GDPR Impact on Startups

Debates center on whether GDPR disproportionately burdens small businesses and startups with high compliance costs compared to large tech companies, with arguments for exemptions, leniency in enforcement, and claims that ethical data practices make compliance straightforward.

📉 Falling 0.4x Startups & Business
Comments: 3,426
Years Active: 16
Top Authors: 5
Topic ID: #9162

Activity Over Time

2011: 1
2012: 3
2013: 3
2014: 2
2015: 11
2016: 2
2017: 65
2018: 1,638
2019: 386
2020: 188
2021: 271
2022: 277
2023: 232
2024: 133
2025: 202
2026: 12

Keywords

MS e.g US europa.eu GOOG ico.org FAQ GP FAR SOC2 gdpr data compliance business companies small compliant user data eu law

Sample Comments

theptip Jul 16, 2020

There are two factors at play here; both you and the GP are making points that are correct.

1) As you say, "If you're abusing data, you're going to have a hard time- and that's good." Companies that are built on selling your data (e.g. data brokers in the marketing / finance industry) or sharing it without your consent (e.g. Facebook with Cambridge Analytica) will have to stop those practices. GDPR working as designed, win.

2) For business models that are viable

eksemplar May 26, 2018

This is mostly false.

The GDPR doesn’t fine small companies that aren’t making a lot of money. The fines also don’t apply fully to startups until they are a certain age, depending on country.

The GDPR doesn’t require you to delete user data that you need. That would be insane, you could obtain a loan and ask to have the record of it deleted if it did. The GDPR does require you to inform people that you keep their data, and it requires you to tell your national how you plan to keep the data s

leppr Oct 15, 2021

Depends on the country. For instance in Europe, GDPR enforcement is way more lenient towards small companies, to the point where it makes no strategic sense for a startup to invest anything but the bare minimum required to feign "good intentions". Striving for actual compliance with the letter of the law is something only huge companies do.

jmcs May 26, 2018

The European Union provides a FAQ for the GDPR so you don't need a lawyer if you have a small business: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

The "best practice" you mention was already illegal if you have European users, the right to be forgotten was al

jacquesm May 18, 2018

This is a ridiculous over-reaction based on an extremely shallow interpretation of the GDPR.

If you are running a small business and you feel that you won't be able to operate your business because of the GDPR consider all those other laws that you have to be in compliance with as well. If that's your attitude towards legal compliance then you should probably shut your business down completely rather than to hope that just ignoring European customers is going to make the bogeyman go

mrtksn May 29, 2018

The nature of the chain business. Chains do things that small ones don’t and the extra regulations are about that. As I said, small restaurants are not allowed to be dirtier than the chains.

The same goes for the software, if you’re not doing things that Google does then GDPR affects you less than Google.

Seriously, the cost of GDPR compliance is not the same for Google and mom&pop businesses, just like the cost of food safety regulations is not the same for the chains and small restaura

tyler_larson Feb 11, 2018

The GDPR was specifically sold as limiting the things that well-known US tech companies (Facebook, Google, Twitter, etc.) can do with respect to EU citizens. The sad irony is that only well-resourced tech companies with a small army of lawyers and a large army of programmers can afford to be GDPR compliant.

The sort of unintuitive machinations it takes to maintain honest compliance while providing useful services is kind of mind-blowing. Every bit of it that I've dealt with has left

cheald May 31, 2018

There's a consistent strain of conflation of this issue in all the GDPR threads, along the lines of "well, if you can't comply with the GDPR, you must be an evil company selling my data to bad people for bad reasons!"

You don't have to be doing anything shady with data for the GDPR to be a threat to you and your business. You can be collecting a bare minimum of data that you only use with the purest of intentions and still be in violation of the law and subject to its p

GlickWick Sep 14, 2023

You disagree with what exactly?

In the case of being a small business, it’s not even about being shady. Imagine you were building a simple step tracking database for a pedometer app. All it does is store a user id and some daily steps. You have zero intent to market or share it in any way, no ad personalization, no third parties, etc. Before GDPR you’d just spin this up and be fine. Now you need to deal with data consent policies, data deletion tools, potential exfiltration policies if your DB

stanfordkid Apr 30, 2018

Sad -- regulation hurts small businesses. Why not make GDPR apply once the number of users reaches a certain critical mass?