts and report generation in place.

Thanks for this post, need to learn about it too