Is GDPR compliance truly high priority?

https://git.snowdrift.coop/sd/snowdrift/issues/107 was marked as high priority. Is it really? Can’t we just say, “only non-EU residents are supported until we finalize GDPR compliance,” and then do things that are actually high-priority?

While we may not currently be in compliance with the letter of the GDPR, we have always been in line with the spirit — we keep user data to ourselves, avoid dark patterns, don’t inundate people with email, etc.

  • I think the chance of running into trouble with regulators is small; I don’t think it’s even worth the trouble to add an “only non-EU…” notice. (Obligatory: IANAL)

  • On the other hand, revisiting our privacy policy and terms of service needed/needs to happen anyway[1]. GDPR is a good excuse to do that.

  • On the other, other hand, there’s a lot of people trying to figure out GDPR best practices. It’s less work to delay our implementation until there’s some consensus on the right way to do things.

tl;dr I think reviewing the Privacy Policy and Terms of Service is high priority, but implementing GDPR compliance is not. Put differently: I think it’s high priority for outreach, but not sysadmin/dev.


  1. Feeling good about the documents that essentially describe our relationship with users is a soft blocker on announcing discourse. That's important at the least because more external interaction would really motivate me, personally.

1 Appreciation

I strongly oppose the use of “no-EU users” type language. Even to non-EU visitors that can be interpreted as “we aren’t GDPR compliant and aren’t prioritizing it (and may not really care about privacy)”. I overall agree with @smichel17’s post though about not worrying about taking the lead in doing this right.

My concern is mainly about what is or isn’t a blocker to broader promotion and inviting people. So, in order to be comfortable really promoting and getting hundreds of new folks coming around (which will happen when we push for it and are in position to take it on), I want either:

a. The acceptance of terms/privacy to be solid enough that it’s no worry about it further (it’s already what we think is needed long-term)
or
b. to know our plan for how we will get acknowledgement later when we update policies or otherwise reach out again to the new users

Even if there are higher priorities right now, I wouldn’t want this just put off too long. But I agree with the sentiment that we can observe the rest of the world and try to follow best-practices that we see from those we trust and respect. So, that’s a reason to wait and not to rush.

Overall, doing this right is important even if we accept it being non-urgent.

Personally, I feel more comfortable promoting and inviting people (especially en masse) if our terms are clear and we’re overall compliant with things like this… We don’t need to be perfect, just need to do what we know about already and can manage practically.

To the point: I marked it high-priority but I considered saying medium, and I’m not insisting that it’s top priority. Having it done would relieve some of the tensions I have about promoting and building the community.

The problem is that GDPR compliance is not something that is one-and-done. It’s not a task that you complete and then put a check in the box. It’s more of a process and way of doing things overall.
It is also not something we can isolate to non-EU residents. Corporations can be held accountable for doing business with other businesses that are not GDPR-compliant.

STRIPE, our payment processing service company, has one of its main processing facilities in Switzerland. If STRIPE finds out we are not following, or do not intend to follow, GDPR, they could refuse us service. I think that does make GDPR high priority.

Here is an excellent guide to GDPR provided by STRIPE.

It covers the topic quite well, includes a checklist at the end, and provides even further resources for people who want to take an even deeper dive into it. I’ve only skimmed it so far, but I intend to read it in full, and I suggest that everyone else in this topic do so as well. It’s a good guide. Based on what I have read so far, and what I have seen as to how snowdrift.coop handles client data, I don’t think we will have to change that much; however, GDPR is something we will always have to consider as we make decisions moving forward that involve the personal information of our clients.

1 Appreciation

Anyone who spends 2 seconds looking at Snowdrift will realize we take this stuff seriously, and have been following the spirit of GDPR from day one.

It’s impossible to get it totally right, and if someone is going to start a smear campaign against us because of GDPR non-compliance, they will do so regardless of how many boxes we’ve ticked. We can’t fight with logic, because smear campaigns aren’t about logic anyway.

Besides smear campaigns, I can’t imagine any high-severity issue with how we are handling data. Minimizing the potential for high-urgency situations (e.g. if Stripe were to hypothetically give us some crap) is good, but that’s a very, very low risk anyway.

In other words, the chance for trouble is small, and the amount of trouble that can be generated is small.

We do need to treat this as important, but we are already doing so. That is different from suggesting there are high-priority changes to make to the website.

2 Appreciations