Disclaimer: this post should not be interpreted or relied upon as legal advice.
With the increasing speed of data collection and data monetization driving the evolution of business models, the EU General Data Protection Regulation (or GDPR for short) will take effect May 25, 2018. It’s a regulation not to be casually dismissed, as the financial liability for non-compliance is up to EUR 20M or 4% of the organization’s global annual turnover, whichever is higher! It’s one of the most significant regulatory events in e-privacy/data protection history, and as such you’d do well to assess how your startup might be affected and what you can do to make sure you’re ready.
What is GDPR?
The GDPR is a regulation that aims to ensure that companies collecting data about EU citizens are protecting the data adequately, and that EU citizens have “digital rights” over this data, meaning that they can know what data is kept about them and access it (right of access), consent to what data is used for, move that data to another company (data portability), and even tell a company to delete all data about them (right to erasure), while resting assured that the company is protecting their privacy adequately and that it will alert them immediately of any data breach.
Essentially, you might say that the GDPR takes what should theoretically already be core values of “good companies” and turns them into an official standard, required by law and consistent across countries, which is why GDPR is a good thing for us all.
GDPR differs from data protection and privacy laws in the US, where laws are more vertical, i.e. sector-specific (healthcare, financial services, etc.). They also differ by state, depending on how advanced each state is in this area (California, for example, is more advanced than others). The definition of Personal Data is also different in the US. For example, aspects such as international data export are not generally covered by US laws, and data retention guidelines also differ. Nevertheless, the looming introduction of GDPR seems to have already made a global impact on privacy regulation, so it’s fair to assume many outside the EU will revisit their laws in light of it.
(Figure: Comparison of the Length of European Data & Privacy Related Directives/Regulation)
Does GDPR apply to YOUR startup?
The GDPR applies to any EU-based organization (regardless of whether your servers are outside the EU) and to any organization outside the EU that processes personal data collected on EU citizens – so naturally, B2C companies are more immediately affected, but B2B companies may also be affected, as they may hold and process data on EU citizens that is provided to them by B2C companies.
So, for example, are you an Israeli consumer app/service startup with users in France? If so, GDPR applies to your startup. There are of course finer details and definitions (for example, the number of citizens you hold data on), but the purpose of this blog post is not to be a legal reference, so we’ll stick with the basics.
It’s important to note that personal data does not only mean email addresses, home addresses, credit card details, and the like; it also covers IP addresses, advertising IDs and other online identifiers, location data, and additional pieces of data you probably collect on your users. There are also specific definitions of a Data Collector vs. a Data Processor, which emphasize that merely processing such data, without directly collecting it, still puts you under GDPR compliance requirements.
What should you do to be GDPR-ready in 2018?
If GDPR applies to your startup, then it can have implications on multiple levels including Technical, Legal, and Organizational processes (both internal and intra-organizational).
1) Make sure the technical aspects of your data security and confidentiality are satisfactory.
Proper security measures must be taken to prove that you protect personal data. These might include the use of encryption, an adequate data security architecture that promotes security and creates a separation between certain databases, access controls, least privilege, etc. It’s important to note that you must also show you have adequate physical security measures in place to prevent unauthorized access to systems and machines. But bear in mind, you will now be required by law to also notify authorities and users of a data breach within 72 hours.
2) It’s now all about documentation, transparency and enabling “data subject rights”.
There are also considerations such as providing users with “the right to be forgotten” – i.e. they can ask you to delete all the data you have accumulated on them. This goes back to the technical aspects of how you map your data, so that you know how to go back and delete the data relating to a specific user. Data portability is also a consideration (like asking Spotify to port all your playlists to Apple Music, for example).
(Figure: What Are the Biggest Concerns for You and/or Your Organization (in Relation to the GDPR)?)
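The two technical points above (keeping a separation between databases, and mapping your data so that a single user’s records can be found, exported and deleted) are easier to see in code. The following is an added example, not code from the original post: it keeps the only direct identifiers (email, name) in a separate identity store keyed by a random pseudonym, lets every other store see nothing but the pseudonym, and registers each store in a data map so that a subject’s export (access/portability) and erasure walk every store. All store names, class names and sample records are constructed for the illustration.

```python
"""Pseudonymised data layout with a data map for export and erasure.

Added example, not from the original post. Identifying data lives only
in IdentityStore; every other store holds a random pseudonym instead of
the email. DataMap is the registry of "which stores hold per-subject
data", so access, portability and erasure requests are a walk over it.
All data below is constructed sample data.
"""
import json
import secrets


class IdentityStore:
    """The only store holding direct identifiers; keep it separate and locked down."""

    def __init__(self):
        self._by_pseudonym = {}
        self._by_email = {}

    def register(self, email, name):
        # Random token: nothing about the person can be derived from it.
        pseudonym = secrets.token_hex(16)
        self._by_pseudonym[pseudonym] = {"email": email, "name": name}
        self._by_email[email] = pseudonym
        return pseudonym

    def lookup(self, email):
        return self._by_email.get(email)

    def export(self, pseudonym):
        return dict(self._by_pseudonym.get(pseudonym, {}))

    def erase(self, pseudonym):
        rec = self._by_pseudonym.pop(pseudonym, None)
        if rec:
            self._by_email.pop(rec["email"], None)
        return 1 if rec else 0


class EventStore:
    """Analytics-style store: rows carry the pseudonym, never the email."""

    def __init__(self):
        self.rows = []

    def record(self, pseudonym, event, ip):
        self.rows.append({"subject": pseudonym, "event": event, "ip": ip})

    def export(self, pseudonym):
        return [dict(r) for r in self.rows if r["subject"] == pseudonym]

    def erase(self, pseudonym):
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["subject"] != pseudonym]
        return before - len(self.rows)


class DataMap:
    """Registry of every store that holds per-subject data."""

    def __init__(self, identity):
        self.identity = identity
        self.stores = {"identity": identity}

    def register(self, name, store):
        self.stores[name] = store

    def export_subject(self, email):
        """Right of access: everything held about one subject, per store."""
        pseudonym = self.identity.lookup(email)
        if pseudonym is None:
            return None
        return {name: s.export(pseudonym) for name, s in self.stores.items()}

    def export_json(self, email):
        """Right to portability: the same export in a machine-readable form."""
        return json.dumps(self.export_subject(email), indent=2, sort_keys=True)

    def erase_subject(self, email):
        """Right to erasure: delete from every store; identity goes last so a
        failure part-way can be retried by email instead of leaving orphans."""
        pseudonym = self.identity.lookup(email)
        if pseudonym is None:
            return {}
        counts = {}
        for name, store in self.stores.items():
            if name != "identity":
                counts[name] = store.erase(pseudonym)
        counts["identity"] = self.identity.erase(pseudonym)
        return counts


def build_sample():
    """Constructed sample data: two users, three events, one data map."""
    identity = IdentityStore()
    events = EventStore()
    data_map = DataMap(identity)
    data_map.register("events", events)
    alice = identity.register("alice@example.com", "Alice")
    bob = identity.register("bob@example.com", "Bob")
    events.record(alice, "login", "203.0.113.7")
    events.record(alice, "purchase", "203.0.113.7")
    events.record(bob, "login", "198.51.100.9")
    return data_map


if __name__ == "__main__":
    dm = build_sample()
    print(dm.export_json("alice@example.com"))
    print(dm.erase_subject("alice@example.com"))
```

The point of the layout is that a breach of the event store alone exposes pseudonyms and IPs but no names or emails, and that a new store only has to implement `export` and `erase` and register with the data map to be covered by subject-rights requests; a store you forgot to register is exactly the data you would fail to delete.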
3) Nominate a Data Privacy Officer (DPO).
Appoint someone who will be responsible for staying “on top” of the GDPR compliance efforts and who will serve as the point of contact for any outside entity that wishes to assess your GDPR compliance level. This person should probably report to the CEO and have adequate power in the company, since these efforts will require company-wide cooperation across legal, product, marketing, and R&D. In addition, make sure that any third parties you work with who also have access to your data comply as well.
Work with your Product team to change mentality and move to a “Privacy by Design”, and “Privacy by Default” state of mind. Take a Privacy-First approach when designing new products so that they will be GDPR compliant from the get go. According to an EY survey, the most difficult aspects of GDPR were the right to be forgotten, data portability and explicit consent requirements.
4) Consider consulting with a third-party professional to help you get GDPR-ready.
You might want to consider engaging a third-party professional service provider who has expertise in GDPR readiness and works with technology companies. From my discussions with such providers, I found that an initial assessment and gap analysis report – which you can use as your GDPR-readiness blueprint – may cost you under $10K, so if you consider the impact of a breach of GDPR compliance, it’s worth the investment. You can then choose whether you’d like to further engage this third party to accompany you throughout the process, or whether you feel confident enough to carry out the readiness plan yourself.
5) Be prepared for a GDPR audit!
Just as you’d prepare early on to be IPO-ready or M&A-ready, rather than encounter obstacles too far down the track that might result in high costs and delays, have your data and privacy operations clearly logged, documented and ready to be presented. This may include security and access logs, security playbooks, details on what training was provided to employees and when, a list of the security measures and practices that were applied to your environments, all your documentation and written policies, and so on.
In a few years when the GDPR dust settles, I would like to believe we’ll live in a better, more transparent world, and that we as consumers will be in a position where we can better understand and take control over data that is now increasingly collected about us, often without our knowledge, let alone consent. Make no mistake, GDPR has repercussions on a global scale so it will not be long before regulation in other geographies will catch up. As we welcome in the new year, getting GDPR-ready is a positive step towards making our world better.