I feel that you're ignoring the situation of small startups with just a few founders. At this stage, it can really kill your business to spend a lot of your resources on making sure you're complying with GDPR. Usually the 'consumers' of those startups are OK to take some risk; heck, a lot might even sign up with dummy emails.
The Poland proposal [1] to limit GDPR compliance to only large businesses was trying to address that. But it's flawed, because a small company (Cambridge Analytica) could still do a lot of damage to users' privacy... but the intent of Poland was good.
I feel there should be an opt-out based on the number of users and the age of the company/service: If you can easily prove that you're not handling more than X users and your company is less than 2 years old, then GDPR does not apply yet, as long as you warn clearly on your website that you're not-yet-falling-under-GDPR. If you're still in the GDPR-waiver zone but believe you are GDPR compliant, then you can remove the warning and are subject to GDPR like every other company.
That way entrepreneurs won't be scared to try some MVP here and there. I'm especially thinking of those trying to start a startup in countries that are part of the E.U. The rest of the world's entrepreneurs can just focus on their local userbase.
For what it's worth, I'd argue the same should be permitted of a small car maker. If I want to go build my own cars, step 1 should be putting a motor on a chassis and being able to drive forward. Step 1 shouldn't be adding airbags and seat belts to a couple axles.
The safest car is one that can't drive, and the most privacy-friendly software will fail to compile. You should be able to build a functional car before you need to worry about making it as safe as possible, and similarly you should be able to build a functional MVP of your software before you need to worry about compliance with a huge international policy.
Like most car analogies this one has a fatal flaw.
Before you are permitted to use your DIY car you need to comply with safety regulations to avoid harming others. You can keep your unsafe car off the street in your garage, though. Same for software that is not compliant; you just don't get to call it a "product" and let it loose on the public.
Going along that, it's also like 3D printing house startups not complying with fire safety regulations in the name of "oh no, it's too expensive, let's just not deal with that". Actually, thinking about it, such startups would probably start somewhere where regulations are laxer, make money there, then invest in security, and finally expand to western countries where they're subject to massive regulations. I don't want unsafe houses, I don't want unsafe cars, and I don't want unsafe websites. Some other countries don't mind about that. To each their own, what's so ridiculous about that?
I disagree with the analogy. Trying to use the same analogy: If I were a one-person entrepreneur trying an MVP, I would be building a bicycle, not a car. And what I suggest is having the right to put a sticker on the bicycle: "Warning, this is not compliant with the car regulations" to make sure people don't have false expectations. (Because I agree that in the real world, only a fool wouldn't be able to differentiate between a car and a bicycle, but for web services, this isn't an easy task.)
A one-person entrepreneur might not consider him/herself to be "in the webservice business". Instead he/she would consider being in the business of [whatever problem the MVP is trying to solve]. It just happens that in the 21st century, most innovation happens online.
Back to your car analogy, it seems that people on one side argue that all companies "in the webservice business" are 'car makers'. Some people on the other side of the argument might say they're not.
Also, ultimately, it's possible that after spending a lot of time and hours examining the legal requirements of GDPR, a startup realizes it's not technically hard to comply, but the issue here isn't implementing the requirements, it's more about getting all the legal analysis, certification, handling customer requests, etc.
> If you disagree, should the US also stop prosecuting VW for the diesel cheating?
In that case, VW has clearly been in the car business for much more than 2 years, and in my example "X users", a good value for X would be something orders of magnitude less than the number of VW customers around the globe. So no, the US would continue prosecuting VW.
Well it's funny because Uber, a company that actually does seem to have financial resources, is allowed to run their apparently unsafe cars on the streets of some US states.
To be fair though, Uber also has thousands and thousands of unsafely driven cars on the road that we have no problem with; humans are bad at controlling heavy rolling fast motorised steel boxes.
Uber seems to be worse than humans thus far. Orders of magnitude fewer miles than average before killing anyone, covering up red light running, misleading videos. A human driver like Uber would've ideally lost their license and faced legal penalties by now.
I feel like starting from scratch GDPR really isn't that hard to handle.
If your business is based around exploiting user data however it might be a lot harder, but then that's the point of GDPR, to prevent people exploiting user data.
GDPR exists because it turns out we can't trust companies to handle personal data with the care it deserves, and I don't see why any company should be excused that proper care.
> I feel that you're ignoring the situation of small startups with just a few founders
Isn't that the equivalent of starting a new car company and arguing that you shouldn't be required to follow the same safety standard as Volkswagen Group, because you're still a small company?
At its core the GDPR is simply stating that you're accountable for the data you collect and that you're only allowed to use the data for the purpose it was originally collected for. Building privacy into your product is much easier for someone designing something from scratch, compared to retrofitting it into the business plans of Facebook and Google.
I get the feeling that most of the people arguing against the GDPR are people who are focused solely on collecting user data as a core business. The people I know who are building actual products, where people pay for a service, are doing fine. Even though they have to build products in the manner I suggested five years ago, where user data is either not collected or deleted when processing is completed.
[1] https://iapp.org/news/a/polands-proposed-gdpr-exemptions-spa...