GDPR will undoubtedly have an effect on most businesses. I'm curious what the impact has been. Is it mostly financial? Have you had to make changes to the services you integrate with or create new technology to service users looking to view or manage their data?
I work for a major news media company and our GDPR compliance has been extremely difficult with our relatively small dev staff that manages many news outlets so we've opted to block access from all of Europe. It's gotten a lot of press, but it's an unfortunate reality. Most of our adtech and analytics vendors we use have put the burden on smaller companies like us -- ripe for disaster.
I work for one of the biggest (non-tech) companies in the world, and in many countries we've been storing user data in spreadsheets all over the place and often without consent. So it's been pretty frantic.
Right now, it's not. Management has decided that we're going to keep operating the way we have been as if the GDPR didn't exist, and hope nobody notices. Which isn't a surprise; this company is very reactive. Proactive planning doesn't happen.
I run a small consulting business.

It's been quite some effort but for my business so far it's been a net positive because it made me rethink, clarify and streamline my processes.
Very little if any change. We were not doing anything creepy with users' data and complied with the Data Protection Act of 1998. We updated our privacy policy with new wording.
I work for an international education startup and while it was obnoxious to get the technical groundwork and auditing done: it doesn't affect the business very much. This shouldn't be too surprising; the GDPR is really only problematic to businesses whose primary purpose was identity and interest brokering. Most folks with actual products to sell aren't in such a bad spot.

Certainly, some folks have opted into some heroics getting all our microservices and datastores audited. But it's good to do that periodically anyways, so we made the audit a multi-purpose affair.
Not a great deal. Sure, more paperwork in terms of obtaining DPAs (Data Processing Agreements) with some of the vendors we work with, as well as preparing our own DPA for our customers, but overall not a huge impact as we already value privacy highly in our SaaS app.

On the development side, we've had to accelerate some 'nice to have features' that we had planned for later, to this month. Things like scheduled deleting of old customer data, migrating to a more robust SQL system that supported 'encryption at rest' etc. Things that would have had to be done anyway.
I work for a business that designs, builds and supports learning management systems for corporate organisations. I also had the task of coordinating our GDPR readiness activities.

As we are a 'processor' for our clients, we reviewed and updated some of our existing infosec policies and procedures, and produced a very detailed set of 'GDPR' docs to satisfy customers asking for evidence of our compliance efforts, and to provide data mappings, impact and risk assessments etc. We already had most of this done internally anyway so we just needed to 'prettify' it and change the language/terms in our 'Electronic Information Security Policy' document to match the GDPR.

We also wrote up a DPIA document about our internal systems.

All of this work took time - perhaps about the equivalent of 2-3 weeks to plan, collate and draw the diagrams and workflows for things like our security incident response plan and how we would sub-process subject rights requests; like when a client receives a 'Right to erasure' request and asks for assistance.

Overall that work was not difficult and did not cause any headaches. What has been a pain has been responding to all the clients who send us various compliance 'questionnaires' (spreadsheets) expecting tailored responses - fortunately, in the main I was able to answer "see document ref xxxxxx, section nnn".

What I am seeing now is the late-arrivals throwing in (demanding) 'for compliance' every conceivable infosec feature they have read up about - one today insisted we must now implement in-memory encryption! Many of these recent demands are not mandated by the GDPR and so are being handled as contractual changes and new feature requests, so the sales team are having discussions to explain our stance and see if the customer wants a quote to amend their service and contract!
Not a great deal. I think management got together with the lawyers to do a cursory review but we've already been under similar legislation for at least one of our European markets so code-wise we haven't actually changed anything.
We are one of the largest large format printers in the US, but our online business does not intentionally market to the EU or accept payments in Euros, so while I did a risk assessment for management, we concluded that we could ignore it.
My product collects a limited amount of personal information and in theory it has always been compliant. The only thing I have doubts about is AdSense. I have disabled personalized ads, but I have no idea if that is compliant.
Also working on data portability, so users can export their data.
(Never got a request for that though)
If revenue from ads will go down I will be considering closing the business.
I don't feel comfortable going paid subscription route.
We don't even use personal data; we just need aggregated usage metrics, but Google Analytics was extremely convenient to collect those. Under GDPR we will need to waste a lot of time moving event collection into some other in-house solution like Piwik and make sure data gets aggregated and deleted properly.

Not a load of work, but we have to pause some business development opportunity so that we have hands to put on this.
Working for an e-commerce company in Europe.

We didn't have much trouble. Someone was assigned last year from our security team to teach and consult other teams within the company to keep their products compliant.

Even before going for GDPR everything about user data was very strict, so I don't remember if we (at least my team) did anything new.

We always had data anonymization pretty much everywhere, no production access even for our deployment team, no third party company is allowed to store information or even cookies from our users, a clear and short page for our users to tell them which companies have access to some of their data (e.g. delivery company). We have always been obligated to report a data breach to the government and users if it happens.

It is a very long list, and goes down to stuff like even an HR recruiter not being allowed to keep applicant information after X amount of time.

All of that also means sometimes we are unable to do something fancy with user data to improve our products, or use some third party services because the third party company doesn't look reliable or they want to access user data.
We were already subject to much stricter rules, so we honestly didn't have to do anything. We have started selling GDPR consulting, so it's only positive.

Both my colleagues and I have much stricter personal guidelines on data protection than required by our employer, our chief security officer and the GDPR, so it's not really an issue.
We've had a fair bit of work around cyber-security - being a bit sharper on checking project dependencies, encrypting all data (including things like access logs), restricting firewalls even further, better audit trails, and also things like automatic password rotation.

I'd say this is all good stuff, and in most cases we were already doing it, but it is difficult to retrofit in one go.

Going forward it will be a lot easier though as new projects will simply be designed better from a security perspective.
Hey, just one question: Remember the old days when many people were still using NNTP? Your email and IP address would be carried in every post you sent, and other people had to download the whole post (including your email and IP) so they could view it.

Does GDPR make all NNTP services illegal?

I'm asking because I was developing an online forum application that will publicly display your posting IP and registered email address, and sync posts with other sites.

If GDPR made that illegal, that could be bad news for me.
My favourite is: https://www.reddit.com/r/ireland/comments/8m078i/gdpr_well_played_cartellie_well_played/

They're actually not hurt by doing this: their business model is selling you a PDF report in exchange for money. The transaction handling is literally the only reason to touch any personal data.
It doesn't affect me hugely. The biggest impact was that I had to spend time to define these processes and outline my privacy policy. I didn't need to go and redo all of my forms/consent flows because all the data I collect is reasonable and necessary.
Not at all. I'm working in Germany. The GDPR is basically the same as the Datenschutzgesetz, which is the German law.

The only difference is that we will have higher fines if we don't comply. And we have had an external Data Protection Officer for a long time already.
The biggest impact is all the navel-gazing time we have spent trying to decipher what _is_ personal data and what our obligations are to our customers and to their users. The actual work has been the easy part. We will never get back all the lost hours spent on debate, clarification, re-clarification, non-answers, vague answers, more debate.
We've gone through a couple of audits from customers' GDPR-compliance consultants.

As a result we have been triggered to perform some well overdue security reviews, thinking about security processes and data compartmentalization, documenting some procedures etc. I think it's by far a net good, even as a relatively small company.
It has been 24 hours since GDPR came into effect. To be blunt, if anyone’s business has been affected dramatically, then their business is likely too brittle or unethical. If that’s the case, you should rethink your business model.
The only recent change for me was that I entered into a DPA with the bookkeeper and the payroll company; everything else was already done (and long ago, not last week).

It helps that collecting data on individuals was never a part of our strategy to begin with.