GDPR Compliance for Startups

Even if you aren't in Europe, there's a good chance your start-up business will need to comply with the General Data Protection Regulation (GDPR). Breaching the rules can carry significant fines.

The good news is that as a start-up, you have a great opportunity to set up and exercise good data practices from the outset. Here's what you need to know, and what you should do to make sure your startup is compliant with the GDPR.

The GDPR is a European Union regulation, meaning it has automatic legal force in its own right in all EU member countries.

Don't dismiss the GDPR as irrelevant if you are outside the EU, however. You must comply with it if any of three circumstances apply:

• Your business has an establishment in a European Union country
• You handle data about a citizen of a European Union country regardless of your own location
• You, or somebody acting on your behalf, physically processes data in a European Union country. This includes facilities such as data centers.

Given this broad scope, even if you aren't currently affected it's very possible the GDPR will start applying to you as you establish and grow your business.

This means it's definitely worth knowing the rules and thinking about what you'd need to do to comply if the situation arises.

Although it's an extremely lengthy document, the GDPR boils down to a simple principle: You can only process personal data in one of six limited situations known as a "lawful basis."

The GDPR defines "process" very broadly and it effectively covers anything you do with personal data. In particular it includes collecting, using, sharing and selling data.

Meanwhile "personal data" means information that relates to an identified or identifiable natural person. "Natural person" means a human rather than a legal entity such as a corporation.

The Lawful Bases

The GDPR sets out six lawful bases under which you can lawfully process personal data. Four of these involve very specific scenarios that are unlikely to apply to most cases when your start-up business processes data:

• You are contractually obliged to process data. For example, an auto insurance broker could lawfully use a customer's date of birth to search for policies which use age to determine the premiums.
• You must process the data to comply with a law. For example, a business may legally have to share details of employee salaries with tax authorities.
• You must process the data to protect somebody's vital interests: in other words to protect their life. This most commonly applies with medical information in an emergency situation.
• You are carrying out a task in the public interest or exercising official authority. This rarely applies to private businesses.

Note that each of these bases is only lawful if processing the data is the only way to perform the relevant task.

The two remaining legal bases are more likely to be relevant to a business. One is legitimate interests. This means the data processing is necessary to achieve the goals of your business. This basis only applies if your legitimate interest is not outweighed by the privacy rights of the data subject (the person the data is about).

The UK's Information Commissioner's Office suggests that the legitimate interest basis is most suitable in cases where you use data in a way the data subject could reasonably expect and where the effect on their privacy is as limited as possible.

For example, an insurance company could likely rely on the legitimate interest basis to use people's email address to send a reminder when their policy was about to lapse.

The Woodland Trust gives some examples of its legitimate interests:

The final legal basis is that the data subject has given consent to the data processing. This comes with several requirements:

• The consent must be active and positive. You can't simply assume the data subject has consented unless they opt out. The burden is on you to prove the consent.
• The consent must be meaningful. This means the data subject must understand what they are consenting to and be given a genuine choice whether to consent or not. You should only make consent a mandatory requirement of providing goods or services where there's no way to do so without processing the data.
• The consent must be specific and only cover data processing for a stated purpose. You'll need fresh consent to use the data for a different purpose, even if you've already collected it.
• The consent is not permanent. The data subject has the right to withdraw consent later on.

Make sure your startup is clear on what legal basis/bases it will be processing data under.

Key Requirements of the GDPR

If you fall under the jurisdiction of the GDPR, you must also take some specific actions beyond following the general restriction on processing.

If you transfer personal data to a country outside of the EU, you must make sure it has broadly the same level of protection that the GDPR offers.

With some countries this is covered by an agreement with the EU known as an "adequacy decision." With other countries you'll need to take extra steps, for example by using contract terms with partners that bind them to protecting the data.

You must appoint a dedicated data protection officer if your main business activities involve large scale personal data processing, if you handle data about criminal records, or if you handle data about:

• Biometric data used to identify somebody
• Data about somebody's sexual orientation or activity
• Genetic data
• Health Data
• Political opinions
• Racial or ethnic origin
• Religions/philosophical beliefs
• Trade union membership

The data protection officer is responsible for your business complying with the law. This can involve training your staff, setting your data policies, handling public complaints and dealing with supervisory authorities.

Your data protection officer should have professional experience and knowledge of data protection issues. You can outsource the role of data protection officer to somebody outside of your business, which is a good option for a start-up company. Whether your data protection officer is an employee or third party, they must have the necessary access and authority to perform their duties.

You must take reasonable measures to protect against unauthorized access, deletion or alteration to any personal data you store. This can include physical, technical and organizational security measures.

Here's how OnTheGoSystems details some of its security measures in its Privacy Policy:

While you don't have to be very detailed about what security you have in place, you do need to have something in place and need to disclose that you make efforts at keeping data secure.

Privacy by Design and Default

The GDPR specifically requires organizations to follow two principles commonly summarized as "privacy by design" and "privacy by default." Being a start-up business is a major advantage in complying with these principles as you can take the necessary measures right from the start rather than have to revamp the way you do things after already establishing your systems.

