I'm arguing from the point of view of a customer, not "slandering". Customers are going to have a choice between GDPR-compliant companies and USA-only ones and (if they care) they are going to assume the worst about why the GDPR can make a company retreat from the EU market.

As far as the public understands that complying with a new law is expensive, and why GDPR compliance in particular is expensive, it is obviously more expensive for "bad" companies: don't expect the same compassion and tolerance with which other types of customer disappointments (e.g. raising prices) are received. Your competitors who do not retreat from the EU are obviously caring more for customer privacy, and/or better organized, and/or less reliant on excessive data collection. They are not going to be considered stupid because they spend more than they should on doing the right thing.

You admit bad organization ("there are some areas where we would have to re-architect to gain full compliance"): not trying to comply with the GDPR is clearly not a "rather simple business decision", it's a decision to accept failure instead of losing even more money, and you aren't going to look good even if it's the rational choice in your situation.

Right now we are going through a federal audit. We sell only to US orgs, but also have a social media platform.

Because our social media platform is open to all, we are addressing adhering to the GDPR. In spirit, we already do, but they want what amounts to 5 documents how we use metrics and user data.

(Edit: we use metrics only in a '20 new people signed up'. We treat all data as federal confidential data. We also abide by deletion requests - immediately all user data is zeroed out, and a script overnight removes the zeroed fields. If it should not have been entered, we also will nuke users on backups too.)

If you're doing things respectfully and the right way, the GDPR is a nuisance. If you were hoovering anything and everything, you're in for a bad time.

And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Edit: > "My customers are all happy with my privacy policy,"

Do they have a choice, aside to never use your stuff? If do you force acceptance of the 'privacy policy' on usage of your service? If you, that is in direct violation of the GDPR.

Hope you never want to consider European citizens as a customer. Building in this respect is cheap, but is expensive if you ignore now.

Think of this as "California Emissions". Eventually the US will adopt, even if in defacto. Might as well be on the right side of the fence.

So because you don’t have many in-scope systems, you believe that the cost of compliance is going to be the same for every company in the world? And what did I say that gave the impression that I don’t respect my users or their data?

Our application is a financial one, so I’d say it’s reasonable to assume that it ends up with a lot more in-scope PII than yours does.

In spirit, we also comply with almost all of the GDPR. However, some of its undefined edge cases prevent us from fully complying with it without an expensive re-architecture project, and re-implementation of some of our toolset. The areas we don’t comply with are incredibly minor, and I’ve seen some people arguing that we’d fall within the GDPRs limits of flexibility. However, that’s not how we manage risk. No matter how confident we were, being wrong could potentially end our business with fines.

As I have said repeatedly, for many small to medium sized businesses that don’t have many EU customers, there is simply no reason to implement GDPR at all. The costs can be quite high, and the risk of getting it wrong is enormous and not survivable. This is one of the many unintended (although entirely expectable) side effects of the regulation. All you’re trying to do is spread FUD.

> However, that’s not how we manage risk.

I think that this point can't be over-emphasized, and I wish you had put that sentence in its own paragraph.

Risk (management) was also alluded to elsewhere in the comments in the discussion of "rules-based" versus "principles-based" regulation.

Perhaps characterizing certain business reactions as "panic" is grossly unfair, when they're merely sensible (or even somewhat excessive) risk-aversion reactions.

I've come to suspect that the HN readership has a high risk-affinity, not just because of the startup leanings, but also even because of the preponderance of programmers working in internet/web tech, possibly never even being exposed to an environment that's life-critical or money-critical (is there a word for that? fiduciary?). Given that, I also suspect there's also broad, possibly even unconscious assumption that risks like you're describing are no big deal, 80% compliance is more than enough, (always) ask for forgiveness instead of permission, and that sort of thing.

Personally, I don't think there's anything wrong with either risk-affinity or risk-aversion, as long as one is aware of it and it's not an unconscious bias.

I think you've hit the nail on the head regarding the bias of this particular forum. As a group, it seems obvious that HN would be less risk-sensitive than the average.

For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type. The mood of consumers and legislators worldwide is becoming increasingly pro-privacy and security.

Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.

> For the sake of the topic however, I'd say that in this case the greatest risk is in not pushing to become compliant for the sake of future-proofing against legislation of this type

I find it a bit frustrating that you would so clearly ignore the whole point of this sub-thread merely to repeat the same sentiment about privacy and security, which wasn't under debate in the first place.

