We have been spending a lot of time in Board meetings lately talking about GDPR.

GDPR stands for General Data Protection Regulation and is an EU regulation that, as written, will impact most Internet companies regardless of where they are located.

If you have not heard of GDPR and are running or working for an Internet company, you should wrap your head around it asap.

This Wikipedia entry does a pretty decent job explaining GDPR at a high level.

I heard someone explain GDPR as the “privacy equivalent of SOX.” I think that is a decent way to think about it.

This is serious regulation and complying is going to be hard and a lot of extra work. It will also impact product development and add overhead to that. The penalties for non compliance are massive and you cannot simply ignore this.

All that said, we did this to ourselves. The tech/Internet industry has run roughshod over user privacy for almost two decades now and we created the conditions for this regulation to pass.

The privacy equivalent of SOX.

So wrap your head around GDPR and prepare your company to comply. There is no other option.


Comments (Archived):

    1. awaldstein

      Good info.I’d be curious if when you are planning a dtc business like lets say in a nutrigenomic supplement, how you line item out this resource.

      1. Nick Grossman

        I guess just legal/compliance ?

        1. awaldstein

          Smart. Not a line item I ever put enough in.

    2. DJL

      Nick – This is becoming a huge space from the technical tools perspective, because some of the requirements are impossible to implement today.Add us to the list. https://www.informationshie… But we are tackling security and privacy compliance as an integrated system. Startups (especially in the Saas) world are getting pummeled by their customers with security assessments.

    3. Diego Ventura

      Thank you for sharing this!

    4. LaVonne Reimer

      We have a data governance layer for applications that give “data subjects” (hate the term) more than passive access. It works because our starting point is people should (and can) be in charge of personal data they need to share in credit and risk. The challenge for many is that big data has become the major driver of business valuation and monetization strategies. Legacy players like Equifax practically invented that playbook. I have been launching digital platforms with personal data for decades. In each case we had ways to make money other than monetizing data. Assuming the attitude, policies, and tech architecture of data stewardship is ever so much easier in such a case.

    5. Campbell Macdonald

      Do you anticipate services to comply with GDPR will be provided by AWS and the like?

      1. Lawrence Brass

        Rackspace is in a sweet spot and a step ahead in providing GDPR supporting services in my opinion. They have focused on infrastructure management and they are already partnering with AWS, Microsoft Azure and others players in non-GDPR areas. I guess they will provide those services to them too.…Rackspace UK has interesting related articles in their blog:

    6. JLM

      .Same thing happened when SOx 404 kicked in. Everybody was hiring people to make charts for them to meet the requirement. I was running a public company at the time. We made our own using MS Publisher.JLMwww.themusingsofthebigredca…

    7. Lawrence Brass

      DIY GPDR guidelines, templates and a nice supporting SaaS for startups and not so startups sounds like a very interesting product/service.I think that one half of the problem is about technical design. Encrypt everything, don’t hold the encryption keys, design compliance support tools into the systems, automated deep user deletion, good logs(!). Things that a startup can consider as requirements of their software products in development, as they are in the stage of building their systems. More mature businesses may spend a lot more time and money implementing those as complementary systems.The other half is traditional compliance (is this lawyer and process stuff only?), but with the proper supporting tools and reporting in place I guess it should be easier to achieve.

      1. VC

        Most companies will need a DPO for GDPR compliance. They are tech heavy, legally skilled data subject advocates who report to the board. Average compliance people cannot do it.

    8. VC does an excellent job, and they are global

    9. Aircloak

      See also – Berlin/San Francisco. Confirmed by European data protection authorities to provide GDPR-level anonymization for all data sets and use cases.

  1. Tom Labus

    “Valid consent must be explicit for data collected and the purposes used for…”

    1. Anne Libby

      And, “Automated individual decision-making, including profiling (Article 22) is made contestable. Citizens now have the right to question and fight decisions that affect them that have been made on a purely algorithmic basis…”It will be interesting to see how some of the HR tech companies respond to this.

      1. Tom Labus

        when did we decide to pass credit judgment!! We just slipped into it and no one cared. How did checking what the credit cos were saying about you become a negative for you

        1. Anne Libby

          I’m not exactly sure when this started, maybe the early 00s?

