Compliance with GDPR for an existing small business might be tricky. But...
I’ve been in the “online payment processing” space for decades. When I first got involved, there were no central guidelines for handling sensitive credit card data. And to be honest, there was a lot of neglect within the industry as a result. As I share memories with my colleagues of what was done in the early days, it is laughable and a horror at the same time. We were all learning on our feet.
When PCI was introduced in the mid-early 2000s, it was not easy to undo / redo things to be compliant. It took time and cost money. At the time I wished I was working on features rather than “compliance”. But we got there. It didn’t kill us, and in the end we had a better service because of it.
Fast forward a decade and I found myself working on another startup in the payments space. PCI compliance was in the very fabric from which we started - we designed things from the very beginning with PCI in mind. And that made PCI much easier overall because every decision contemplated PCI.
I feel GDPR will be similar. It will be a transitional burden because existing businesses will have to undo some practices and that is hard. But going forward startups will build services with GDPR in mind from day one, weaving compliance into the fabric of the product piece by piece, and everyone will be better off for it.
I’m sympathetic to small businesses that face a difficult transition. But I do feel that the burden is in the transition, and not something that will hang overhead forever.