May 19, 2019

GDPR-compliance when just starting out?

Gershon Ballas @gballas

Hi indie hackers,

My partner and I (both developers) are currently working on an MVP which could (if we are predicting it right) develop into a product. We predict that a lot of customers are going to be European.

How did you guys manage to stay GDPR-compliant? Especially when starting out? Did you guys use some sort of software for that? It seems to be that it's not impossible to be GDPR-compliant but does require some reading and work at first which I can't be bothered to do right now. I'm also afraid of making mistakes and getting fined...

Am I being too paranoid? Is GDPR-compliance actually enforced on small businesses?

Sorry for posting about this subject again. I've read through a ton of posts about GDPR here on IH but couldn't quite find an answer for that.

Thanks in advance!

  1. 7

    Hey, being fully GDPR compliant is a challenging but possible task. I don't think it's worth spending the effort until the ball really starts rolling, but I would do a few simple things to cover the basics. Here is the list (it is not full by any means, just what I think is enough for a new company):

    • Cookie banners for the website. Can be covered with a site like CookieBot (https://www.cookiebot.com/en/) for free or a small monthly fee. CookieBot has an option to show banners only to EU people, which I think is valuable.
    • Gathering and tracking consents to your terms of service and privacy policy. I would recommend keeping track of the exact text that a customer agreed to (what you put next to the checkbox) and the date. The version of the ToS and PP is optional since it can be derived from the consent date if needed.
    • Data Processing Addendum. A document similar to the PP, describing what data you collect and why. Google for examples. Don't collect data you don't need, and this is an easy check box to check.
    • Gathering EXPLICIT consent (having an opt-in checkbox, defaulting to false) to any marketing communications you plan to send, and adding the ability to control that. The ability to unsubscribe from marketing messages/calls is also part of CAN-SPAM regulations.
    • Ability for customers to delete their account and data forever. Think about what to do with backups where this data will stay. If you don't keep backups long, you should be fine with just making sure you're re-deleting accounts after restoring the backup.

    While this all looks like a lot, if you build with these practices in mind from the beginning you should be fine and won't spend too much extra time.

    Best,
    Sergey

    PS I don't think anyone will go after a small business with a few customers, but better safe than sorry. Plus, when things really start rolling, GDPR will be the last thing to think about.
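    As an added example (not code from the original thread or from any poster), here is a small Python sketch of two of the points above: keeping the exact consent text and date per user with marketing opt-in defaulting to false, and making "delete forever" survive a backup restore by replaying deletion tombstones that are kept outside the backup. All class and field names are assumptions.

```python
"""Consent ledger plus a 'delete forever' that survives restoring an old backup."""
import copy
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Consent:
    user_id: str
    purpose: str        # "terms" (ToS + privacy policy) or "marketing"
    text: str           # exact wording shown next to the checkbox
    granted: bool
    recorded_at: datetime

    def text_digest(self) -> str:
        # A digest of the exact text proves later which wording was accepted
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


class UserStore:
    def __init__(self):
        self.users = {}          # user_id -> profile dict holding PII
        self.consents = []       # append-only ledger of Consent records
        self.deletions = set()   # tombstones, deliberately NOT part of the backup

    def register(self, user_id, email, terms_text, marketing_text, marketing_opt_in=False):
        # Marketing is a separate, explicit checkbox that defaults to False
        now = datetime.now(timezone.utc)
        self.users[user_id] = {"email": email}
        self.consents.append(Consent(user_id, "terms", terms_text, True, now))
        self.consents.append(Consent(user_id, "marketing", marketing_text, bool(marketing_opt_in), now))

    def may_email_marketing(self, user_id) -> bool:
        # Only the most recent marketing consent for the user counts
        records = [c for c in self.consents if c.user_id == user_id and c.purpose == "marketing"]
        return bool(records) and records[-1].granted

    def delete_forever(self, user_id):
        self.users.pop(user_id, None)
        self.consents = [c for c in self.consents if c.user_id != user_id]
        self.deletions.add(user_id)

    def snapshot(self):
        # Simulates a backup: profiles and consents only, tombstones excluded
        return copy.deepcopy((self.users, self.consents))

    def restore(self, snapshot):
        # Restoring resurrects anyone deleted since the backup; replay the tombstones
        self.users, self.consents = copy.deepcopy(snapshot)
        for user_id in list(self.deletions):
            self.delete_forever(user_id)
```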

    1. 3

      All great points by @sergey_shvets. I'll just add a few things as we're going through that process at the moment.

      • If you're a US entity you're likely to be asked about Privacy Shield compliance. This is not free so don't rush into it until you know for sure it'll be worth it.
      • For GDPR you'll need to list all the 3rd-party services that you push personally identifiable information (PII) to. That means emails, names, addresses... So if you're using things like Intercom or support tools you'll need to make sure you've listed the tools along with providing information about opting out.
      • Make sure that you have a DPA agreement with the 3rd-party software. Most of the big cos include them in their own privacy policy so it should be straightforward.

      I have a suggestion to make with regards to your investment. GDPR compliance has some costs to do properly - see the official checklist here: https://gdpr.eu/checklist/. If you're just at the MVP level I'd suggest focusing on getting validation from US customers first until you're in a good spot. In our case, we always followed GDPR best practices but only invested in updating all our T&C and policies after getting traction and getting some pushback from EU companies.

      1. 1

        Thanks for the response. Yeah, I don't think anyone will go after my web-app considering how small it currently is, but it's always good to think ahead. Thanks for the info.

        1. 1

          Yeah, usually it's not so much that people will go after you, but rather that some EU companies have internal policies to not use services that aren't GDPR-compliant. But when you get to that point it should be easy to comply if you're embracing privacy by design principles.

    2. 1

      Thanks for the detailed response!

      Yeah, I figured more or less what you said. That although it's some work at first, it's not that difficult once you simply set the right habits in place.

  2. 1

    Just starting out, I would just go with a privacy policy and a website pop-up that makes them agree to cookies, your privacy policy, and terms of service if you choose so.

  3. 1

    I use iubenda for my privacy policy. It’s point and click to add various support for the technologies that you use (e.g. Heroku, Google Analytics, Facebook Pixel, MongoDB). They also have other products for more extensive support. 10% discount referral link: http://iubenda.refr.cc/JZ7X59H