  2. jason wright

    “All that said, we did this to ourselves. The tech/Internet industry has run roughshod over user privacy for almost two decades now and we created the conditions for this regulation to pass.”all in the name of private profit. oh the irony.GDPR and blockchain seem to be pleasingly this the beginning of a change in the Google and Facebook model? are we as individual citizens being empowered to reclaim a balance of sovereignty over our personal data and identity against the corporate class? about fucking time.

    1. Matt A. Myers

      Perhaps. The State can intervene and force companies to allow full data portability and deletion abilities, and/or technology can be used and people support platforms that allow this via their governance – governance being the final competitive layer.Blockchain technology may be the answer, however it still increases costs, isn’t necessarily attack proof, central bodies who can alter the rules for some blockchains exist, and blockchain should be a function of currency – not of being incentivized through wealth transfer which then incentivizes manipulation and other bad behaviour.The State in the EU is much further ahead with user privacy and data rights, the rest of us would benefit from keeping up. They’re also ahead with going after the bullshit tax dodging practices by going after a % of revenue instead of on profit. These tactics by businesses are all terrible for society, adding friction to people’s ability to flow away to competition and friction to money flowing throughout society – the tipping point seems near.

      1. jason wright

        the american state appears to be in the pocket of big corp and lobbyists (web tech giants (google, facebook…), the saudis, israel (aipac), elements of wall street (citibank, goldman sachs) et.c.), while the EU is a partnership of different cultures and histories and has to strike a balance that i don’t think Washington does.

        1. Lawrence Brass

          I agree with Larry Lessig theories about the state being held captive by the lobby and special interests. I think this is the same reality that made Trump possible. However, freedom of speech, diversity and a moral reserve that lives at the heart of many US institutions and most importantly at the hearts of their people is what provides the balance in the USA.

  3. awaldstein

    I embrace something else to worry about.Actually I like problems that need solving and since this one appears to be built to protect me, I’m in.Was ignorant about this. No more.

  4. Nawaz Imam, CFA

    If you are a fintech company, the other piece of European regulation to be aware of is MiFID II (Markets in Financial Instruments Directive II) which is a massive piece of regulation affecting most parts of financial markets and going live on Jan 3rd 2018. It will catch everyone in its trap that touches pretty much any transaction that crosses over into Europe (including the UK which is applying their rules regardless of Brexit)

  5. falicon

    “complying is going to be hard and a lot of extra work”I’m not so sure that’s true for everyone or even most…if you aren’t trying to be coy with your users in the first place, and you aren’t collecting more than you really need to solve whatever problem you are solving…then what’s so hard about it?

    1. JimHirshfield

      Users need to opt in. And any third-party service provider you use has to be opted in by the user. Third parties are as culpable as first party sites.

      1. falicon

        1. Users should already be opt’ing in.2. IMHO there is too much reliance on 3rd party systems anyway (though I understand that is prob. the dev. in me speaking there). ;-)3. Overall, I still say #Good

        1. JimHirshfield

          Agreed. The law is there to force/enforce your points (and more).

        2. PhilipSugar

          I am not saying bad. There is an awful lot of selling personal data and that is really bad why should somebody not only violate my privacy but make money on it. Some of it is done because in the fine print they say that they can do it and some it is done in violation of agreements. It is dirty and it gets done by small companies that don’t care and big companies because people don’t know exactly what everybody else in the company is doing (or they don’t care)

      2. PeterisP

        This is kind of the whole point – on that regard, either you’re *already* compliant and don’t need to change (you still’d need to verify), or you have been screwing your customers the whole time. A large part of what this regulation does is prohibit activities that were legal (and popular) but they were clearly immoral the whole time, like opt-out confirmations and all kinds of black-hat marketing manipulation to obtain “consent” that’s not really consent.

    2. PhilipSugar

      It will be and here is why, certifications. Just like the SOC I and SOC II standards in the U.S. we will have to comply with a standard in the EU.That compliance has to be done by an auditor. They have no desire to make that quick and easy (how do they bill?)So we will have do another audit and prove that we in fact do what we say.

      1. falicon

        OK – you win. *That* will be a pain.

