top | item 16509591

boggio | 8 years ago

God damn it EU, all these regulations make it impossible for small companies, indie developers to cope with all the bureaucracy.

The VAT for digital products, now the GDPR.

10 more years of regulation and you will spend 90% of the time working on implementing legal requirements and 10% on the actual product.

lucideer | 8 years ago

GDPR—while vastly different to what has become the de facto standard practice in most companies—is largely simple, basic, common decency and common sense. My very tiny startup won't have any problems complying because we've actually given a smidgen of consideration to our users' privacy up until now.

In fact, I foresee it being a much greater tax on large corporations: the work in GDPR is not compliance—that's relatively easy once you have procedures in place—the real work is converting existing non-compliant systems to bring them into compliance. This is going to be much easier for those maintaining relatively small, simpler systems, and easiest of all for brand new startups.

davnicwil | 8 years ago

From what I have seen and understood about the regulations and the spirit of them this is basically right.

If your system was intentionally designed with both privacy and the ability for users to own their data (i.e. edit & hard delete whatever, whenever for any reason) in mind, then GDPR should be essentially complied with already 'out of the box'.

If this was not the case, either for cynical reasons, simple disregard for the importance of these things, or a decision to not prioritise these things in favour of shipping more features faster, and you just essentially slapped a checkbox with some legal copy over your signup process and thought you were done with all that pesky user data privacy stuff, well, you're in for a pretty bad time now.

Maybe my reading of the regulations is naive and it won't be so easy in the first case and will be easy to subvert anyway in the second case. But if not, to be perfectly honest it seems just like what good regulation should do - incentivise good behaviour - allowing businesses that behave well by nature to thrive without too much extra hassle introduced, and suppressing both the bad behaviour itself and the general productivity of the business behind it where that's not the case.

crazygringo | 8 years ago

I'd hardly say that. "Forget me" can take a lot of design work (can introduce a ton of edge cases). "Export data" requires building an entire information processing pipeline.

Larger corporations have the resources to dedicate to this. But for a small startup deciding between spending 4 dev-months on "forget me" and "export data" versus on enabling the top 3 new primary use cases users are asking for, I understand how this could feel really difficult.

I really wonder if it wouldn't be better to make some of the requirements only for companies above a certain revenue threshold or the types of data collected. (E.g. export data is critical for health or finance-related sites, probably less so for a meme generator startup.)

rectang | 8 years ago

It wasn't the company's data to begin with. Modern businesses have caused harm to countless individuals by treating data cavalierly.

The GDPR puts things right. It brings the externality into the market, and now the market can correct.

Businesses that rely upon slinging private information around irresponsibly need to adapt. If they can't, their failure in the marketplace is just.

dagmx | 8 years ago

I'm not sure I've read anything in there that is hard to implement, other than retroactively.

I'm sure as time passes there will be frameworks and best practices developed for conforming to these regulations, but I honestly don't see anything egregious or complex to develop in there.

mycall | 8 years ago

So what's the alternative? Completely lose all of your privacy? It is only developers who can fix this massive PII leaking.

nawitus | 8 years ago

There's plenty of alternatives. The main problem with GDPR is not the goal of advocating privacy but the details. I would have done it like this:

a) bring out regulation gradually instead of in a single big change like GDPR, to give companies time to comply

b) don't write vague laws

c) give specific examples of what GDPR means in practice

d) be more lenient on smaller companies