Startup company – adopt ‘a German mindset’ to comply with GDPR by May 2018
The new General Data Protection Regulation (GDPR) laws of the EU are already in force, and the transition period for companies to become compliant ends on May 25, 2018. It’s high time for startups, too, to know what GDPR is and what it requires from company processes, documentation, technology, UX, and contracts. It’s a substantial amount of work, but the potential sanctions are significant as well. Therefore, better get moving right now.
On June 14, Takeoff Partners and Exove organized a morning info session tailored for startups and early-stage companies to understand, manage, and mitigate the effects of GDPR. GDPR has had businesses buzzing for some time already, and for good reason: while the new data protection laws will bring lots of protection for the individual, for companies it’s more like ‘bad news’, i.e. a lot of work. Let Exove’s CEO Janne Kalliola explain. The content of the presentation is also available on SlideShare.
So what is GDPR?
In a nutshell, it harmonizes the management of personal data across EU member states and gives new rights to individuals. The reach of GDPR does not stop at the EU borders either; it affects all organizations that have operations in Europe or handle EU citizens’ data, regardless of where their headquarters are located.
- In force in all member states without any need for local legislation
- Local legislation needs to be GDPR compatible
- Adds rights to individuals and responsibilities to companies
- Applies to ALL companies that manage and process data of EU citizens, with or without knowing it
- GDPR is in force already, we’re on a transition period that ends on May 25, 2018
- Maximum sanctions amount to 20MEUR or 10% of revenue, whichever is bigger. Lesser sanctions exist as well.
In the legislation, there are two data handling roles:
- Controller
  - Company that collects data and controls its usage
  - Responsible for, and able to demonstrate, compliance with the regulation, including work done by data processors
- Processor
  - Processes data on behalf of the controller
  - Must be contractually bound to the controller and follow written orders
  - Must return and delete data after the contract ends
Example: The cloud hosting service provider Amazon Web Services is a data processor, and the controller of the data must have a written contract with AWS.
Personal data is broadly defined
- Broadened definition: includes any information concerning an identified or identifiable natural person, such as name, phone number, email address, car license plate, dynamic IP address,…
- Pseudonymized data that can be made identifiable with additional data is also personal data
- GDPR also defines sensitive data that needs to be handled with special care (political affiliation, health data, genetic and biometric data,…)
- Children are identified as vulnerable individuals that require special protection; below the age limit of 16, parental consent is needed
Other major concepts under the GDPR
- Transparency and consent – an individual needs to know how and why their data is used, and companies need to have a valid reason for using the data (there are several valid reasons, such as contractual, legal, and based on consent)
  - Using data for marketing purposes is not a valid reason without consent
  - If consent is given, it can be withdrawn anytime
- Privacy by design and default from the ground up
- Accountability – burden of proof is with the organizations; requires process documentation, paper trails of decisions, even privacy impact assessments in some cases
Startups: Adopt “a German mindset”; in other words, document things even though there’s typically no time for doing that.
Rights of the individuals
- Access to data – Individuals need to be able to see what data is collected about them; by request within a month, first copy for free
- Rectification of inaccurate data
- Right of erasure – Individuals can ask for their data to be removed
- Objection to processing – Individuals can stop e.g. direct marketing. Service notifications are not marketing; startups, make your own analysis of what is and what is not marketing.
- Portability - Individuals have the right to have their data ported to them or to another service free of charge
- Restricting processing – Individuals can ask a company to stop processing their data temporarily
- Profiling and automated decision making – Profiling based on sensitive data requires explicit consent, and individuals may request human intervention in automated data processing / decision making IF there’s a significant (legal, financial) impact
Case considering legal obligations: For instance, an employee can’t stop their employer from providing payroll information to the tax authorities, because it’s a legal obligation.
Data transfers
- Transfers outside the European Economic Area are restricted but not forbidden
- Transfers require an adequate level of data protection, such as following the EU model clauses
- Companies need to maintain control over who has access to individual data
- Safe Harbor has been replaced with Privacy Shield, a brand new deal under which US companies self-certify in order to be allowed to host data regulated by the GDPR. In other words, data can for instance reside in the US; however, the users will need to know it
About the approach to personal data in Europe vs. the US: In the US, private information is traditionally viewed as sellable; in Europe, it’s a human right. That’s a big philosophical difference. Hence, in a way, GDPR is a backlash of the EU against some of the US companies that “make us individuals the product”.
Data breaches
- Processors need to inform the controllers of breaches ‘without undue delay after becoming aware of it’, without exceptions
- Controllers need to inform the authorities within 72 hours after becoming aware (Note: This also applies during holidays like Christmas, etc.!)
- In some cases the controller will also need to inform the data subjects about the breach
Implications for UX
- Consent is more regulated than before
  - Needs to be specific and unambiguous, and cannot be part of other written agreements
  - Must be active; no pre-ticked checkboxes
  - Must be reversible
  - A record of the given consent is required
  - Consent cannot be required for a service that also works without processing personal data
- Privacy policy is more important than before
  - Data needs to have storage times plus other tidbits
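As an added example (not from the presentation or from Exove), the consent rules above can be turned into a small append-only consent ledger: a grant is refused unless the user actively ticked the box, withdrawal is always possible and is itself recorded, and the full history is available for an access request. The class and purpose names are assumptions, not a real library.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One recorded consent decision; the ledger never edits or deletes these."""
    user_id: str
    purpose: str            # one specific purpose, e.g. "marketing_email"; never bundled
    granted: bool           # True = consent given, False = consent withdrawn
    policy_version: str     # which privacy policy text the user actually saw
    recorded_at: datetime   # when the user acted; this is the paper trail


class ConsentLedger:
    """Append-only consent record (hypothetical name, not a real library)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, user_id: str, purpose: str, policy_version: str,
              ticked_by_user: bool, now: Optional[datetime] = None) -> None:
        # Consent must be an active act: a pre-ticked box or a default
        # value is not consent, so such a grant is refused, not recorded.
        if not ticked_by_user:
            raise ValueError("consent must be actively given; pre-ticked defaults are invalid")
        self._events.append(ConsentEvent(user_id, purpose, True, policy_version,
                                         now or datetime.now(timezone.utc)))

    def withdraw(self, user_id: str, purpose: str, policy_version: str,
                 now: Optional[datetime] = None) -> None:
        # Consent is reversible at any time; the withdrawal is logged too,
        # so the history shows both the grant and its end.
        self._events.append(ConsentEvent(user_id, purpose, False, policy_version,
                                         now or datetime.now(timezone.utc)))

    def has_consent(self, user_id: str, purpose: str) -> bool:
        # The latest event for this user and purpose decides; no event means
        # no consent, because silence is never consent.
        relevant = [e for e in self._events
                    if e.user_id == user_id and e.purpose == purpose]
        return bool(relevant) and relevant[-1].granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        # Right of access: every recorded decision about this user, in order.
        return [e for e in self._events if e.user_id == user_id]
```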
Changes in contracting
- The Controller of the data must have a written contract with every Processor
- Responsibility goes to the end of the subcontracting chain
- The contract has mandatory clauses stipulated by GDPR
- The actions done by a processor must be defined in writing
- Best bet: Have ready-made processes to anonymize data if you do data dumps
- What about an individual developer’s responsibility? The compliance responsibility is the company’s to begin with, and it would require very gross negligence for an individual employee to go to jail for a data breach.
Advice to a startup
- This is real, so be prepared, start already
- You’ll need to design around the data!
- Everything you do now should already be compliant with GDPR
  - Data architecture
  - User rights and how they are implemented
- Train your people
- Get help if you don’t know how to proceed
You’ll need to know where you stand
- Understand GDPR
- Understand how data flows in your system
  - Where, what, why
  - Check if it’s flowing out of the EU or to another Controller
- You must have defined and followed procedures for handling personal data
  - Typically non-existent in startups
- You’ll need to have written contracts with all your partners related to personal data
- You’ll need to move now and be compliant by May 25, 2018
  - There might be some leeway, but again – maybe not
It’s normally best to end an article with a positive note but let’s make a small exception here:
If you do nothing, you’re asking for trouble
The good thing, of course, is that there are still 11 months to work on your
- Internal processes
- Documentation
- Contracts
- Technology
- User interfaces
Should you need legal and consultative help, Exove has partnered with the law firm Bird&Bird around GDPR. They conduct both gap analyses and the actual compliance work based on the specific requirements of each company.