        1. PhilipSugar

          I certainly don’t win. I have auditors in my offices two weeks a year. The problem with that is multi-fold. They don’t know what they are doing, I try and mandate we get the same ones so we don’t explain the same thing over, and over, but they want “independent” ones that are getting a new opinion, by default you are guilty until you prove yourself innocent, and they have to find something wrong otherwise people will think they are not doing their job. Then we have to follow up for a month, and get our sign off.Now some of this is deserved. If I google search bathroom remodeling I start getting bathroom remodeling emails in my work email. Not a coincidence. Uncool.

          1. falicon

            btw – we actually are about to remodel our bathroom…but I leave all that research to my wife (so she gets all the spam about it) 🙂

          2. LE

            but they want “independent” ones that are getting a new opinion, by default you are guilty until you prove yourself innocent, and they have to find something wrong otherwise people will think they are not doing their job.Wow. I am impressed that they are so ‘smart’. Because sure you don’t want the prisoners to become friendly with the guards. And if money is no object because it’s not your money why not? It’s your pain, not the rule makers pain.and they have to find something wrong otherwise people will think they are not doing their job.In the past with somewhat similar situations I’ve just planted things that I know they will find so they feel they are doing their job. It’s actually a common technique that I have used in different variations.One thing about that audit job is that it really sucks and only certain people have the personality to go in and be annoying and disliked like that. I don’t. I had a consulting project years ago after I had sold my first company. A mid sized accounting firm paid me to go in and go over company records to try and save them money on things that they bought. I remember to this day how cold the entire experience was. The CFO and the accounting staff looked at you like you as if you were going to make them look bad if you found something they did wrong or overpaid for. [1] That was the one and only time I did that. I made money doing it but it was not satisfying in any way to have to sit there for a few weeks and have everyone looking at you in that way.[1] It was easy to find things they overpaid for. Typically some situation where it was easy for them to do it a certain way because of predictably personal relationships. That is why replacing people sometimes makes sense from a money saving perspective at least.

          3. PhilipSugar

            Yes, everybody does the plant a flaw for them to find. And yes personal relationships (usually greased by something as trivial as sports tickets) do cause people to make decisions that are not in the best interest of the company.

      2. VC

        You don’t. You will self certify, via your (in-house/outsourced DPO). No external audit required. That said, the DPO has to be given a lot of power to run their own show, as per the regulation

        1. PhilipSugar

          Here is what will happen if you like me sell SaaS to large companies:They don’t want to trust that you do what you say you do. The auditors will come up with a three letter standard and you will get audited.

    3. fredwilson

      i have not dug into whether there are safe harbors for small companies and side projects. But the requirement to hire a Chief Privacy Officer who has to personally sign the filings is an example of something that would be a hardship for certain situations

      1. PhilipSugar

        See my comment the issue will be we will have to document all of this not just say we are doing it. We have to extensively document that we check logs every day not just do it, that doubles the work.I totally agree with your last paragraph. I have been saying this forever which is when you do bad things you are pissing in the well that we all use, i.e. technology.

      2. JLM

        .The whole nonsense of tranfering enterprise responsibility to an individual is right from the SOx playbook. It is pure nonsense.I recall all the brouhaha when CEOs of public companies had to start personally signing their 10Qs and 10Ks as if they hadn’t been responsible in the past.First, what did they think CEOs and CFOs were already doing? Of course, they were taking responsibility for their numbers.Second, every CEO, CFO, CPO has protection under the general legal concept of the “prudent man.” As long as you did not commit negligence, you are covered by the prudent man rule.This is an amateurish attempt at scaring people. If I were a CPO, I would demand my salary be doubled.This is typical of regulatory excess which simply does not work. It is what happens when people with no practical experience are tasked to regulate businesses about which they know nothing.JLMwww.themusingsofthebigredca…

        1. LE

          when people with no practical experience are tasked to regulate businesses about which they know nothingYou have hit the jackpot Mr. Jeff. [1] Imagine all the money that is going to be pissed away by companies implementing this. The eggheads don’t look at the downside. As usual they only look at the upside. Not to mention unintended consequences. [2] [3]By the way it’s more than ‘no practical experience’. It’s also a mentality that exists because they don’t feel the pain and the impact. It takes a certain type of bureaucratic loser with no conscience to write laws like this aided no doubt by attorneys and consultants who stand to gain.[1] Exactly what I was thinking before I read your comment.[2] Like when disclosure of CEO pay was required and it led to a pay race because every CEO was easily able to compare himself to his peers. And then an entire industry of pay consultants comes in to predictably jack up everyones’s pay.[3] Deregulation of utilities leads to less reliability.

