Essential GDPR Compliance Tips: A Guide for Startups
The EU General Data Protection Regulation (GDPR) is a complex piece of legislation that has significantly strengthened data protection rules in the European Union (EU). Companies established in the EU, and companies outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU, must take steps to ensure compliance with GDPR.
Early stage startups, in particular, have a unique opportunity to establish strong data privacy strategies by designing privacy into their products or operations from the beginning. This can also provide a competitive advantage in today’s privacy-conscious world.
This publication will not cover all the key definitions, exceptions, and intricacies of GDPR; these subjects will be explored in upcoming publications.
Without further ado, let’s jump into the breakdown of GDPR compliance for startups.
1. CONDUCT DATA MAPPING AND MAINTAIN RECORDS OF PROCESSING ACTIVITIES (ROPA)
To ensure compliance with GDPR, it is crucial to understand where the personal data processed within a startup comes from and where it goes. One effective way to achieve this is an internal data-mapping exercise that identifies what personal data is held, the purpose for which it is used, the individuals it relates to (the data subjects), the systems it sits in and the parties it is shared with.
GDPR only mandates a ROPA for organisations with 250 or more employees. However, an organisation with fewer than 250 employees must still keep one if its processing is likely to pose a risk to the rights and freedoms of data subjects, if the processing is “not occasional”, if it handles special categories of personal data, or if it processes personal data relating to criminal convictions and offences (Article 30(5)). In practice, almost any business that processes customer or employee data on an ongoing basis meets the “not occasional” condition, and the GDPR does not clarify the term further. Startups are therefore advised to begin their ROPA in a spreadsheet, and to automate it as the company grows and manual upkeep becomes unmanageable.
So, what exactly is a ROPA?
The ROPA is a comprehensive register of all personal data processing activities within an organisation.
The ROPA must be kept in writing (electronic form is fine), should have a named owner such as the Data Protection Officer or another representative of the company, and should be reviewed and updated regularly, at least annually.
According to GDPR Article 30(1), a controller’s ROPA must include at a minimum:
- Name and contact details of the controller, any joint controller, the controller’s representative and the DPO, where they exist
- Purposes of the processing (recording the lawful basis alongside each purpose is not strictly required by Article 30, but it is widely recommended and makes the next step easier)
- Categories of data subjects and categories of personal data processed
- Categories of recipients, including recipients in third countries or international organisations
- Any transfers to a third country, the country concerned and, where required, the safeguards relied on
- Envisaged retention periods for each category of data (where possible)
- A general description of the technical and organisational security measures (where possible).
Start by exploring the ROPA templates published by EU Data Protection Authorities on their official websites; the Finnish Data Protection Ombudsman, for example, publishes one.
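Once the register is kept as structured records rather than free text, the Article 30 minimum content can be checked automatically. The following is an added example written for this article, not code from the original page or from any Data Protection Authority. The record layout, the constructed sample register and the adequacy list are assumptions: the adequacy set in particular is an illustrative subset, and the European Commission's current list must be consulted before relying on any entry.

```python
"""Article 30 completeness check for a startup's ROPA kept as structured records.

Added example, not code from the original article.  The record layout, the
sample register and the illustrative adequacy list are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum content of a controller's register under Article 30(1) GDPR, plus the
# lawful basis that step 2 of the article expects for every activity.
REQUIRED_FIELDS = (
    "controller_contact",
    "purpose",
    "lawful_basis",
    "data_subject_categories",
    "personal_data_categories",
    "recipients",
    "security_measures",
)
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interest",
}
# EU member states plus Iceland, Liechtenstein and Norway (the EEA).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
# ASSUMPTION: illustrative subset only.  Check the Commission's current list of
# adequacy decisions before relying on any entry here.
ADEQUACY = {"CH", "GB", "JP"}


@dataclass(frozen=True)
class Finding:
    activity: str
    severity: str  # "error" for a missing mandatory item, "warning" otherwise
    message: str


def check_activity(activity: dict) -> list[Finding]:
    """Return the gaps found in one processing-activity record."""
    name = activity.get("name", "<unnamed>")
    findings: list[Finding] = []

    for key in REQUIRED_FIELDS:
        if not activity.get(key):
            findings.append(Finding(name, "error", f"missing '{key}'"))

    basis = activity.get("lawful_basis")
    if basis and basis not in LAWFUL_BASES:
        findings.append(Finding(name, "error", f"unknown lawful basis '{basis}'"))

    # A recipient outside the EEA needs either an adequacy decision or a
    # documented transfer safeguard (for example Standard Contractual Clauses).
    for recipient in activity.get("recipients", []):
        country = recipient.get("country", "").upper()
        if country in EEA or country in ADEQUACY:
            continue
        if not recipient.get("transfer_safeguard"):
            findings.append(Finding(
                name, "error",
                f"recipient '{recipient.get('name')}' in '{country or '??'}' "
                "has no adequacy decision and no transfer safeguard recorded",
            ))

    # Article 30(1)(f) asks for retention periods "where possible", so a gap
    # here is reported as a warning rather than an error.
    if not activity.get("retention_period"):
        findings.append(Finding(name, "warning", "no retention period recorded"))
    return findings


def check_register(register: list[dict]) -> list[Finding]:
    """Run check_activity over a whole register, preserving record order."""
    return [f for activity in register for f in check_activity(activity)]


# Constructed sample register: one complete activity and one with typical gaps.
SAMPLE_ROPA = [
    {
        "name": "newsletter",
        "controller_contact": "privacy@example.test",
        "purpose": "send product updates to subscribers",
        "lawful_basis": "consent",
        "data_subject_categories": ["subscribers"],
        "personal_data_categories": ["email address"],
        "recipients": [{"name": "mail-provider", "country": "IE"}],
        "security_measures": "TLS in transit; access limited to the marketing role",
        "retention_period": "until consent is withdrawn",
    },
    {
        "name": "product analytics",
        "controller_contact": "privacy@example.test",
        "purpose": "measure feature usage",
        "lawful_basis": "",
        "data_subject_categories": ["customers"],
        "personal_data_categories": ["IP address", "device identifiers"],
        "recipients": [{"name": "analytics-vendor", "country": "US"}],
        "security_measures": "pseudonymised user identifiers",
        # no retention_period recorded
    },
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_ROPA):
        print(f"[{finding.severity}] {finding.activity}: {finding.message}")
```

Run as a script it prints one line per gap; the second sample activity yields a missing lawful basis, an undocumented transfer to a non-adequate country and a missing retention period, which are exactly the three items a Data Protection Authority would look for first.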
2. IDENTIFY THE LAWFUL BASIS FOR EACH PROCESSING ACTIVITY
Organisations are required to handle personal data in a lawful, fair and transparent manner under the GDPR. Therefore, before undertaking any personal data processing activity, the primary question to address is: “What is the specific basis or purpose for processing this personal data?” Now, what does this mean?
There are six lawful bases provided under Article 6 of the GDPR for personal data processing; the other two, vital interests and public task, rarely apply to a startup. The most directly applicable ones are:
- Consent. The data subject has given freely given, specific, informed and unambiguous consent to the processing of their personal data for a specific purpose. The data subject has the right to withdraw consent at any time, and withdrawing must be as easy as giving it.
- Contract. The processing is necessary to perform a contract between the startup and the data subject, or to take steps at the data subject’s request before entering into a contract.
- Legal obligation. The processing is necessary to comply with an obligation under applicable law to which the startup is subject.
- Legitimate interest. The startup has a legitimate interest in the processing that is not overridden by the interests or fundamental rights of the data subject, taking into account the context of the processing and the relationship between the company and the data subject; this requires a documented balancing test. Processing personal data for the purpose of preventing fraud is an example of a legitimate interest.
The definitions for each basis are relatively straightforward, but it can be difficult to determine the appropriate basis for a specific processing activity, and the choice matters because it determines which data subject rights apply. We will delve deeper into each lawful basis in future publications.
3. TRAIN YOUR STAFF
People are at the core of a startup’s success, and data protection compliance should be deeply ingrained in the company culture. As part of GDPR compliance efforts, it is essential to conduct regular training and workshops so that staff remain aware of their responsibilities.
Training should be tailored and interactive for each department. For instance, development teams should be trained on “privacy by design”, how to build it into new product workflows, and current security practices for SaaS products. The marketing team should know the email marketing requirements, and the HR team should understand how to handle GDPR requests and process employee data lawfully.
Though not explicitly required, maintaining training records demonstrates compliance with the accountability principle of GDPR. They can also serve as a valuable resource for onboarding new employees.
4. PROTECT THE DATA AT ALL COST
The GDPR asks for technical and organisational measures that are appropriate to the risk (Article 32), and names encryption and pseudonymisation explicitly. In practice this means encrypting personal data in transit and at rest, restricting access to it on a least-privilege basis, limiting how widely it is shared, and collecting and storing only what is needed. Startups should regularly review and delete data that is no longer needed, run vulnerability scans on systems, devices and networks to find weaknesses before an attacker does, patch promptly, and keep their security measures up to date to prevent data breaches.
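Deleting data that is no longer needed only works if the retention periods recorded in the ROPA are actually enforced against the data store. The following is an added example, not code from the original article, of the decision logic for such a sweep; the retention policy, the record layout and the constructed sample records are assumptions. It deliberately handles the two cases that catch teams out in practice: records under a legal hold, which must not be purged even when their period has elapsed, and categories that have no retention period recorded at all, which are reported for escalation rather than silently kept or deleted.

```python
"""Retention sweep: decide which stored records are past their retention period.

Added example, not code from the original article.  The retention policy, the
record layout and the sample records are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# ASSUMPTION: retention periods in days per data category, as they would be
# recorded in the ROPA.  The invoice period stands in for a tax-law obligation
# that is typically much longer than the periods chosen for operational data.
RETENTION_DAYS = {
    "web_server_log": 30,
    "support_ticket": 365,
    "invoice": 10 * 365,
}


def sweep(records: list[dict], now: datetime,
          policy: dict[str, int] = RETENTION_DAYS) -> tuple[list[str], list[str], list[str]]:
    """Split records into (delete, keep, unknown) lists of record ids.

    delete:  the retention period has elapsed and no legal hold applies
    keep:    still within the period, or under a legal hold
    unknown: no retention period recorded for the category; escalate rather
             than guess, since both silently keeping and silently deleting
             personal data can be a violation
    """
    delete, keep, unknown = [], [], []
    for rec in records:
        days = policy.get(rec["category"])
        if days is None:
            unknown.append(rec["id"])
            continue
        if rec.get("legal_hold"):
            keep.append(rec["id"])
            continue
        expires_at = rec["created_at"] + timedelta(days=days)
        (delete if expires_at <= now else keep).append(rec["id"])
    return delete, keep, unknown


# Constructed sample data.  Timestamps are timezone-aware UTC on purpose:
# mixing naive and aware datetimes raises at comparison time in Python.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "log-1", "category": "web_server_log",
     "created_at": SAMPLE_NOW - timedelta(days=45)},
    {"id": "log-2", "category": "web_server_log",
     "created_at": SAMPLE_NOW - timedelta(days=10)},
    {"id": "ticket-1", "category": "support_ticket",
     "created_at": SAMPLE_NOW - timedelta(days=400), "legal_hold": True},
    {"id": "ticket-2", "category": "support_ticket",
     "created_at": SAMPLE_NOW - timedelta(days=400)},
    {"id": "inv-1", "category": "invoice",
     "created_at": SAMPLE_NOW - timedelta(days=730)},
    {"id": "chat-1", "category": "chat_transcript",
     "created_at": SAMPLE_NOW - timedelta(days=5)},
]

if __name__ == "__main__":
    to_delete, to_keep, needs_policy = sweep(SAMPLE_RECORDS, SAMPLE_NOW)
    print("delete:", to_delete)
    print("keep:", to_keep)
    print("no retention period recorded, escalate:", needs_policy)
```

In a real deployment the `delete` list would feed the actual erasure job and the `unknown` list would be raised with whoever owns the ROPA, because a category with no recorded retention period is itself a gap in the register.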
5. UNDERSTAND IF YOU NEED TO APPOINT A DATA PROTECTION OFFICER (DPO)
The GDPR requires certain organisations to appoint a Data Protection Officer (DPO) and provide their details to the relevant Data Protection Authority.
To assess whether a startup needs to designate a DPO, work through the following questions (Article 37):
- Do the startup’s core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale?
“Core activities” are the central actions taken to achieve the startup’s goals. For instance, consider a fintech startup offering a SaaS product that predicts customer credit scores. Selling this solution is the core activity. In contrast, processing the personal data of the sales team for employment purposes is ancillary, not the main focus.
“Regular and systematic” processing refers to non-accidental, planned data handling that occurs consistently or at fixed intervals. Assessing whether processing is “large scale” involves factors such as the number of individuals affected, the volume of data, the duration of the processing and its geographical scope.
- Do the startup’s core activities consist of large-scale processing of special categories of data (for example racial or ethnic origin, health data, or genetic or biometric data) or of data relating to criminal convictions and offences?
Regardless of the assessment outcome, it’s advisable to document the results in writing. This will help demonstrate compliance and provide a record of the decision-making process in case of any audits or investigations.
6. CONDUCT A DATA PROTECTION IMPACT ASSESSMENT (DPIA)
A DPIA is a tool used to identify and evaluate potential risks to individuals’ rights and freedoms resulting from data processing activities. It is required under the GDPR when the processing is likely to result in a “high risk” to individuals. The goal of a DPIA is to ensure that appropriate measures are taken to mitigate these risks and protect individuals’ rights.
The GDPR does not define “high risk” as such, but Article 35(3) gives the following non-exhaustive list of cases in which a DPIA is mandatory:
- There is a systematic and extensive evaluation of the personal aspects of an individual, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- There is a processing of a special category or criminal offence data on a large scale;
- There is systematic monitoring of publicly accessible areas on a large scale.
Conducting a DPIA, even if not explicitly mandated, serves as a valuable tool to ensure GDPR compliance.
Conducting a DPIA involves several steps, such as:
Data Mapping: Map out all categories of personal data and processing activities.
Risk Identification: List and assess risks in terms of likelihood and severity, considering data sensitivity and affected individuals.
Mitigation Measures: Identify legal, technical, physical and organisational measures for each risk. If a high risk remains that cannot be mitigated, the startup must consult the respective Data Protection Authority before starting the processing (prior consultation, Article 36).
Documentation: Record the DPIA process, including analyses and mitigation strategies.
Integration: Put the outcome of the DPIA into practice. This step is essential: the risks are only mitigated once the findings are acted on and the necessary changes are built into the workflow of the data processing activities.
Lastly, review: The DPIA is not a one-off exercise but rather a living document that needs to be reviewed. As a matter of good practice, the Article 29 Working Party recommends that all DPIAs should be re-assessed after 3 years, or sooner if circumstances have changed quickly.
7. ASSESS THIRD-PARTY RISKS IN THE PROCESSING ACTIVITIES
GDPR requires controllers to use only processors that provide sufficient guarantees of compliance (Article 28), and processors to flow the same obligations down to any sub-processors they engage. Controllers remain responsible for the entire data protection chain. To meet this requirement, it’s important to:
- Create a list of data processors and understand the personal data each one accesses, aided by an organised ROPA.
- Assess every third party involved in data processing, including new tools or services, by reviewing their privacy and security documentation and sending them data protection questionnaires before onboarding them.
- Have a written Data Processing Agreement (DPA) in place with each processor, covering at least the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the parties’ obligations, including security measures, sub-processor approval, breach notification and deletion or return of the data at the end of the engagement.
8. UNDERSTAND DATA BREACH REPORTING REQUIREMENTS
Personal data breaches can have severe repercussions for a startup, both in terms of reputation and finances. To avoid such incidents, startups should put in place cybersecurity measures, educate employees on best practices, and implement other preventive measures. However, in today’s digital landscape, data breaches are an unfortunate reality. It’s crucial for startups to be aware of what to do in case of a data breach and to have a plan in place to handle them.
A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Breaches range from major cyber-attacks to human errors, like emailing data to the wrong person, and include loss of availability, such as data encrypted by ransomware. Startups must notify the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals’ rights and freedoms; if notification is late, the reasons for the delay must be given, and information may be provided in phases. When the breach is likely to result in a high risk to individuals, for example financial loss or exposure of confidential data, the affected individuals must also be informed without undue delay, in clear language, describing the nature of the breach, its likely consequences and the measures taken.
Startups must document every breach, including its facts, effects and the remedial action taken, whether or not it was notified (Article 33(5)). Maintaining such a breach register and establishing an incident reporting policy so that staff know how to escalate a suspected breach quickly are essential for responding within the deadline.
9. HANDLE DATA SUBJECT REQUESTS EFFECTIVELY
Startups must be prepared to offer individuals the ability to exercise their data protection rights with regard to their personal data.
For example, a data subject has the right to obtain a copy of the personal data the startup holds about them, together with information such as the purposes of processing, the recipients and the retention period. When they submit a data subject access request (DSAR), the startup must respond without undue delay and at the latest within one month. That period can be extended by up to two further months for complex or numerous requests, but the data subject must be told of the extension, and the reasons for it, within the first month.
When startups receive requests from data subjects, it’s essential to have a streamlined process in place. This includes having a designated point of contact responsible for handling those requests, as well as a clear and documented procedure for verifying the identity of the data subject and processing their request promptly.
It’s also advisable to give users self-service privacy controls so they can view, correct, export and delete their data, and otherwise exercise their rights, without having to file a formal request.
10. ENSURE COMPLIANCE WITH INTERNATIONAL DATA TRANSFER REQUIREMENTS
Startups handling personal data should ideally store it within the EU/EEA. If personal data is transferred to a third country (outside the EU or EEA), the international data transfer is subject to stringent requirements under the GDPR, and this includes giving a provider outside the EEA remote access to data stored in the EU.
The key consideration is whether the third country has an “adequacy decision”, meaning the European Commission has found that the country or international organisation in question ensures an adequate level of data protection. Transfers to such countries require no additional safeguards. The list of adequacy decisions is published on the European Commission’s website.
If there is no adequacy decision, the GDPR permits the transfer only where the company puts appropriate safeguards in place (Article 46), most commonly the European Commission’s Standard Contractual Clauses, together with an assessment of whether the law of the destination country undermines those safeguards in practice. Narrow derogations for specific situations exist (Article 49), but they are not a basis for routine transfers.
11. PUT TOGETHER A COMPLIANT PRIVACY POLICY
Creating a compliant Privacy Policy is not just a legal requirement but an opportunity for startups to showcase their commitment to safeguarding personal data. It should not be long and full of legal jargon, but rather short, in plain language and easy to understand. Here’s what you need to include:
- Company’s Contact Details: Company’s name, location, and contact information. If applicable, provide details of a Data Protection Officer and/or EU Representative.
- Types of Personal Data: Be specific about the personal data that is collected, such as names, email addresses, IP addresses, and billing information.
- Reasons and Legal Basis for Processing: Clearly outline the reasons for processing personal data and the legal basis for each activity, selecting from the six available legal bases.
- Data Retention Period: Specify how long different types of personal data will be retained, ensuring compliance with the principle of storage limitation.
- Recipients of Personal Data: You need not list every recipient, but disclose the main ones or categories, such as email marketing tools or payment processors, and be transparent about data sharing practices.
- International Data Transfers: Explain the mechanisms and measures used for international data transfers, ensuring compliance with GDPR regulations.
- Data Subject Rights: Detail the rights granted to data subjects under GDPR and describe how users can exercise these rights.
- Updates: Clearly indicate the effective date of the Privacy Policy and outline how users will be informed about any changes.
Disclaimer. This publication is provided for informational purposes only and should not be construed as legal advice or consultation. The information presented in this publication is intended to offer general guidance on the subject matter and is not intended to be legally comprehensive. It is highly recommended that anyone contemplating action based on the content of this publication seek full and specific legal advice from a legal professional.