14 Comments

GDPR compliance- How necessary is it?

GDPR compliance is really cumbersome. I'm neither sure which things I'm doing are not compliant, nor am I aware of how to make them compliant. How do you pause Google Analytics until a user explicitly consents, for example?

GDPR is probably not something to worry about pre-launch. So for some context, I launched 5 months ago, I have 560 users, I'm at $4k MRR, but my profit is still very small, around $110/m. As the risk of a GDPR violation increases with the number of users but my profit remains low and my time limited, it's hard to weigh whether GDPR is worth prioritizing.

In this post https://www.indiehackers.com/forum/gdpr-and-fear-of-doing-something-wrong-14e7781953 an indie hacker said:

"You know... if, in the extremely (and I mean extremely) unlikely event a regulator contacts you to say there is a GDPR violation it will likely go through some process in which they give you instruction on what is wrong and time to fix it.

So... worry about it then?

You won't just randomly get slapped with a 20 million Euro fine."

That post was from 3 years ago. Is this still the case? Can I slowly implement GDPR until a regulator contacts me?

on December 10, 2021
  1. 5

    GDPR is a mess. I'm not sure they even know the rules.

  2. 2

    Let's make a distinction between GDPR & the traditional cookie laws (that actually already existed for over 10 years and didn't really change much).

    Ideally, you're 100% compliant with everything, but realistically speaking I would worry more about personally identifiable information than cookies collecting anonymous information.

    Rule number 1: make sure not to store any personal data anywhere of people that didn't explicitly give consent. This includes Google Docs, a spreadsheet on your computer, a database or anywhere else in the cloud.

    Rule number 2: if you DO store that kind of data without explicit consent (willingly or unwillingly), don't make public use of it. Don't send unsolicited cold-emailing campaigns or anything similar. This will expose you and makes it clear you are willingly abusing the data for your own good.

    Rule number 3: if you DO store that kind of data without explicit consent, never ever share it with external platforms or companies. Big no-no.

    And like a few others already mentioned: more & more people in the EU are becoming increasingly aware of their rights. I'm personally calling out all companies that I notice are storing data of mine without my consent, and won't hesitate to file an official complaint when they don't follow up on my request to remove the data.

    1. 1

      I'm very confused reading about GDPR and how it applies to what I'm doing. I want to collect a user's interactions with the content in my app. I don't need to tie any PID like email/name/address/IP to that, except that the data is associated with a randomly generated ID that's stored on the client. Would I need explicit consent for this?

  3. 2

    The criticality of GDPR for your business depends on your business home country and your customers.

    If you don't have any EU customers, easy, then you probably are safe to not care.

    If you are based in the EU and have primarily EU customers, and collect lots of PII, then you better make GDPR compliance a priority.

    I am German, my company is German, most of my customers are privacy loving Germans and on top I offer a security product. GDPR compliance was one of my top priorities while building the MVP (after getting it running for the first time).

    My customer base simply expects that I am GDPR compliant, with all the right paperwork to show if necessary, and not having this past the MVP stage is a risk. Not because of regulators nagging you, but because of customers expecting this as a basic requirement over here.

    (Note that I offer a B2B product; B2C is different in mindset and regulation.)

    1. 1

      Hey Jan,
      I will face a similar problem soon, figuring out how to make a SaaS tool GDPR-proof. Do you have some resources, or did you use a specific tool to prove this for your software?

      1. 1

        No specific resource like that exists, that I know of. (Maybe this is a niche to develop?)
        I read a lot on the net and signed up with one of the leading data protection officer / GDPR service companies / lawyers in DE (heydata), and use them to clarify any questions that pop up.

  4. 2

    To pause GA, check for the existence of a consent cookie. If the consent cookie exists, then run the GA script; if not, then don't.

    I'd recommend a GDPR compliant alternative like plausible, though.
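One way to implement the consent-cookie gate described in this comment, as an added example that is not part of the thread and not any project's own code. It assumes the consent banner sets a cookie named `analytics_consent` with the value `granted`; that name, the value, the `Max-Age` and the `G-XXXXXXX` measurement ID are placeholders chosen for the example.

```javascript
// Added example: load Google Analytics only when an explicit consent cookie exists.
// Assumption: the consent banner writes a cookie "analytics_consent=granted" (opt-in).
const CONSENT_COOKIE = "analytics_consent";

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw; // keep the raw value if it is not valid percent-encoding
    }
  }
  return out;
}

// Opt-in semantics: anything other than an explicit "granted" means "do not load".
function hasAnalyticsConsent(cookieString) {
  return parseCookies(cookieString)[CONSENT_COOKIE] === "granted";
}

// Run the loader only when consent is present. Returns true if the loader ran.
function gateAnalytics(cookieString, loader) {
  if (!hasAnalyticsConsent(cookieString)) return false;
  loader();
  return true;
}

// Browser-side loader: inject the gtag script tag only after consent (standard gtag bootstrap).
function loadGoogleAnalytics(measurementId) {
  const s = document.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  document.head.appendChild(s);
  window.dataLayer = window.dataLayer || [];
  function gtag() { window.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", measurementId);
}

// Wire up to the banner's "accept" button: record consent (180 days), then load GA.
function grantConsent(measurementId) {
  document.cookie = CONSENT_COOKIE + "=granted; Max-Age=15552000; Path=/; SameSite=Lax; Secure";
  loadGoogleAnalytics(measurementId);
}

if (typeof document !== "undefined") {
  // On every page load: GA runs only if consent was already given on an earlier visit.
  gateAnalytics(document.cookie, () => loadGoogleAnalytics("G-XXXXXXX")); // placeholder ID
}
```

Until `grantConsent` has been called, no request to googletagmanager.com is made at all, which is the behaviour a consent banner needs; a "reject" button simply never sets the cookie.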

    1. 3

      I second the recommendation for plausible. They're great...and I've replaced GA on all of my sites. If you're extra paranoid you can even self host.

      I think people overreact with regards to GDPR... if you're not sharing PII data with 3rd parties, have sensible security practices and a way to delete a customer's account (this one is important)... you don't need to lose sleep over it. Wouldn't you be paying attention to these things regardless?

      1. 1

        Yeah, add to that all the problems with respect to maintaining multiple test environments of your app, database backups and storage backups, and you will lose sleep over it. Then add unnecessary costs like having a server in the EU, storage buckets in the EU and things like that. It is much easier to ignore EU customers and not sell in the EU in the early days. This is not to hurt any EU privacy sentiment but just practicality. I want to be GDPR compliant but I just don't have enough resources to understand it. In case I am missing something, would be happy to know.

    2. 1

      I switched to Fathom Analytics and it has been a breeze to use.

  5. 1

    Non-compliance with the GDPR can cost a company as much as 4% of its annual turnover and reputational damage.

    Partnering with Merchant of Records is the easiest way to forget about tax & compliance nightmare. Simply let PayPro Global manage your subscriptions, taxes, compliance, reports, global payments and 24/7 customer billing support.

  6. 1

    If you're using best practices to store users data (with their consent); have a privacy policy in place and are using compliant third-party services I wouldn't lose any sleep over it.

  7. 1

    The bigger you get, the more likely it becomes that you will get people trying to hack you, or start complaining to authorities about a lack of GDPR compliance.

    A 'free' thing you can do is ensure your terms and conditions say how your customers' data:

    • is being used
    • is being processed by 3rd parties
    • can be deleted
    • can be requested (only have to provide information your customers have provided, not information you use in your backend)

    I have previously used cookiefirst to ensure we don't load tracking cookies until they've been agreed to.

  8. 1

    They don't know their own rules. BUT, most of the time a regulator might contact you and tell you to make some changes unless someone was damaged due to your negligence. Then you'll be in trouble.

    So I'd suggest you at least pay a little attention, to avoid at least the issues that might cause harm to someone.