        2. DJL

          That is exactly why we are bullish on our approach. To me it is much easier to guide the small business on what it means to “be prudent” with respect to security and privacy. But alas – everyone will look for the technical magic bullet.

      3. falicon

        Seems like, if small companies and side projects do fall into the bucket, the *real* solution will be to “disallow” users from the EU (until you hit a certain size and it becomes worth it [if it ever does]).Prob. not something the EU users themselves will be big fans of going forward…

      4. LE

        i have not dug into whether there are safe harbors for small companies and side projects. 250 employees or more:One area of concern for small businesses is the GDPR requirement that companies hire a data protection officer. But, as Incisive Business Media’s V3 site notes, that part is for firms with more than 250 employees. “Smaller firms may still need to employ someone in this role if handling personal data is core to their operations,” V3’s Dan Worth writes. “This may not have to be a full-time employee, but could be an ad-hoc consultant, and therefore, would be much less costly,’”https://nakedsecurity.sopho……Note: Assumes correct, haven’t triangulated..

        1. VC

          Can’t rely on that if you are a tech company with many users. Even 2 person shops which process a lot of customer/employee data must comply.

      5. DJL

        As with the NYS DFS, I believe that small businesses can outsource this role. People are going to be pushing “CPO on Demand” services. There is going to be a lot of legal analysis in the next 12 months.

        1. VC

          It’s outsourced DPO service, and yes, fully legal and compliant to outsource it.

      6. VC

        You don’t need a chief privacy officer, you need a DPO. The skillsets are quite different. does it for multiple startups. I’m sure there are many others too.

    4. DJL

      GDPR has essentially called for “Compliance On Demand”. These means that for organizations to REALLY comply, they would have to ramp up their technology and governance to an entirely new level. This will be very slow. And in the meantime the requirements will change when they realize that most organizations are behind.

  6. Niall King

    A lot of companies popping up to help, all right. Y2K, anyone?Incidentally – doesn’t blockchain fly in the face of GDPR in that the blockchain data is “immutable”?

    1. VC

      No, blockchain doesn’t contain data to identify humans, so is not in conflict with GDPR

  7. Chris Jagers

    Glad to be in the blockchain space, where user privacy is already presupposed. We’ve written about our take on GDPR and enterprise software using the blockchain here:

  8. DJL

    GDPR and the NYS DFS (Department of Financial Services) Cyber law are the two most important regulations to hit cyber security and will drive the future. While GDPR is “Sox for Privacy”, the NYS DFS is “Sox for Cyber Security” But compliance is very painful and many of the controls in GDPR are nearly impossible. So they will evolve.At Information Shield we have developed a Control Framework for complying with both privacy and cyber security and then wrapping it in a GUI for the SMB market. (sorry for the plug). I am happy to talk to anyone about this topic. https://uploads.disquscdn.c

  9. Pointsandfigures

    Was recently in Torino Italy advising the G7. Here is an excerpt of Michael Kratsios, Deputy Assistant to the President and Head of the U.S. Delegation at the G7 ICT and Industry MinisterialAt the White House Office of Science and Technology Policy remarks at the G7. “we think a lot about the very issues tackled here at the G7. Innovation and emerging technologies are the most powerful force for combating humanity’s greatest challenges. They allow us to create new types of productive and fulfilling jobs, vastly improve human health and wellbeing, and help people better realize their dreams.“Innovation Week” is a fitting wrapper for these discussions, and I’m very happy that we were able to involve entrepreneurs and innovation experts – not just policy wonks – but the people who are working each day to actually bring new discoveries and inventions to life. They’re the ones who know first-hand what the trajectory of the technology landscape looks like, and they know how regulatory frameworks can either assist or destroy their ability to make the world a better place through technological development.The digital economy is the global economy. And a thriving digital economy requires that we as governments find ways to promote access to innovation.To that end we welcome the G7’s recognition this week of:· The promotion and protection of the free flow of information across borders· The commitment to keep our markets open while standing firm against unfair trade practices· And opposition to data localization requirementsBy developing sound policies with principles like these in mind, we can increase access to the digital economy, the global marketplace, and new digital trade opportunities for our most innovative companies. We can make it easier for our entrepreneurs to reach customers at home and around the world.I believe it is critical for great nations like those in the G7 – with strong historical ties and great affinity for one another – to continue to come together to discuss these incredibly important issues. While we may not always agree on every point or every process, it is clear that our objective is universal: a secure, bright future filled with opportunity for generations to come”Obviously, this sort of regulation flies in the face of the above sentiment. Very hard to regulate opt-in services like Facebook and Google. Very hard to compete with them as well.

