Entrepreneurs are busy people having to distribute their precious time between technical implementation, marketing and monetization. Data privacy is not very high on the list of things that need to get done but the GDPR knows no mercy or the concept of a test or beta phase.
As soon as the data of real people is processed, the rules of GDPR apply. Looking into data privacy early prevents bad decisions and can ultimately shape a more sustainable business plan.

In this guide, I want to provide basic requirements and actions for young businesses to avoid privacy debt. Ignoring GDPR responsibilities can result in fines, invalidate the business case, leave organizations open to legal action and negatively affect the credibility of the startup.

Why this is important

The GDPR became enforceable on 25 May of 2018 and is a regulation for all member states of the EU. It affects all organizations that collect data from EU residents and has become a model for many national laws outside of the EU.

Violators of the GDPR may be fined up to €20 million or up to 4% of the annual turnover of the business. Solid investors will check if the paperwork of a startup includes the necessary documents regarding data privacy.

GDPR compliance is an advantage, adding value to the business and giving customers the security that their rights are taken seriously.

gdpr is here to stay

Lawyer up

The GDPR was written by lawyers and is filled with legal terms. To understand it requires to decipher the language and terms. Here are some basic explanations for common wording in the data privacy regulation law.

Data Subjects are individuals. The natural person whose data is being processed. This can be a customer or an employee.

Data Controller describes the entity that “determines the purpose, condition and means” of the processing of personal data. This is the entrepreneurs’ startup or small company.

Data Processor is the entity that processes data on behalf of the Data Controller. Sometimes companies are the Controller and Processor at the same time but the Processor role can also be outsourced to a third party.

Personal Data is any information relating to an identified or identifiable natural person. Examples are e-mail addresses, names, birth dates, financial data.

Sensitive Personal Data is a set of “special categories” that must be treated with extra caution. This category includes racial or ethnic origin, political opinions, religious beliefs, health data and more.

welcome

Data Privacy Mindset

With the right approach and by following a few rules it is possible for small businesses to implement a robust approach to data privacy. Collecting data of users is a responsibility that startups and entrepreneurs need to prioritize. The following points are by no means a GDRP compliance guide but a good foundation to build on top.

Data classification

A good way to start the process is by performing data classification. This must involve the data directly requested from users (e.g. name, email address, day of birth, password) and also data that is collected during the use of a service (e.g. log files, browser information, IP address). Documenting the categories of all data collected is the base for the next steps.

Data flow

The data flow of data provides the ability to implement appropriate protective measures. Those can be technical, organizational or contractual. Documentation of where data is stored and which services are involved is essential. Data classification and data flow documentation underline the purpose of data processing.

Third-party screening

You can’t outsource risk nor responsibility. Startups need to choose third-party services not only by features but also with regards to their data privacy policy. A list of all service providers of a company has to be compiled and the data and data categories shared with them have to be documented. The data flow diagram reveals what data is shared with which provider.

Transparency and consent

Personal data can only be processed and stored with the consent of the user. The purpose of the data collection has to be made clear to the user and any change to it requires new consent. Being transparent about data processing is a major goal of the GDPR. Creating a transparent message of how customer data will be used builds company integrity and emphasizes the commitment to GDPR compliance.

Point of Contact

Customers have the right to request information about their data usage (data subject access requests) and can also request the erasure of their data. Every data processor needs to provide therefore a point of contact. Please keep in mind to properly authenticate a person before handing out information.

The Newsletter Example

Our example startup develops a mobile application and has a promotional website where interested people can sign-up for a newsletter.

Operating a website and a newsletter are powerful tools to build and maintain relationships with customers. But it requires a comprehensive privacy policy and user consent as personal data is being collected. The involvement of any third-party has to be disclosed to the customer as well.

Let’s recap. The collection and processing of data from EU residents require the following disclosure of information:

  • What data is processed? Just the e-mail address or is the startup collecting more information like IP address, country, and gender?

  • What is the purpose of the collection? In our case this is market analysis, sending out newsletters and maybe selecting early adopters for the application. It’s important to be specific about the purpose and changes to the purpose require additional consent.

  • The involvement of third parties has to be disclosed to the user. Which other companies receive the e-mail address? Where is the data stored and processed?

  • How can the user contact the data processor and request the erasure of the data? Keep in mind that this includes the deletion of the data from third-parties.

Applied Data Privacy for the Newsletter

Privacy Policy

Draft a comprehensive yet simple Privacy Policy and make it accessible to your users. With the collection of the above information, it will be easy to meet the obligations.

The following information has to be included:

  • What personal information you collect

  • What you use it for

  • Whether you use third-party service

  • The controls users have and how they can get into contact

Consent

The privacy policy is a passive document that gives information to the interested user, consent, on the other hand, is a clear affirmative action that signifies agreement to the processing of personal data.

Implied consent is no longer an option. Consent under GDPR has to be expressed - to ask for consent, the user has to understand the question and implication and then make a genuine choice.

Here is an appropriate example of newsletter signup. The user is made aware of the purpose and a link to the privacy policy is provided.

good consent

The following example is non-compliant with GDPR. It implies consent to the processing activities and the user is not made aware of what the signup means, what the data is used for or how to get more information.

bad consent

The rights and freedoms of the user are violated by providing a non-transparent sign-up.

Conclusion

With a good foundation, it is possible to gradually mature the data privacy processes and supporting documents.

Writing a Record of processing activities, performing a Data protection impact assessment, or consulting with the authorities are the next steps a company needs to take in accordance with GDPR.

Data privacy is never done but instead a continuous process and has to be part of the DNA of any successful company.