Are you seriously suggesting that the GDPR is the end-all, be-all of data privacy regulation and that "legislastion of this type" will always be a proper subset of the GDPR, no matter the jurisdiction?

If not, then even your purported future-proofing rings hollow, especially for a company which already substantially complies with the spirit of the legislation, which is what we've been discussing here.

> Essentially, many businesses not looking to adopt GDPR compliant are winning the economic mini-game while getting beaten in the metagame.

I remain unconvinced that this is true, because of, again, risk. It seems credible to me that, for many businesses, the risk could easily not be worth it, regardless of others opinions on the ease of compliance or financial exposure (so far only unsubstantiated opinions, as we have no actual data on enforcement yet, and this is a pretty deeply political matter, as you yourself point out).

Moreover, I find it telling that you would refer to the situation as a "game". I expect the business owners in question (I'm assuming smaller business, in general) are more likely to view it a bit more soberly, in that they're running a business, not playing a game. As such, I don't expect they have a "mini" or a "meta", only decisions for which they and those that depend on them bear the consequences.

Great points. It’s all about risk and the cost/benefits of complying.

Your response seems to completely ignore what I said, which had nothing to do with data. It's as if you're just making an appeal to emotion.

I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

Others may be arguing against the spirit of the law, the extent of the protections, the tradeoffs between data and privacy, or any of those topics actually related to data or its storage. I'm not, nor is the GP.

I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.

> I keep smelling this false dichotomy: either you're complying with the GDPR or you're doing something nefarious.

It certainly doesn't appear to be a false dichotomy to me. If your company has a European presence, you will be required to follow the GDPR. But for my purposes, companies that say they will support the GDPR globally will absolutely get my business before those that do not.

And there are plenty of areas where my data is used against me. Look no further than the recent cell phone location leaks, or facebook, or google.. The time for their siphoning every last shred of data is done.

> I'm arguing that businesses can make perfectly valid decisions regarding risk with respect to regulation that have little to do with the compliance in spirit.

And I, a customer, can make a very easy choice of "If you assert that you follow the GDPR globally, I will buy from you." I think of it like California Emissions, or other 'Better than average certifying bodies'.

> It certainly doesn't appear to be a false dichotomy to me.

That's the problem. What you seem to be espousing is exactly "my way or the highway" (where "my way" is the GDPR) or "you're either for it or against it", the very epitome of false dichotomy.

Why not actually address the middle ground that has now been clearly explained multiple times? In what way does that non-compliance equate to nefarious conduct?

> And there are plenty of areas where my data is used against me

And here, again, is the appeal to emotion. Where's the data in this case, not those other cases?

That, and the fact that a good chunk of present day Europe was under the Soviet boot for 40 odd years and the people there got to see up close how dangerous data is in the wrong hands (in that case: the government).

Unfortunately your reasoning is not correct here.

Hungary and Poland were under the Soviet boot, but a generation later they are going back to undemocratic and authoritarian governments. Eastern Germany was under the Soviet boot and they have far more neo-nazism than Western Germany who wasn't. So the 40 years seem to have made some long lasting damage instead of fostering as strong "never again" attitude.

On the other hand 12 years of nazi government have left a much more permanent "never aggain" against big brother in Western Germany. To my knowledge it's the only country on the planet where citizens' resistance made Google to stop deploying Streetview (where it might well be debatable whether Streetview is the worst big brother thing. But sometimes relatively minor issues raise big fears and hit big resistance, as it seems to be with GDPR for small US businesses)

Countries are made up of individuals and not all individuals have the same mental make-up. Yes, there are quite a few worrisome developments but there still (maybe not much longer) is an institutional memory of these things that is for the moment exerting a positive influence in this particular domain.

In that case and now, in this case, too.. the government will have a legal monopoly on the data.

There is nothing that will magically transfer corporate data to the government.

I'm not sure what you mean by this. No magic is required, only sufficient desire by those in power.

That wasn't my point, though. It was that now only governments are allowed to gather and keep this data. Granted, the breadth of what's available to them may not be as great if they're mainly recording traffic with no access to corporate servers, but even that access can be periodically arranged given sufficient desire.

> It was that now only governments are allowed to gather and keep this data.

That just isn't true.

That's a pretty extraordinary claim, requiring extraordinary evidence.

There have been enough leaks that the public knows even European governments spy on their own citizens.

> And given your comments above, I'd put you in the company of "Hoover, Dyson, and Electrolux".

Comments like this come across like a personal insult.

For you an others, please refrain from such comments I see it shutting down interesting conversations(that help me understand additional view points).