    1. Erin

      Well that might be Michael Kratsios’ sentiment, but aren’t the Americans going to start to have privacy envy when the GDPR is implemented?

  10. Vasudev Ram

    Will GDPR be applicable to small companies and say individuals like consultants, who are outside the EU (and US), who are selling some product like a course or book online, and some of their customers could be from the EU?

    1. VC


  11. Adam Parish

    It’s been awhile since you’ve mentioned the Wikipedia (even as a reference). I like it.

  12. llonyort

    We’ve been developing a solution over the last year for GDPR compliance. The fines for non-compliance will be significant and the difficulty does not lie with complying with a user’s request to opt-in or opt-out, but rather ensuring you can provide ALL the information on any European resident on demand. The law gives users the right to demand organizations to erase their personal data, which can be a difficult task when it resides in so many different data domains, including individual inboxes, CRMs, Marketing, Customer Success, product, tech, etc. You may think you’ve deleted all the data on someone and then they are reached out to by marketing or sales and now you face potential massive fines.

  13. William Mougayar

    Although it will be costly to retrofit existing software systems, this will be a standard feature going forward. But the Aha moment will be for consumers- suppose you want to move suppliers (e.g. healthcare, insurance, banking services, etc.), they will give you Your data. You take it and go somewhere else. That’s powerful.

  14. Kent Karlsen

    A little story related to GDPR: Two months ago I testet my Windows phone with German language for a few days. Then I switched back to my native language again. I have never used German on other devices or applications or settings. Forward two months. Yesterday I bought a book at I chose Kindle version and then bought the book with one click. Then I see that I got a Dutch translated version of the book (and I can’t change language of the book to english on the order page). What? I have bought like hundred books before, always in english language. My language setting at was still english, but my book was selected as Dutch and I could not change it. I used a laptop when I bought the book, but got information from my Windows phone. Have Microsoft sold my information to Amazon? I really don’t care personally, but in this case sending data between companies/devices was not helping, it was giving me a problem and a bad customer experience. I managed to place the order with the book written in english language. Ironically, the book I ordered was “Hit Refresh” by CEO of Microsoft Satya Nadella.

  15. Leo Bekhuis

    Hi there, good post thank you! We are a small legal tech startup getting out of the incubator phase. Our focus lies on getting the specific sectors within SME in Europe GDPR compliant. Alvis IO We deliver decentralized proof regarding a subsection which is storing and sharing the rights of individuals and dealing with consent validations our clients customer bases. We team up with small legal firms to get the approval and our solution is based on a permission chain. Our vision is to embed trust and transparency into business processes regarding personal data. Our mission is ultimately to give your business a clear data conscience. Lets work in subsections on this data privacy challenge would be pur advise, inform them, teach them, hand out smart first steps and work on using transparency as a competitor advantage. KR Leo

  16. Rob Sobers

    If you want a deep dive into GDPR and all the nuances, security pro Troy Hunt released a free video series on it:

  17. julianranger

    The comments here all look at GDPR as a cost, rather than as an opportunity. By following sound data principles, putting the individual at the centre of their data, maybe businesses will have GREATER access to personal data over a WIDER range.This access to Rich permissioned personal data is exactly what we are doing at Enabling businesses to have access to orders of magnitude better data today at orders of magnitude less cost – whilst respecting individual privacy and consent.GDPR is not a zero sum game – by putting the individual at the centre it can and is better for both individuals and businesses.