
The operating part is "should already be state-of-the-art". The typical programmer already knows that personal data is sensitive and treats it that way. Maybe there are some adjustments here and there, or some oversights or things that should have been fixed months ago. But most of what needs to be done has already been law in one form or another, so the programmer is trained to do it correctly. There are retention laws for tax data and business communication of 7 years and longer, which override the GDPR, so the startup will most likely be out of business before any deletion is required.

So what remains for the business part of the startup is to make sure the necessary contracts with all third parties are in place (the pressure-the-conglomerates-part), and to explain it to the users. This is annoying, but also not much worse than the typical legalese stuff the CEO has to deal with. The data privacy policy of a certain privacy activist reads, in essence: "We store only what we need, and delete it as soon as we can, as long as we are not required by law to store it for any longer." You don't even need a law degree for that, as you shouldn't, because the text should be readable for the end user.

> What is everybody complaining about?

I don't know, the GDPR is basically German data privacy law, and it hasn't stopped Berlin from becoming a startup center in Europe. I guess if you don't want to be GDPR compliant due to the effort that's fair, but you should know that there are much worse things ahead for a company.

However, if you are not _able_ to be GDPR compliant as a small organization, while many of your competitors are, you should absolutely not be entrusted with personal data.

> The operating part is "should already be state-of-the-art". The typical programmer already knows that personal data is sensitive and treats it that way.

The expense doesn't come from that. Even if you're doing the right thing in spirit, now you have to compare what you're doing to a complex regulatory framework. That's pure overhead that you pay even if you don't even have to change anything.

> This is annoying, but also not much worse than the typical legalese stuff the CEO has to deal with.

You're saying that this thing that harms small businesses and entrenches incumbents is like the other things that harm small businesses and entrench incumbents. But that's the problem. Each one you add is an incremental burden that moves the margin for how many startups you kill by another kilometer in the wrong direction.

> The data privacy policy of a certain privacy activist reads, in essence: "We store only what we need, and delete it as soon as we can, as long as we are not required by law to store it for any longer." You don't even need a law degree for that, as you shouldn't, because the text should be readable for the end user.

That is a very aspirational privacy policy that also happens to be very strict and trivial to violate unintentionally. And what are the consequences for not following your own very strict privacy policy?

This is why most of the big companies have one that says something to the effect of "we promise to use your data for things we want to do", but which then has to be carefully crafted by lawyers to simultaneously minimize liability and hold up under scrutiny.

> I don't know, the GDPR is basically German data privacy law, and it hasn't stopped Berlin from becoming a startup center in Europe.

It's all relative. If Germany has a significant regulatory burden but Greece is a hotbed of corruption, Germany can still do better than Greece. But not as well as it could have done with less overhead.

> However, if you are not _able_ to be GDPR compliant as a small organization, while many of your competitors are, you should absolutely not be entrusted with personal data.

The pretense that complex regulations only cost you if you were previously doing something wrong is empirically false. The cost of complying with the regulation is in addition to the cost of doing the right thing and is still paid by everyone who was doing the right thing already. And it can be enough to destroy a company that was not actually mishandling data but merely had low operating margins.


I'm not arguing against any of that, including your statement that the GDPR might be the last drop to destroy a compliant-in-spirit company which has been surviving just so. I'm merely questioning the scale of the problem (based on my own experience implementing the GDPR in a low operating margin context) and their right to exist to begin with (based on my personal view on the sad necessity of data privacy regulation).