Privacy by design means that you have measures in place to make sure you secure data and protect the rights of data subjects. The key is that you make these measures part of your standard operating procedures rather than try to remember to do things on a one-off basis.

Times you could incorporate privacy by design include:

• When choosing or configuring software
• When setting up a checklist for how you deal with a new customer
• As part of a contract when you share data with another company

Privacy by default is the principle that you reduce or remove the risk of unintentionally processing data unlawfully.

This can include:

• Making sure you only collect the data that's necessary for the limited specific purpose
• Making sure data can't go to a third party without an authorisation process that confirms you have any necessary consent and safeguards
• Making sure data subjects have a clear process for correcting, updating or asking you to delete data and your procedures will handle such requests without delay

Have a GDPR Privacy Policy

Although the GDPR does not specifically say you must have a Privacy Policy, it's the only practical way to satisfy many of its requirements, in particular that you provide data subjects with specific information.

When writing a GDPR Privacy Policy, remember it serves two purposes:

• It provides the necessary information, thus meeting the GDPR requirements
• It makes it easier to show the data subject had enough information to give meaningful consent, meaning you can use this as a legal basis for processing data

You must always provide the following information:

• Your organization's name and contact details
• The specific purposes for which you process personal data
• Which lawful basis applies
• How long you keep data or how you will decide how long
• The data subject's right to object to processing and the consequences of doing so
• The data subject's general rights under the GDPR
• The fact the data subject can complain to a supervisory authority

You must also provide any of the following information that is relevant:

• Your data protection officer's contact details (if you have one)
• What your legitimate interests for processing are (if you use that legal basis)
• Who you share data with
• Whether you transfer data outside of the EU and, if so, where and how you safeguard it
• The data subject's right to withdraw consent (if you use that legal basis)
• Whether the data subject is legally or contractually obliged to provide personal data and what happens if they don't
• Whether you use the data for automated decision-making such as profiling

How to Display Your GDPR Privacy Policy

The GDPR specifies that you must provide this information in a "concise, transparent, intelligible and easily accessible form, using clear and plain language." You should strike a balance of being precise but understandable.

At a minimum, you should present your Privacy Policy as a standalone web page and then prominently link to it from key locations such as:

• Your website footer
• Any navigation menu on your website or mobile app
• Any page through which a user can provide personal data, such as a "create account" page

Depending on its length, you could also have the content of the Privacy Policy available as a pop-up window or a drop-down display accessible in relevant locations, for example directly before any checkbox or confirmation button where the user gives consent to data collection or processing.

Here's an example of adding your Privacy Policy to your website footer, from Luminosity:

And here's how Bitmoji displays its Privacy Policy in an in-app menu:

Here's how Wave links its Privacy Policy to a form where an email address is collected from new users. Users are also informed that by signing up, they're agreeing to the Privacy Policy:

Penalties for Breaching the GDPR

The GDPR is enforced by data protection authorities in European Union countries, known as supervisory authorities. Which authority deals with a particular case can depend on the location of the data processor, the data subject or the processing itself.

A supervisory authority can order several remedies for a breach including:

• Issuing an official warning
• Temporarily or permanently banning you from processing personal data
• Ordering you to correct or delete data
• Stopping you from transferring data to other countries

The supervisory authority can also issue financial penalties, known in most EU countries as an administrative fine. The amount will depend on the circumstances of the breach including what steps you took to reduce the likelihood and effect of a breach, the damage it caused, and whether you have breached the GDPR before.

The maximum amount depends on which part of the GDPR you breached. For less serious cases which are generally administrative breaches, the maximum penalty is €10 million or two percent of your worldwide revenues in the previous financial year, whichever is higher.

For more serious cases, which generally involve breaching the fundamental principles of the GDPR, the maximum penalty is €20 million or four percent of your worldwide revenues in the previous financial year, whichever is higher.

Although the most high-profile fines to date have involved major businesses, plenty of smaller and newer companies have paid the price for a breach. For example, a UK pharmacy supplier which only started up in 2015 was fined €320,000 in 2019 for failing to physically secure patient records.

Summary

Let's recap what the GDPR means for your startup business.

• The GDPR applies if your organization, the data subject, or the data processing itself is in an EU country. There's no exemption for small or new businesses.
• The key principle of the GDPR is that you can only process personal data on a specific legal basis. The two most relevant for businesses will usually be that the data subject gave consent or that their privacy rights don't outweigh your legitimate interests in processing the data.
• Consent must be meaningful with the data subject able to make a genuine and informed choice.

• The GDPR also requires you to:

  • Safeguard data that you transfer outside of the EU
  • Appoint a data protection officer if your main business is large-scale data processing or if you handle data about criminal records or data designated as sensitive
• Potential penalties for breaching include bans on data processing and significant fines
• Under the GDPR, you must follow the principles of "privacy by design" and "privacy by default"
• You should have a prominent, clearly written Privacy Policy that includes key information which the GDPR requires you to give to data subjects. This is particularly important when you rely on consent to lawfully process data.