
No, one cannot just comply with the "general rules" of GDPR, you have to comply with every last letter of the considerable legal legislation. The fact that the rules can be generalised to a reasonable few paragraphs is meaningless.



That’s just not true. I’ve consulted with a few privacy legal agencies and spent a lot of time evaluating the law. Some sections are even worded in a way to allow wiggle room for prosecutors, or require good will on your part. What would even be supposed to happen if you weren’t "compliant"? In the end it’s always about specific kinds of misconduct, and that means fines. The amount of a fine depends on the severity of the misconduct. The GDPR isn’t different at all from other laws in that regard.

If you’re found to be in breach of the GDPR, the severity of the breach as well as the amount of negligence or malevolence on your part is taken into consideration to decide on the fine. The prosecuting attorney also doesn’t have to actually fine you if it’s clear you put in effort and acted in good will.

For a concrete example, a startup usually isn’t required to provide a fully fledged data deletion policy, but if you cannot roughly outline how you intend to handle people’s requests to delete their data, that doesn’t look good. If you don’t even have some sort of privacy policy on your website, that looks worse.

Nobody can implement the GDPR 100%. But you can try to handle data responsibly, and if someone discovers you don’t and you try your best to fix the error (which is on your part, mind you), nothing draconian is going to happen.

And we’re still talking about basic respect towards your users or customers here, it’s not like someone asks something ridiculous of you.


> you have to comply with every last letter

Cite, please.

Perhaps regulators in different countries take different attitudes; in the UK, it's very soft-touch. Only the most egregious, repeated flouting of the regs attracts a penalty.

As far as I can see, the Irish regulator is even softer; you could be mistaken for thinking that the Irish regulator's job is to make sure that US tech companies don't move their server sheds away from Ireland.



