Building a start-up sounds exciting and fun: chase funding, hire smart people, set up a fancy office, buy funky furniture and plan marketing. But however exciting your venture is, there is one area that founders tend to ignore: compliance. It does sound like a dull subject, but the consequences of ignoring it can get you into trouble. A tight grip on licensing and data protection is a must-have, just like the foosball table you have in the office.
The discussion here is relevant to all start-ups and digital companies in the EU. The new rule, the General Data Protection Regulation (GDPR), entered into force on May 25, 2016, with the expectation that after a two-year grace period companies and start-ups would be obliged to comply with the new regulations. The new EU General Data Protection Regulation (GDPR) is due to come into force in May 2018.
Here’s what you need to know:
Data protection laws apply to all businesses, irrespective of their size. Some countries, such as Germany, already have strict data protection regulations in place, but GDPR brings a major boost for compliance with fines of up to €20M or 4% of global turnover for more serious offences. That kind of sum might be small for a big company, but it could empty the coffers of a start-up relying on seed funding or early tranches of investment.
One of the key principles of GDPR is privacy: looking after the security of the personal data that your customers have entrusted to you.
Understand the definition of “personal data”
- Name, address and unique identifying numbers (e.g., your SSN)
- Demographics, such as age, gender, income or sexual preference
- Behavioral data, such as web searches, purchase history and more
- Social data, such as who your friends are, your emails, etc.
- Sensor data, such as biometrics and health tracking devices
- User-generated content, such as videos, photos, blogs or comments
Document your data
Understand your systems and the types of data you hold, and document who has it, why they have it and who has access to it. This is a crucial preparation step. Under the GDPR, the entity controlling the processing of personal data needs to be prepared to demonstrate compliance with these requirements; this is called the accountability principle.
Data Subject, Controller, and Processor
- Data Subject: This is your customer, your employee, your user or any EU citizen who has entrusted you with their personal data.
- Data Controller: This is your company. It is who customers entrust the data with, and the party responsible for deciding what happens to the data, what it is used for and how it is handled.
- Data Processor: This is any entity that actually handles personal data on the instructions of the data controller. It is a nuanced distinction, but a very important one.
One of the big topics of the GDPR is consent and proving you have it. According to the ICO, consent needs to be completely unambiguous and the GDPR explicitly bans pre-ticked opt-in boxes.
If you market directly to prospects or customers, a positive opt-in will be required. Individuals must opt in whenever data is collected, and there must be clear privacy notices. Those notices must be concise and transparent, and users must be able to withdraw their consent at any time.
Right to be forgotten
An individual will have the ‘right to erasure’, which means that all data on them can be permanently deleted. In addition, they will have the right to transfer this data to another company.
All consumers have the right to move their personal data between providers. As a business, it’s your responsibility to:
- Provide this data in a commonly used format (e.g. a CSV) free of charge when asked
- Pass the data to another provider if it is technically feasible
Data Protection Officer
Companies must appoint a data protection officer if they:
- are a public authority;
- carry out large-scale systematic monitoring of individuals (for example, online behavior tracking);
- carry out large-scale processing of special categories of data or data relating to offences.
Privacy Impact Assessment (PIA)
PIAs will be mandatory if data processing is risky for individuals, for example:
- where a new technology is being deployed;
- where a profiling operation is likely to affect individuals significantly;
- or where there is large-scale processing of the special data categories.
While you may not need to formally appoint a Data Protection Officer, it is worth getting someone within your company to brush up on the regulation to make sure you are complying, so you do not get hit with a potentially fatal fine.
Fines for non-compliance with European data protection regulation will increase dramatically under the GDPR, and your ability to comply with the GDPR may affect how investors view your company. Ensure that everyone in your organisation understands the company’s obligations and the risks associated with non-compliance.