A few days ago, I saw an article that began with the words “Now that the GDPR is over”, which is pretty reflective of an idea that’s surprisingly common — that post May 25th the GDPR is no longer an issue. This couldn’t be more wrong.
“GDPR day” was simply the date that it became legally possible to enforce the GDPR and to issue punishments and sanctions where violations occur. With that said, the GDPR is absolutely a concern for Startups — whether you’re just about to get started or already launched, but didn’t get everything in order by May 25th — this is definitely something that’s more relevant than ever.
If you are a startup (or any business really), the GDPR should make you think about how you manage your data in a transparent, responsible, and accountable way — showing and ensuring that you’ve put the right systems in place to manage user data securely.
Despite the initial effort, this can actually be a good thing (especially for startups).
In a time where iterative development has become increasingly popular (and with good reason), this regulation pushes us to pay attention to the undeniable fact that we’re responsible for people’s data and forces us to think about and design the data lifecycle in a minimalistic and responsible way.
This can be further useful for new/unheard-of companies as it gives the opportunity to build trust and make that a feature of your branding.
There’s no point talking about the GDPR without talking about the biggest motivating factor for compliance —
If you’re not already aware, the consequences of non-compliance are pretty steep. A first-time violation may or may not get you a warning. If you fall within the “may not” category, you’re looking at up to 20M Euro or 4% of your global revenue (which ever is more), and that’s not all. You can be audited, which can result in you being barred from making use of valuable data if some aspect of your data life-cycle was found to be in violation, and you’ll also be open to lawsuits, as the GDPR gives users the right to file a complaint and seek damages where their data was not handled in a compliant way. Needless to say, there are real reasons for the panicked scramble that occurred in the weeks leading up to to May 25th.
It likely does. The GDPR can apply in any one of three scenarios:
The GDPR specifically refers to “personal data”. Personal data under the GDPR means any information relating to a natural person which can be used to directly or indirectly identify the individual. This definition is pretty wide-reaching and includes such identifiers as name, id, location data, photos, email addresses, IP addresses etc.
The scope of this protection extends to any natural person in the EU which can mean users, employees, vendors, partners, customers or even members of the general public.
This means that not only must you manage user data responsibly, but you must also pay attention to your privacy management within your organization as well (aka how you manage your internal data) as similar rules may apply.
So what exactly does this mean for startups? What sorts of things do you need to pay attention to and how do you address them?
1) Roles
Central to the GDPR are the newly defined roles and responsibilities. The main ones are:
2) Privacy by design
The GDPR requires that data protection be considered from the onset of design and development of the business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.
Some factors to pay special attention to are:
3) Privacy Notice
This is a legal statement or document that discloses required information related to how and why user data is processed and is more commonly referred to as a “privacy policy”. Even before the GDPR came into effect, privacy notices/policies have been a legal requirement under most local and international legislations.
4) Defining the types of data
Not all personal data is the same. Some types of data are given additional protections under the GDPR. These are:
5) Legal Bases
The Legal Bases for processing data are just that — the basis or legal justification for your processing. There are 6 legal bases under the GDPR (you can read them here).
One of the more common legal bases is consent, however under the GDPR consent can be a bit taxing and in some cases is may not be your best basis (For example, if you’re processing employee data, your legal basis might be “performance of a contract” as opposed to consent). Data subjects may have more or less rights depending on the legal basis applied. Generally determining your best applicable legal basis can be tricky and it is highly recommended that you consult with a legal professional for this.
6) Monitoring/tracking
Monitoring” under the GDPR is referred to within the context of *”profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” *In many cases, monitoring can require consent with users reserving the right to object to, or restrict this type of processing. Whether or not something constitutes a profiling can often be determined by the purpose of the processing activity. The example here (involving Google Analytics) illustrates this point.
7) Cross-border data transfers
If transferring EU resident data outside of the European Economic Area (EEA), you must only do so where certain conditions are met. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or the data may be transferred under the protections of standard contractual clauses (SCCs) or binding corporate rules (BCRs) in some cases. In regards to data transfer to the US, all transfers require that informed consent is received from the user.
1) Strategize and plan with risk in mind
2) Identify/review your legal basis for processing, ideally with a legal professional.
3) Put into place a comprehensive and compliant privacy policy:
Under the GDPR privacy notices must be easy to access, easy to read and understand, must not contain unnecessary legalese and must be up-to-date. These notices should contain:
4) Review third-party involvement (including your cloud hosting provider)
7) Review your own processes and systems for dealing with user rights.
8) Keep valid records of your data processing activities (including internal records of processing)
9) If using consent as your legal basis, be sure to manage consent in a compliant way and to maintain valid records of consent.
To be considered valid, consent must be:
However you choose to handle the extra responsibilities that the GDPR brings, one thing is certain — while it may cost you more up-front, it can give you the competitive advantage of starting things right: mitigating risk and saving you money in the long-run.
The GDPR is here to stay, so why not embrace it?
You can read more in-depth information about the GDPR in the dedicated GDPR guide here.
