A watershed moment which affects every entrepreneur is coming and it’s not too far on the horizon. The date is May 25, 2018. And the subject is GDPR – the EU’s General Data Protection Policy which comes into force on that date.
On the face of it, to anyone not familiar with legal terms, the whole thing is a minefield of information. A myriad of details. And a labyrinth of legalese. I’m sure there’s a few more analogies to throw in but I’ll stop there.
Anyway, the GDPR will have a major effect on businesses of all shapes and sizes, including startups. This is because when it comes to the law, there is no discrimination or special cases based on size.
So how do you make your startup GDPR-ready?
I confess to being an absolute novice on the subject, but lucky for you (and me), I have some words of wisdom for you from our resident expert in the ways of the information and legal superhighway. Step forward Manos Dramitinos, CIO of Epignosis, one of the jewels of the Starttech Ventures portfolio. This is what he had to say about it all.
What is GDPR?
Above all, GDPR is a regulation, this means that – as opposed to EU directives – it is self-activating and legally binding upon its enforcement date. GDPR replaces the prior data privacy EU Directive 95/46/EC and regulates how individuals and organizations such as government institutions and companies may obtain, use, process and delete personal data of European citizens.
Its territorial scope is also substantially larger. How? Because it applies to any company that is doing business with/processing personal data of EU citizens. Regardless of where it is established or where the actual processing of personal data takes place. This means that even if a company is not based in the EU and there is no processing of personal data in any EU-based facility, either the offering of goods-services to EU citizens or the tracking of EU citizens behavior – for example by means of cookies – are enough for the company to be subject to the forthcoming regulation.
Why is it being introduced?
The EU basically wants businesses and organizations of all sizes to take increased accountability for the data they collect. Up to now, data protection has typically involved a tick the boxes approach. The EU now wants companies take a step back, check what data they collect, and consider how they store it and take care of it.
Additionally, GDPR makes consumers/end-users more aware of how their data is being used. The aim is to give individual data subjects a deeper understanding of what organizations are doing with their information. As a business, you’ll need clear signposts around your website about what’s happening to users’ data, for example. And when using third-party data services such as Google Analytics for tracking browsing data, you’ll need a proper contract with them, taking into account GDPR.
Why should I care about it? Should I be afraid? And if so, how afraid?
There’s a lot of hype going around that companies should be absolutely terrified of this. It’s simply not true. You do need to take it seriously; simply because it applies to all businesses, and even smaller organisations can face fines of up to €20 million. But, there’s no need to panic. GDPR is a principle-based law, and it is not highly prescriptive of how those principles are applied. Read the law, get legal advice, make a plan and execute it to achieve compliance.
The major changes of the regulation at a glance for my company?
The main points, and by no means an exhaustive list, are the following:
Your company is responsible for and must be able to demonstrate compliance for the data it controls and/or procsses. This means that you must be able to document and prove how you ensure data confidentiality, integrity and security. You must also justify the lawfulness of processing you perform, and ensure it is adequate, relevant and limited to the processing purpose for which the data have been provided.
b) Enhanced data subject rights
The new regulation empowers users with the right to be informed about what data you keep about them and the respective processing. Not only that, but it also gives users the right to access, rectify or export their data. Users also have the right to object to processing and have their data erased. As well as:
- the right to be forgotten if no longer using the service
- the right to restrict or stop processing
- lodge complaint and
- not to be subject to decision solely based on automated processing (e.g. for hiring)
Supporting these rights is mandatory and you should enhance your services or site to be able to support them. Additionally you need to be able to demonstrate that you support them, so implementing logging and timestamping will come in handy for you.
User consent is one of the six legimitate reasons for processing personal data. And it should be freely given by a clear affirmative act. E.g. by ticking a box on a distinct form written in plain, clear language without legalese or “blanket wording”. Silence, pre-ticked boxes or inactivity do not constitute consent under GDPR. Consent should be given separately for each processing activity involved (e.g. different for each service you provide, and different for marketing). You need to record user consent and ensure that it is just as easy for the user to withdraw as it is to give consent.
d) Flow down security and privacy obligations
In case your company uses subprocessors (and in the era of the cloud really who doesn’t?), such as third party services for cloud infrastructure or specialized services (e.g. payments) then you have to tread carefully. You must make sure that you flow down your security and privacy obligations to your subprocessors.
This is one of the most heavily criticized aspects of the regulation. Why? Because combined with the fact that under GDPR, the likes of IaaS, PaaS, and pure storage SaaS services are all considered “subprocessors”, it is extremely difficult to achieve GDPR compliance if your company performs outsourcing and any cloud-related service model. You must review the third party services you need and ensure that you meet security and privacy obligations sufficiently. And that you reflect them in your contracts. If not, then modify your contracts or consider alternatives. Good luck!
e) Data breach notifications
Data breaches resulting in risks for individuals must be communicated to the supervisory authorities, and in case of high risk, the affected individuals within 72 hours.
If your company is not located in the EU but is subject to GDPR, then you should appoint an EU representative. If you perform processing in the US and you transfer personal data of EU citizens there, make sure you have a PrivacyShield certificate. This is one possible way to perform international data transfers of personal data lawfully. Check here for a list of countries where EU officially acknowledges adequate data protection. In case your company performs processing on a large scale of sensitive data or regular and systematic monitoring of data subjects on large scale, then you need to appoint a Data Protection Officer. Finally, it may be required to perform a Data Privacy Impact Assessment so as to ensure that you evaluate and address risks for the personal data of individuals in your company’s operations and services.
The first step in preparing for GDPR?
Accepting that you need to start now! Even the smallest startups should begin preparing themselves. Make a plan or follow one suggested by a supervisory authority (e.g. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf) and adapt it to your company! After that, the first practical step is to know your data, GDPR is all about personal data and accountability for privacy and security after all…
Knowing your data means you can answer:
- what type of data you process
- how you acquired them
- when and why
- where they are located
- who has/should have/may get access
- how data are shared and flow inside your company and to third parties
Create a data map where all this information is visualized. So that you can easily detect potential threats and specify security and privacy controls proportional to the sensitivity of the data. Make sure you have a legal basis for the data you keep and process and that you can support data subjects requests about them, while ensuring privacy and security at all times.
What data do you really need?
Acquire and process the minimum set of data needed for the processing purposes you have a legitimate basis for (e.g. due to legal contract with the individual or by means of obtaining consent). Ensure that this data is exposed to the people that really need them in order to perform their tasks. Sharing other people’s data with anyone out there will surely get you into trouble.
Why is data security so important?
Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. You should explicitly embed privacy by design and security in your services and daily operations, ideally from day zero. This is the only way to ensure GDPR compliance and meet your ethical and business obligation to keep your customers’ data secure. Ignoring security open the door to the kind of trouble that can destroy not only GDPR compliance but essentially your customers’ trust and your business.
Any final remarks?
Be thorough. Cover and document everything. Use GDPR as an opportunity to review and improve your business processes, privacy and security standards. It may be painful, but it will be worth it. The old cliche no pain, no gain truly applies here. Think about it though. When was anything which caused a little pain not worth it?
Also if your company is involved in marketing operations, cookies and OTT/IoT communication services, keep an eye open for the ePrivacy regulation. This is GDPR’s so called “twin”. It is expected to be presented for approval in the European parliament the coming months. Don’t panic. Keep your sense of humor. It’s the most important ingredient in the workplace if you ask me.
No rest for the entrepreneur then. But you wouldn’t want it any other way, right?