GDPR – a small word with a potential BIG impact on your start-up

If data is the name of your game, you’ve probably already heard of this 4-letter acronym for new European regulation that’s coming into effect on May 25, 2018. If you haven’t been following the buzz and think it’s irrelevant to your start-up, think again.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European regulation that will set a new standard for data privacy and consumer rights. It will give EU citizens more control over their personal data, including easier access to it, simpler portability between service providers, the right to erase their personal data and to be notified if it has been hacked.

While businesses will have to apply suitable technological and organisational measures to secure personal data and its privacy, as well as keep detailed records of all their data processing activities, this regulation is meant to make their regulatory life easier too. All the data protection rules will be streamlined under a single set of EU-wide rules and a single supervisory authority (in the company’s EU base country), saving money, increasing effectiveness and creating new business opportunities.

Why should you care?

The GDPR won’t just cover businesses that operate in an EU member state and store or process personal data. It will extend to require compliance also by businesses that operate outside of the EU and offer goods and services that collect and process personal data, or that monitor the behaviour of individuals in the EU. 

This regulation should be taken seriously because companies that won’t comply will be exposed to serious fines with penalties up to €20 million, or 4% of the company’s total worldwide annual turnover, whichever is higher.

Not just the “where” but “how”?

The GDPR examines the control over personal data, rather than its possession. It creates two different types of roles that affect the extent of responsibilities: data controllers and data processors. Data controllers are companies that determine the purpose or the way in which the personal information is processed. Data processors, like their name, process personal data under the controller's instructions (many service providers are processors). Under the GDPR, the controllers have the primary responsibility for compliance, although the processors also have direct compliance obligations.

Which types of data need to be protected?

The definition of personal data will cover a broad range of personal information, from technical cookies and IP addresses to political affiliation and biometric information.

Personal data covers any information that relates to an identified or identifiable natural person (defined as a "data subject"):

·         Basic identity information such as name, address and ID numbers
·         One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person
·         Online identifiers such as location, IP address and cookies

Sensitive personal data is a special category of personal data that will be subject to additional protections and restrictions:

·         Racial or ethnic origin
·         Political opinions, religious or philosophical beliefs or trade union membership
·         Health, sexual orientation and data concerning the person’s sex life
·         Genetic data or biometric data

The new requirements in a nutshell

The need for clear and separate consent: while companies already need the consent to process data, consent will no longer be bundled. Companies will need to get separate permission (and explicit permission when the data is sensitive) to use customer data for marketing, maintenance, support, fraud check, etc. Consent will have to be clear, in accessible form, with the purpose of the data processing attached to the
The “right to be forgotten”: users will have the right to withdraw their consent, which means companies will have to delete any information they hold.
Data portability: customers will be able to ask for a copy to their data, requiring the company to confirm that they process the customer’s personal data and provide a machine-readable copy of it. They might also have to provide extensive supporting material on the type of data and reasons for processing it. And all this must happen within a month of the request.
Privacy by design: since the new regulation also addresses security matters, companies will have to be able to provide a “reasonable” level of data protection in addition to privacy. They will have to be able show that safeguards to privacy and security are built into products (such as mobile apps) and services, from the earliest stage of development. As a means of achieving this design goal and avoiding security risks, the regulation specifically mentions encryption and pseudonymisation to separate personally-identifiable information from other data.
Privacy impact assessment: companies will have to identify any security vulnerabilities to mitigate the risk of data breaches and protect the rights and freedoms of their data subjects.
Data breach notification: if a breach will happen, businesses will have to report it to the supervisory authorities and to the individuals affected within 72 hours of detecting the breach.
Data protection officers: under certain circumstances, companies will have to appoint a point person to direct and oversee the execution of all their data protection policies and procedures, including handling the public requests and informing supervisory authorities about breaches.

How can this affect your start-up? 

If you are a data controller or processor offering goods and services (even for free) or monitoring user behaviour of EU data subjects (e.g. when users are tracked by techniques that apply a profile to enable decision making or predict personal preferences), you will need to appoint a representative in the EU.

If you are a services provider, you will need to assess whether you have obligations as a data processor and build them into your policies, procedures and contracts.

Steps you should take

Your customers will want to ensure that your services and operations are compliant. Consult with your legal counsel on the regulatory requirements that pertain to your activities. Allocate resources to implement technical and organisational security and privacy measures. Set out or update your policies and procedures, as well as any documentation on the information you process and store. If you have European operations, you should contact a local specialist to perform a Data Protection Impact Assessment.

Being proactive will help you not only be better prepared, but also show leadership with your customers and end-users, retaining your competitive edge.

Maya Nix, Canadian and Israeli lawyer turned start-up marketer
Image source: Shutterstock/Wright Studio