Ask HN: How can I comply with GDPR as a solo founder?
I am based in the USA, and am hard at work on building services for my company. My goal is to launch and have customers by the end of the year.
While I 100% support GDPR, I do not know anyone within the EU who could act as a Data Protection Officer or EU representative for privacy concerns. I am funding myself at this point, and don't really want to shell out hundreds of dollars to some law firm just because they have an address within the EU. Outside the EU, I plan to handle support concerns on my own (for the time being).
What are my options here? My initial thought is that I will just have to prevent those living in the EU from using my service, which is unfortunate.
23 comments
[ 77.4 ms ] story [ 1113 ms ] threadI'm also not sure that your DPO needs to be European or based in Europe
You should read through the following sections of the GDPR carefully, especially Article 37 to determine if it seems to apply to you (the requirements are vague, but you should at least be able to get a general idea of whether it seems to apply to you or not):
Article 37 - Designation of the data protection officer - https://gdpr-info.eu/art-37-gdpr/
Article 38 - Position of the data protection officer - https://gdpr-info.eu/art-38-gdpr/
Article 39 - Tasks of the data protection officer - https://gdpr-info.eu/art-39-gdpr/
Recital 97 - Data Protection Officer - https://gdpr-info.eu/recitals/no-97/
Check out the rest of the website, it is pretty helpful.
Don't worry too much, GDPR is both common sense and designed do go after the big companies. Some rules are intentionally vague in order to be hard to circumvent using armies of lawyers and/or technical 'innovations' in exploiting personal data.
Because lawyers have never been able to turn vague rules and regulations to their advantage.
> shell out hundreds of dollars to some law firm
hundreds? LOL! $10,000 to get a DIY kit.
From one of your replies:
> I want to be able to tell customers that my service is GDPR-compliant.
This isn't possible with a one-man company. Rather, it's possible to tell them you are (there is no certification body) but it's not possible to be compliant if you don't already have expertise.
> DPO
I don't know why others are mentioning a DPO. You won't need a DPO.
The easiest route to compliance is to not collect Personal Data.
After reviewing those parts of GDPR a bit more, I agree. I was thinking of the EU rep for businesses outside the USA.
> The easiest route to compliance is to not collect Personal Data.
The product I am working on has a social aspect. That said, nothing - particularly the data the GDPR defines as sensitive - would be collected without explicit consent from the users. Actually, nothing is really collected without their opt-in.
> As a solo founder, don't worry about it.
Thanks for chiming in! It is good to hear from someone in a similar situation.
opt-in is the least thorny aspect of GDPR.
but honestly, you don't have to worry about it.
There are 6 bases for collecting Personal Data. You should review them and see if something besides explicit consent (opt-in) is more suited. Opt-in is a trigger for other things. Avoid it if you can.
There is a lot in GDPR, but here's a list of possibilities that will honor the spirit of the law and be huge steps forward:
- Privacy policy: Write a human-readable privacy policy and publish it. It should declare what you collected, for what purposes, how long it's retained and how to contact the privacy office for data subject requests.
- Conduct an internal Privacy Impact Assessment: an inventory of personal data collected, for what purpose, what is it's risk/danger level, what lawful reason is it collected/processed, where is it stored and what is the retention policy.
- Lawful processing: For each of the types of data collected, determine the lawful umbrella for collecting and processing it; GDPR defines a bunch but most people use only "legitimate interest" or "explicit consent". If you need to use consent, find a vendor to help you manage it.
- Honor data subject requests for access/portability/erasure. Doesn't have to be fancy, can even be just a mail to privacy@yourdomain. Don't forget to authenticate/vet the requestor to avoid leaking data.
- Vendors/3rd party companies you use: Inventory them and record what data is going to them. Will likely have in contracts their obligations under GDPR, and will define their role ('processor' or 'controller').
It means that the majority of startups and small companies don't need it, until becoming a firm that can afford the costs of GDPR consultants
There are a lot of websites that generate GDPR templates free of charge for startups and small companies and those templates are enough
”Who must comply with the GDPR?
Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies.”
For those with more than 250 employees, more detailed records need to be kept. These include the name and details of your organisation, the name of your assigned data protection officer, the reasons for processing the data, a description of the categories of data being processed, details on the recipients of the data, how long it will be retained, details on transfers outside of the EU, and an overview of the security measures your organisation has put in place." - [1]
[1] https://www.itpro.co.uk/data-protection/29123/gdpr-for-small...
Edit: Following up, I say on a technical level, because much of this you can do yourself via having some scripts and report generation in place.