Startup company – adopt ‘a German mindset’ to comply with GDPR by May 2018


The new General Data Protection Regulation (GDPR) laws of the EU are already in force, and the transition period for companies to become compliant ends on May 25, 2018. It’s high time for startups, too, to know what GDPR is and what it requires from company processes, documentation, technology, UX, and contracts. It’s a substantial amount of work, but the potential sanctions are significant as well. Therefore, better get moving right now.

On June 14, Takeoff Partners and Exove organized a morning info session tailored for startups and early-stage companies to understand, manage, and mitigate the effects of GDPR. GDPR has had businesses buzzing for some time already, and for good reason: while the new data protection laws will bring a lot of protection for the individual, for companies it’s more like ‘bad news’, i.e. a lot of work. Let Exove’s CEO Janne Kalliola explain. The content of the presentation is also available on SlideShare.

So what is GDPR?

In a nutshell, it harmonizes the managing of personal data in EU member states and gives new rights to individuals. The reach of GDPR does not stop at the EU borders either; it will affect all organizations that have operations in Europe or are handling EU citizens’ data regardless of the location of their headquarters.

  • In force in all member states without any need for local legislation
  • Local legislation needs to be GDPR compatible
  • Adds rights to individuals and responsibilities to companies
  • Applies to ALL companies that manage and process data of EU citizens, with or without knowing it
  • GDPR is in force already, we’re on a transition period that ends on May 25, 2018
  • Maximum sanctions amount to 20 MEUR or 10% of revenue, whichever is bigger. Lesser sanctions exist as well.

In the legislation, there are two data handling roles:

  • Controller
    • Company that collects data and controls its usage
    • Responsible for and able to demonstrate compliance with the regulation, also including work done by data processors
  • Processor
    • Processes data on behalf of the controller
    • Must be contractually bound to the controller and follow written orders
    • Must return and delete data after contract ends

Example: The cloud hosting service provider Amazon Web Services is a data processor, and the controller of the data must have a written contract with AWS.

Personal data is broadly defined

  • Broadened definition, includes any information concerning an identified or identifiable natural person, such as name, phone number, email address, car license plate, dynamic IP address,…
  • Pseudonymized data that can be made identifiable with additional data
  • GDPR also defines sensitive data that needs to be handled with special care (political affiliation, health data, genetic and biometric data,…)
  • Children are identified as vulnerable individuals who require special protection; the age limit is 16, below which parental consent is needed

Other major concepts under the GDPR

  • Transparency and consent – an individual needs to know how and why their data is used, and companies need to have a valid reason for using the data (there are several valid reasons, such as contractual, legal, and based on consent)
  • Using data for marketing purposes is not a valid reason without consent
  • If consent is given, it can be withdrawn anytime
  • Privacy by design and default from the ground up
  • Accountability – burden of proof is with the organizations; requires process documentation, paper trails of decisions, even privacy impact assessments in some cases

Startups: Adopt “a German mindset”; in other words, document things even though there’s typically no time for that.

Rights of the individuals

  • Access to data – Individuals need to be able to see what data is collected about them; by request within a month, first copy for free
  • Rectification of inaccurate data
  • Right of erasure - Individuals can ask data to be removed
  • Objection to processing – individuals can stop e.g. direct marketing. Notifications about the service itself are not marketing; startups, make your own analysis of what is and what is not marketing.
  • Portability - Individuals have the right to have their data ported to them or to another service free of charge
  • Restricting processing – Individuals can ask a company to stop processing their data temporarily
  • Profiling and automated decision making – Profiling based on sensitive data requires explicit consent, and individuals may ask for manual intervention in automated data processing / decision making IF there’s a significant (legal, financial) impact

Example of a legal obligation: an employee can’t stop their employer from providing payroll information to the tax authorities, because doing so is a legal obligation.

Data transfers

  • Transfers outside the European Economic Area are restricted but not forbidden
  • Transfers require an adequate level of data protection, such as following the EU model clauses
  • Companies need to maintain control over who has access to individual data
  • Safe Harbor has now been replaced with Privacy Shield, a brand new deal under which US companies self-certify in order to be allowed to host data regulated by the GDPR. In other words, data can for instance reside in the US; however, the users will need to know about it

About the approach to personal data in Europe vs. the US: In the US, private information is traditionally viewed as sellable; in Europe, it’s a human right. That’s a big philosophical difference. Hence, in a way, GDPR is a backlash from the EU against some of the US companies that “make us individuals the product”.

Data breaches

  • Processors need to inform the controllers ‘without undue delay after becoming aware of it’ of breaches, without exceptions
  • Controllers need to inform the authorities within 72 hours after becoming aware (Note: This also applies during holidays like Christmas, etc!)
  • In some cases the controller will also need to inform the data subjects about the breach

Implication on UX

  • Consent is more regulated than before
    • Needs to be specific and unambiguous, cannot be part of other written agreements
    • Must be active; no pre-ticked checkboxes
    • Must be reversible
    • Record of the given consent is required
    • Consent cannot be required for a service that also works without processing personal data
  • Privacy policy is more important than before
    • The policy needs to state data storage times, plus other details
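The consent requirements listed above translate fairly directly into how a consent store should behave. The following is an added example, not code from the original post or from Exove: a small in-memory consent ledger in which consent is only recorded as the result of an affirmative user action (no pre-ticked boxes), is tied to one specific purpose, can be withdrawn at any time while the original record is kept as the required proof, and can be listed per data subject to support access requests. Class names, field names and the sample identifiers are assumptions made for illustration.

```python
"""Added example (not from the original post): a minimal GDPR-style consent ledger.

Demonstrates the UX/consent points from the text: consent must be an active
choice, specific to a purpose, reversible, and recorded. All names here are
illustrative assumptions, not part of any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    subject_id: str                 # pseudonymous user identifier (assumed format)
    purpose: str                    # one specific purpose, e.g. "newsletter"
    consent_text_version: str       # which privacy/consent wording the user saw
    granted_at: datetime            # proof of when consent was given (UTC)
    withdrawn_at: Optional[datetime] = None  # set on withdrawal; record is kept


class ConsentLedger:
    """Append-only store: withdrawal marks a record, it never deletes it."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str,
                       consent_text_version: str,
                       ticked_by_user: bool) -> ConsentRecord:
        # Active consent only: a default value or a pre-ticked checkbox is not
        # consent, so refuse to store anything unless the user acted.
        if not ticked_by_user:
            raise ValueError("consent requires an affirmative action by the user")
        rec = ConsentRecord(subject_id, purpose, consent_text_version,
                            datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        # Consent must be reversible at any time. The original record stays in
        # place (with withdrawn_at filled in) so there is still a paper trail.
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = datetime.now(timezone.utc)
                return rec
        return None  # nothing active to withdraw

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Consent is purpose-specific: consent to "newsletter" says nothing
        # about "profiling", so only an exact, un-withdrawn match counts.
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.withdrawn_at is None for rec in self._records)

    def history(self, subject_id: str) -> List[ConsentRecord]:
        # Supports the right of access: every consent decision for one subject.
        return [rec for rec in self._records if rec.subject_id == subject_id]


def demo() -> dict:
    """Walk through grant, refuse-by-default, check, withdraw; returns the outcomes."""
    ledger = ConsentLedger()
    # Constructed sample subject; "user-123" is not a real identifier.
    ledger.record_consent("user-123", "newsletter", "privacy-v2", ticked_by_user=True)
    try:
        # A form submitted with the box left in its default (unticked) state.
        ledger.record_consent("user-123", "profiling", "privacy-v2", ticked_by_user=False)
        refused = False
    except ValueError:
        refused = True
    before = ledger.has_consent("user-123", "newsletter")
    ledger.withdraw("user-123", "newsletter")
    after = ledger.has_consent("user-123", "newsletter")
    return {
        "unticked_refused": refused,
        "newsletter_before_withdrawal": before,
        "newsletter_after_withdrawal": after,
        "records_kept": len(ledger.history("user-123")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping withdrawn records rather than deleting them is accountability: if a data subject or an authority later asks whether marketing was sent under valid consent, the ledger can show when consent was given, which wording was shown, and when it was withdrawn.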

Changes in contracting

  • The Controller of the data must have a written contract with every Processor
    • Responsibility goes to the end of the subcontracting chain
  • The contract has mandatory clauses stipulated by GDPR
  • The actions done by a processor must be defined in writing
  • Best bet: Have ready-made processes to anonymize data if you do data dumps
  • What about an individual developer’s responsibility? The compliance responsibility is the company’s to begin with, and it would require very gross negligence for an individual employee to go to jail for a data breach.

Advice to a startup

  • This is real, so be prepared, start already
  • You’ll need to design around the data!
  • Everything you do now should already be compliant with GDPR
    • Data architecture
    • User rights and how they are implemented
  • Train your people
  • Get help if you don’t know how to proceed

You’ll need to know where you stand

  • Understand GDPR
  • Understand how data flows in your system
    • Where, what, why
    • Check if it’s flowing out of the EU or to another Controller
  • You must have defined and followed procedures for handling personal data
    • Typically non-existent in startups
  • You’ll need to have written contracts with all your partners related to personal data
  • You’ll need to move now and be compliant by May 25, 2018
    • There might be some leeway, but again – maybe not

It’s normally best to end an article with a positive note, but let’s make a small exception here:

If you do nothing, you’re asking for trouble

The good thing, of course, is that there are still 11 months to work on your

  • Internal processes
  • Documentation
  • Contracts
  • Technology
  • User interfaces

Should you need legal and consultative help, Exove has partnered with the law firm Bird & Bird around GDPR. They conduct both gap analyses and the actual compliance work based on the specific requirements of each company.