Ask HN: Should a startup block EU countries at first?

2 points by dqh ↗ HN
I previously lived in the EU and was instrumental in bringing a 100ish employee B2B SaaS company into GDPR compliance. We weren’t in the business of disrespecting personal information, but compliance nonetheless took and continues to take a lot of time and money.

I am now outside the EU and looking to create a new B2B SaaS. It doesn’t really seem viable for a single founder to create a GDPR compliant operation.

Does it make sense to simply block all EU countries until a business has grown big enough that the benefit of access to the EU market outweighs the costs and risk?

8 comments

[ 3.1 ms ] story [ 35.3 ms ] thread
If you found your company in the us, some legal people say that you can't be GDPR compliant, unless a lot of laws are changed.
Good to know, and I would not be surprised if that were the case.
If you're based in the US with no presence in the EU the pragmatic approach may be to be sensible from the start about personal data handling but to ignore the GDPR, and not to bother blocking anyone.
Based in Australia. Straightforward B2B SaaS offering - nothing to do with exploiting personal information. But having been through it, not doing anything wrong and compliance are two very different things.

What worries me is that it’s still early days for enforcement, but they’ve already handed out something like US$1.6B in fines. I assume they will only get more aggressive with this over time.

How many of those fines were handed to companies with no presence in the EU and not targeting EU customers?

You cannot be expected to comply with the laws of every country in the world.

Do comply with Australian laws and relevant laws and regulations of countries to specifically target and ignore the rest.

If you see traction in the EU then you can start paying attention to the GDPR.

Well, I expect this sort of activity to escalate over time.

Unfortunately our government advice appears to be that we should comply if we "offer goods and services in the EU", or "monitor the behaviour of individuals in the EU.": https://www.oaic.gov.au/privacy/guidance-and-advice/australi...

I have no idea what would actually happen if they decided to fine an Australian entity.

Maybe focus on the customer & product market fit first, if you feel that means blocking EU countries because of the risk that could be a decision you make. You could also ignore the risk.
I'd avoid any explicit targeting of the EU and call it a day. You can always block the EU later if GDPR trolls become a problem. B2B should be low risk. It appears to me GDPR "compliance" is a guessing game and hardly guarantees immunity. Not sure investing too much in it is a good bet even in the EU unless you have reasons to believe you'll be targeted. In fact, being a big American corporation seems to be the biggest risk factor. It's always been designed as a ransom scheme against US tech, "domestic" enforcement seems to be more of a negative externality. Doubt a small player from Australia is even on the radar.

Just look at how ridiculous the statistics are: https://www.enforcementtracker.com/?insights