How big of a deal is GDPR if you're not selling people's data?

Tatyana Deryugina Founder of

May 21st, 2018

I'm working on a website that will definitely be available to EU users. We're not really collecting any sensitive information. You provide your name/email when you sign up and then tell us which academics/journals/keywords you are interested in. We might track how people use the website and use their preferences for statistical purposes (e.g., which academics are the most popular), but nothing like selling/giving users' data to third parties. Currently, we have a pretty standard privacy policy that people have to agree to by checking a box when they sign up. I've read a bunch of articles about GDPR and it's really unclear to me whether I have to change anything or not given how "boring" our use of the data is. I know this is not a platform for legal advice, so I'll phrase my question as, "If you have EU users, are you changing much to comply with GDPR?".

Whitney Founder of Meetaway -- Online events that fit into startup life.

May 25th, 2018

Great question! If you are also asking individuals outside of this forum, it would be awesome if they/you could follow back up on this thread.

I similarly have a Swiss-cheese knowledge about GDPR, but one area that has been disruptive is the opt-in model for receiving marketing emails. You've likely noticed that many subscription services are asking for consent to email you recently, and this part of GDPR is driving that. There are also rules around weighing opt-in / opt-out options. The devil is in the details on all these reg...

Ashit Vora Co-founder RaftLabs

May 22nd, 2018

Well, I haven't dived deep into GDPR but there are a few things you need to change in your app...

- Your users should be able to delete their account permanently and when they do that, their account & all the data related to their account should be deleted forever.

- Users should be able to download the data related to their account. Meaning if you allow users to upload their photos, they should be able to download them all if they need to.

Other than that, I don't think you need to make any major changes in your app.

I would love to hear others' thoughts on GDPR.



Jenny Kwan Co-Founder and Technical Lead of Woodlamp Technologies

May 23rd, 2018

"Right to be forgotten" includes your analytics. You can preserve their records in your aggregates, but it has to be provably impossible to derive PII from them.

Tatyana Deryugina Founder of

July 16th, 2018

I found a high school friend who now lives in Sweden and is a lawyer who is working on this exact issue. She offered some advice that I'll share. Basic takeaway is that perfect compliance is hard, but small companies are unlikely to be targets of regulators.

"If you have a service agreement with European users you can base a lot of the processing of the users' data on that agreement, i.e. that will be your legal ground for that processing (article 6 GDPR). Each different type of processing requires you to identify an appropriate legal ground for that processing in order to be legal. The GDPR does not apply to anonymized data at all, but care has to be taken to ensure that it really is not just pseudonymized (there can be no way to 'unlock' or decode the data, i.e. it has to be irreversibly anonymized). Sharing data with third countries (any country outside the EU/EEA) requires a separate legal ground for that particular transfer, as third countries are usually not considered to have sufficient security (this actually includes the US because of the NSA, but there are some specific exceptions for that transfer). Third country transfers are governed by articles 44-50 and are complicated and require some work to set up, so the best thing would definitely be to keep EU/EEA data within the EU/EEA.

The GDPR is incredibly burdensome and is not a question of setting up the right policy or hiring the right person, but of mapping all of a company's data processing activities, analyzing the processing and identifying and setting up legal ways of continuing with that processing, where possible (and discontinuing the other activities), and implementing a whole new structure and way of working. With that said, I'd say that perhaps 10% of European companies are even close to achieving everything that the rules stipulate. A lot of work remains to be done also at my company; I am very busy with these issues still and there are generally very few people to even hire to do work with GDPR compliance in the EU right now. It's therefore difficult for me to give you straight yes or no answers on anything or help you update e.g. the privacy policy; to get it right, we would have to start with me interviewing your programmers and IT staff and I don't think any of us have the time for that :)

Therefore, my best recommendation is to get familiar with the GDPR ( and the articles I have pointed out. It is written in really clear and modern language and in English, so that's a plus :) I'd then try to set up the data processing in line with these main rules and base the processing on the core principles laid out in article 5. Try to keep a register (article 30), keep the privacy policy updated and complete (article 13), avoid third party transfers and anonymize data where possible. If you are uncertain, make sure to obtain clear and unambiguous informed written consents. And remember that the risk of you becoming the target of European authorities is probably tiny :)"