What is GDPR?
The General Data Protection Regulation (GDPR) is an updated privacy law for the digital age. At its core, GDPR is a new set of rules designed to give EU citizens more transparency on what data they are sharing, how it’s being used and granting more control over their personal data. The rules simplify and make clear the obligations of businesses and the rights of individuals in the digital economy. The regulation takes effect on May 25, 2018. If the GDPR applies to you, you’ll need to make sure your systems are in place immediately.
Who does GDPR affect?
The GDPR affects all businesses that offer products to the European Union or collect personal data from the EU citizens. The statute seems to indicate that the GDPR applies to non-EU citizens if they are going online in the EU, and to EU citizens when they are outside of the EU.
Ask the following questions:
Does your startup process EU data? Processing means collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation or any other operations on data.
Is that data considered “personal data”? This includes data that could identify a person and extends to data which while, in isolation, does not identify a person, would do so when combined with another piece of data. Of course, there’s the obvious data such as names, email addresses and phone numbers. But beyond that, online identifiers (e.g., IP addresses, device identifiers, Twitter handles, etc.), location data and a range of sensitive data such as medical data – could be considered personal data.
If you answered yes to both of those questions, the GDPR applies to you.
So, even if you are a startup in the US, this likely impacts you if you touch Europe at all. For instance, if you sell products or services to Europe, the GDPR applies to you. If you collect emails from European citizens, the GDPR affects you. It’s safe to say that if your startup is online at all, you should assume the GDPR affects you.
According to a PWC survey, GDPR compliance is the top data protection priority for 92% of US organizations.
Rather than trying to set up two different data policies for EU and non-EU, it’s probably a good idea for your startup to apply the higher GDPR standard to all of your clients / customers. This will be a pain now, but will save you the headache down the line.
What are the GDPR penalties?
Is compliance with GDPR really that big of a deal? The answer is, actually… yes. Here’s why, the penalty for violation of GDPR is actually pretty stiff. Fines can go up to 20,000,000 EUR, or up to 4 % of the total worldwide annual revenue of the preceding financial year, whichever is higher.
What rights does an individual have?
Startups need to understand the basic rights that the GDPR affords individuals, as it will affect the design of your product or services. These rights are:
Right to Be Informed: When personal data is collected the company must provide all of the following information:
the identity and the contact details of the company collecting the data;
the purposes of the processing;
the legitimate interests pursued by the company;
the recipients or categories of recipients of the personal data, if any;
the fact that the company intends to transfer personal data outside the EU;
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
the existence of and logic behind automated decision-making and its consequences.
Right of Access: The individual has the right to access to their personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
the period for which the personal data will be stored;
the existence of automated decision-making and its consequences.
Right of Rectification: The individual has the right to rectify inaccurate personal data concerning him or her.
Right to Be Forgotten: The individual has the right to require the company to erase personal data concerning him or her without undue delay.
Right to Restrict Data Processing: The individual has the right to restrict the processing of personal data when the accuracy of the personal data is contested, the processing is unlawful, or the controller no longer needs the personal data to provide the product or service.
Right to Data Portability: The individual has the right to receive the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format. The individual also has the right to transmit those data to another company (even a competitor) without hindrance from the company.
Right to Object: The individual has the right to object to the processing of their personal data. When the individual objects to processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to Human Decisions: The individual has the right not to be subject to a decision based solely on automated processing, when such automated decision making will significantly affect him or her.
What steps should I take?
Ok. I get it. GDPR is important, and it applies to me. So, what should my startup do about it?
Know Your Data
One of the biggest barriers to compliance is the fact that most startups don’t even know what data they hold, where they hold it, or what application servers are accessing it. They know they have a bunch of data, but they don’t know what exactly it is.
The GDPR covers two categories of protected information: “personal” and “sensitive personal.”
Personal Data: Personal data under the GDPR law refers to anything that can be used to identify a person, directly or indirectly including but not limited to the following:
Online identifiers (IP address, cookie strings, etc.)
Sensitive Personal Data: Sensitive personal data under GDPR law is considered much more sensitive and thus comes with greater protections and more stringent regulations. Sensitive personal data includes but isn’t limited to the following:
The GDPR requires higher standards for processing sensitive personal data. If your startup is processing sensitive personal data, make sure you meet the heightened requirements.
Kids: What about the kids? The GDPR includes additional rules for kids. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. It’s the responsibility of the company to make a reasonable effort to verify such consent.
Know Your Role
The GDPR splits data collectors, in this case your startup, into two categories, Data Controllers and Data Processors. The Data Controllers determine the purposes and means of the processing of personal data. The Data Processor actually processes that data. Though it’s possible for a startup to play both the Data Controller and Data Processor roles, these days with the rise of the No-Stack Startup, it’s much more likely that your startup only plays one role.
For instance, if you rely on Stripe, Plaid or Braintree to process your payments, you are the Data Controller, they are the Data Processor. If you rely on Mailchimp or SendGrid to collect emails addresses and send emails, you are the Data Controller, they are the Data Processor. If you use Salesforce or ProsperWorks for your CRM, you are the Data Controller, they are the Data Processor.
The old regulations used to only apply to Data Controllers, but the new GDPR applies to both parties. So, regardless of your role, it is now your responsibility to ensure that the other company is compliant to the new GDPR standards.
Getting consent for collecting data from individuals is a cornerstone of GDPR. Consent is one of the lawful bases for processing personal data and one of the permitted means by which personal data may be transferred to a third country outside of the European Union. The GDPR defines consent as any freely given, specific, informed and unambiguous indication that he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
When your startup is gathering information, implement the following:
Check boxes: consent requires a positive opt-in action so no pre-checked boxes allowed to show the user taking action.
No precondition of service: consent cannot be a precondition of signing up to receive a service (unless it is absolutely necessary for that service) and it can’t be bundled together with consent for other terms and conditions
Specific: the consent must specifically relate to what you are using the data for. Strictly speaking, this means getting separate consents for each type of processing
Informative: individuals need to know who the “controller” of their personal data is – and also that they have a right to (easily) withdraw consent at any time
In some cases, such as processing Sensitive Personal Data, explicit consent is required.
Keep it Clean
If your startup’s data storage is a mess, the GDPR is a good excuse to clean it up. Compliance with the new rights granted to your users requires the ability for you to clearly understand what information you are collecting, keep it secure and to be able to retrieve, delete it, and share it quickly. So, take this opportunity to clean up your databases and servers.
Data Protection Officer
It’s a good idea for a startup to create a Data Protection Officer to oversee data security strategy and compliance with GDPR. However, it’s not required unless you either process Sensitive Personal Data; or regularly monitor/process data from EU citizens on a large scale. Large scale, unfortunately is not defined. Apparently, an earlier draft defined large scale as employing 250 or more people or processing data pertaining to 5,000 or more individuals in any consecutive 12-month period. But that definition was dropped out before the final draft. Most startups probably don’t meet the large-scale requirement.
The GDPR mandates that both Data Controllers and Data Processors that are based outside the EU nominate a representative inside the EU. This is similar to the registered agent requirement for incorporating in most US states. However, if you are not processing data on a large scale or are not processing Sensitive Personal Data, your startup is exempt.
The goal is to:
Cut out the legalese;
Simplify technical information;
Use short and clear sentences; and
Draft with the average user in mind.
For most privacy policies, we organize the information in the following manner:
What information we collect
How we use the information
How we store and secure the information
How we share the information
How long we keep the information
How to access and control your information
How we transfer information internationally
Other important privacy notices