Entrepreneurs are busy people who have to split their scarce time between technical implementation, marketing and monetization. Data privacy is rarely high on the list of things that need to get done, but the GDPR knows no mercy and has no concept of a test or beta phase.
As soon as the data of real people is processed, the rules of the GDPR apply. Looking into data privacy early prevents bad decisions and can ultimately shape a more sustainable business plan.
In this guide, I want to lay out the basic requirements and actions that let young businesses avoid privacy debt. Ignoring GDPR responsibilities can result in fines, invalidate the business case, expose the organization to legal action and damage the credibility of the startup.
Why this is important
The GDPR became enforceable on 25 May 2018 and applies directly in all EU member states. It affects every organization that processes the personal data of people in the EU, whether or not the organization itself is based there, and has become a model for many national laws outside of the EU.
Violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the business, whichever is higher. Solid investors will check whether the paperwork of a startup includes the necessary data privacy documents.
GDPR compliance is an advantage, adding value to the business and giving customers the security that their rights are taken seriously.
The GDPR was written by lawyers and is filled with legal terms. Understanding it requires deciphering that language first. Here are basic explanations of the most common terms in the regulation.
Data Subject is the individual: the natural person whose data is being processed. This can be a customer or an employee.
Data Controller is the entity that “determines the purposes and means” of the processing of personal data. For the entrepreneur, this is the startup or small company itself.
Data Processor is the entity that processes data on behalf of the Data Controller. A company can be Controller and Processor at the same time, but the Processor role is often outsourced to a third party such as a hosting or e-mail provider.
Personal Data is any information relating to an identified or identifiable natural person. Examples are e-mail addresses, names, birth dates, financial data and online identifiers such as IP addresses.
Sensitive Personal Data is a set of “special categories” that must be treated with extra caution. This category includes racial or ethnic origin, political opinions, religious beliefs, health data, genetic and biometric data, and data concerning sex life or sexual orientation.
Data Privacy Mindset
With the right approach and by following a few rules, small businesses can implement a robust approach to data privacy. Collecting users' data is a responsibility that startups and entrepreneurs need to prioritize. The following points are by no means a complete GDPR compliance guide but a good foundation to build on.
A good way to start is data classification. This must cover both the data requested directly from users (e.g. name, e-mail address, date of birth, password) and the data collected while the service is used (e.g. log files, browser information, IP address). Documenting the categories of all data collected is the basis for the next steps.
Documenting the data flow makes it possible to choose appropriate protective measures, which can be technical, organizational or contractual. Recording where data is stored and which services are involved is essential. Together, data classification and data flow documentation make the purpose of each processing activity explicit.
Transparency and consent
Personal data may only be processed on a lawful basis. For a startup's marketing and analytics this is usually the consent of the user, so the purpose of the data collection has to be made clear to the user, and using the data for a new purpose requires new consent. Being transparent about data processing is a major goal of the GDPR. A clear message about how customer data will be used builds company integrity and shows a real commitment to GDPR compliance.
Point of Contact
Customers have the right to request information about how their data is used (data subject access requests) and can also request the erasure of their data; such requests have to be answered without undue delay and within one month. Every data controller therefore needs to provide a point of contact. Keep in mind to properly authenticate the requester before handing out or deleting any information, otherwise the access request itself becomes a way to leak personal data to a stranger.
The Newsletter Example
Our example startup develops a mobile application and has a promotional website where interested people can sign-up for a newsletter.
Let’s recap. Collecting and processing the data of people in the EU requires disclosing the following information:
What data is processed? Just the e-mail address or is the startup collecting more information like IP address, country, and gender?
What is the purpose of the collection? In our case this is market analysis, sending out newsletters and maybe selecting early adopters for the application. It’s important to be specific about the purpose and changes to the purpose require additional consent.
The involvement of third parties has to be disclosed to the user. Which other companies receive the e-mail address? Where is the data stored and processed?
How can the user contact the data controller and request the erasure of their data? Keep in mind that this includes having the data deleted by the third parties as well.
Applied Data Privacy for the Newsletter
The following information has to be included:
What personal information you collect
What you use it for
Whether you use third-party services
The controls users have and how they can get into contact
Implied consent is no longer an option. Consent under the GDPR has to be freely given, specific, informed and unambiguous, and expressed by a clear affirmative action: to ask for consent, the user has to understand the question and its implications and then make a genuine choice. Pre-ticked boxes, silence or inactivity do not count as consent.
The following example is non-compliant with the GDPR. It treats the act of signing up as consent to the processing activities, and the user is not told what the sign-up means, what the data is used for or how to get more information.
Such a non-transparent sign-up violates the rights and freedoms of the user.
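To show the server-side counterpart of a compliant sign-up, and the authenticated point of contact described earlier for access and erasure requests, here is an added example that is not code from the original article. It handles the posted form so that only an actively ticked, per-purpose checkbox counts as consent, records the evidence (purposes, time, version of the privacy notice), confirms the address with a double opt-in token, and releases or erases data only after the requester proves control of the address on record. The purpose keys, the field names (email, consent_<purpose>), the notice version, the in-memory store and the outbox standing in for real e-mail are all assumptions made for this illustration.

```python
# Added example (not from the original article). Purpose keys, form field
# names, notice version, in-memory store and outbox are assumptions.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Each purpose gets its own opt-in; none is pre-ticked and none is bundled
# into the act of pressing "Sign up". (Hypothetical purposes from the text.)
PURPOSES = {
    "newsletter": "Send me the product newsletter",
    "market_analysis": "Use my country and browser data for market analysis",
    "early_adopter": "Contact me about early access to the app",
}
NOTICE_VERSION = "2018-05-25"  # assumed version of the notice shown with the form


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


class ConsentError(ValueError):
    """Raised when a submission does not carry valid, explicit consent."""


@dataclass
class ConsentRecord:
    """Evidence of consent: who, for what, when, and against which notice."""
    email: str
    purposes: set
    notice_version: str
    granted_at: str            # ISO 8601, UTC
    confirmed: bool = False    # double opt-in completed
    pending: str = ""          # "confirm", "access" or "erase"
    token_hash: str = ""       # only the hash of the e-mailed token is stored


class NewsletterService:
    def __init__(self):
        self.records = {}   # email -> ConsentRecord
        self.outbox = []    # messages a real system would e-mail

    def _send_token(self, email, action):
        token = secrets.token_urlsafe(32)
        self.outbox.append({"to": email, "action": action, "token": token})
        return _sha256(token)

    def sign_up(self, form):
        """Handle the sign-up form. `form` is the dict of posted fields."""
        email = form.get("email", "").strip().lower()
        if "@" not in email:
            raise ConsentError("a valid e-mail address is required")
        # A browser only posts a checkbox the user actually ticked ("on");
        # absent, "off" or unknown fields count as no consent.
        granted = {p for p in PURPOSES if form.get("consent_" + p) == "on"}
        if "newsletter" not in granted:
            raise ConsentError("submitting the form is not consent; tick the box")
        rec = ConsentRecord(email, granted, NOTICE_VERSION,
                            datetime.now(timezone.utc).isoformat())
        rec.pending = "confirm"
        rec.token_hash = self._send_token(email, "confirm")
        self.records[email] = rec
        return rec

    def may_send(self, email, purpose):
        """True only after double opt-in and only for a purpose that was ticked."""
        rec = self.records.get(email.strip().lower())
        return rec is not None and rec.confirmed and purpose in rec.purposes

    def request(self, email, action):
        """Access or erasure request: nothing is disclosed or deleted until
        the requester proves control of the address on record."""
        if action not in ("access", "erase"):
            raise ValueError("unknown action: " + action)
        rec = self.records.get(email.strip().lower())
        if rec is None:
            # Respond the same way whether or not the address is known.
            self.outbox.append({"to": email, "action": action, "token": None})
            return
        rec.pending = action
        rec.token_hash = self._send_token(rec.email, action)

    def complete(self, email, token):
        """Finish the pending action with the token that was e-mailed."""
        rec = self.records.get(email.strip().lower())
        if rec is None or not rec.pending or \
                not secrets.compare_digest(rec.token_hash, _sha256(token)):
            return None
        action, rec.pending, rec.token_hash = rec.pending, "", ""   # single use
        if action == "confirm":
            rec.confirmed = True
            return {"status": "confirmed"}
        if action == "access":
            return {"status": "access", "data": {
                "email": rec.email, "purposes": sorted(rec.purposes),
                "notice_version": rec.notice_version,
                "granted_at": rec.granted_at, "confirmed": rec.confirmed}}
        del self.records[rec.email]   # erase; third parties must follow suit
        return {"status": "erased"}
```

The same token mechanism serves double opt-in and the point of contact: whoever asks for a copy or deletion of the data only gets it after clicking a link sent to the address on file, and the service reacts identically whether or not it holds data for that address, so the request channel cannot be used to probe who is subscribed. The stored record is the evidence that consent was given, for which purposes and against which version of the privacy notice; erasing the local record is only the first step, as the deletion still has to be propagated to every third party that received the address.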
With a good foundation in place, it is possible to gradually mature the data privacy processes and their supporting documents.
Data privacy is never done. It is a continuous process and has to be part of the DNA of any successful company.