
Cybersecurity and breaches: what to do if your Texas startup suffers a data breach

1. Execute your cybersecurity protection plan

The problem is that lots of startups don’t already have a plan.

That’s completely foolish.

You need to already have a plan in place before any type of breach or cybersecurity “event.” There are guidelines and frameworks out there that help you do this. The goal is for your startup to:

identify: develop organizational understanding to manage cybersecurity risk

protect: develop safeguards

detect: implement activities to identify occurrence of a cybersecurity event

respond: create appropriate activities to take action regarding a detected cybersecurity event

recover: restore any capabilities that were impaired due to the cybersecurity event

Yeah, I know that sounds like a bunch of fluff, but get used to it. It’s actually the proper way to think about this kind of thing.

The National Institute of Standards and Technology provides more guidance on this.

2. Notify individuals according to Texas rules

The Texas Business and Commerce Code in section 521 says that a business has a duty to protect sensitive information and that a business has to give notification following a breach of security of computerized data. In other words, you have a legal responsibility to take action regarding a breach. You can’t just sweep it under the rug and hope no one notices.

3. Notify individuals of other states

If you’re running operations in other states, then you will need to comply with their security breach laws as well.

See here for a full list of these breach notification laws.

4. Follow GDPR breach rules

Under the GDPR breach and notification rules, if you’re the processor then you need to notify the controller. If you’re the controller, then notify the supervisory authority within 72 hours if there’s a breach and if there’s likely to be a risk to the rights and freedoms of natural persons. If there’s a high risk to the data subject and certain conditions are met, then the controller should communicate the data breach to the data subject in clear and plain language.

If you don’t know what any of this means then read my article on GDPR.

5. Deal with your cybersecurity insurance company/other relevant parties

Depending on how things go you may need to talk to your startup’s cybersecurity insurance company. Use the article linked on how to think about cybersecurity insurance issues. Be careful about not blowing the attorney-client privilege when dealing with your insurance company.

GDPR 101: What Startups Need to Know About GDPR

Table of Contents

I. Takeaways and Summary 
II. Introduction to GDPR for Startups: Understanding the Fundamentals
III. Who is Who: Defining Roles Under GDPR
IV. Adopt these Data Processing Principles
V. Your Startup Needs a Lawful Basis in Order to Process Personal Data
VI. Rights of the Data Subject
VII. What is the Relationship Between the Controller and the Processor?
VIII. Fines and Penalties Under GDPR
IX. Startup Checklist and Steps for GDPR Compliance
X. GDPR FAQ
XI. GDPR Compliance Tips for Startups

I. TAKEAWAYS AND SUMMARY

The General Data Protection Regulation (GDPR) is an EU regulation that primarily provides data protection for individuals. It applies to “controllers” and “processors”. Startups, companies, tech groups, etc. handle personal data all of the time. Depending on what the startup is doing, it will be classified as either a controller or a processor. A controller is one that determines the purposes and means of processing personal data, while a processor processes personal data. Both a controller and a processor must accomplish their tasks safely and lawfully according to GDPR. If these rules aren’t followed, massive penalties will be brought down on violators. GDPR also gives special rights to individuals whose data is being handled.

Key Point 1. Complying with GDPR: GDPR applies to EU-based organizations OR non-EU-based organizations that target, offer goods, etc. to EU-based individuals. Figure out your startup’s role under GDPR when it comes to dealing with personal data: it’ll be either a controller or a processor. Make sure the collection of data, storage, processing of data, etc. is done properly. Allow individuals whose data you are using to exercise their rights.

Key Point 2. A controller decides the purposes and means of data processing: A startup/company is acting as a data controller under GDPR when it decides the purposes and means of how personal data is processed. The controller is the party primarily responsible when it comes to handling and processing data. GDPR places obligations on the controller to make sure that contracts with processors are in order. The controller shall only use data processors that are able to process data safely. GDPR gives certain principles to abide by when dealing with an individual’s data.

Key Point 3. A processor processes the data and must have a legally valid basis for doing so: A startup/company is acting as the data processor when it processes personal data, and it must do so legally in accordance with GDPR. There must be a contract between the controller and the processor to govern this process. The meaning of “process” is extremely broad under GDPR and includes actions like manipulating, using, and handling data. A valid underlying basis for processing is required in order to process data, such as consent from the individual.

Key Point 4. Appointments to oversee the process: Certain parties such as a data protection officer are designated to assist in making sure things are done by the book, that proper procedures are being followed, etc.

Key Point 5. Individuals have rights over their data: The data subject, i.e. the EU individual whose data it is, has special rights with respect to their data such as the right of erasure of data and the right to be forgotten.

Key Point 6. Parties must take care to deal with breaches: If there is a data breach or other problem, then the issue must be addressed in a prompt manner according to GDPR.

Key Point 7. You better abide by the rules: Failure to abide by GDPR and its privacy concerns can result in massive penalties to the responsible party (not just a slap on the wrist).

Use the checklist in this article to help you approach GDPR systematically. Use the FAQ in this article to help fill in gaps in knowledge.

II. INTRODUCTION TO GDPR FOR STARTUPS: UNDERSTANDING THE FUNDAMENTALS

Data privacy is all the rage these days. Lots of asshole companies are selling your data for big bucks. Essentially, companies give you services that you pay for not via money but through data. Or they sell your data to create another revenue stream. There are lots of other issues.

A. Problems with data and data handling currently

You can easily tell that there are a few problems with companies utilizing data as a currency and selling your data.

a. data is a bizarre version of currency that doesn’t have the long historical precedent that liquid money has had for many thousands of years;

b. data is heavily tied to an individual and gives rise to privacy concerns;

c. the transaction involving data is not consensual as the lay person does not understand what is being transacted; and

d. data privacy and handling issues are not properly regulated, just yet.

I’m sure you can think of more issues.

B. GDPR’s objectives

GDPR attempts to resolve some of these issues and is point blank attempting to achieve these things:

a. protect people by making rules regarding the collecting, processing, and movement of people’s personal data; and

b. protect and establish rights and freedoms of people, particularly as it relates to their right to the protection of their personal data.

C. GDPR is applicable in two circumstances

So it’s clear that there are data privacy issues and that GDPR exists to deal with these concerns. When does GDPR apply to startups? GDPR applies in two situations:

a. the startup is located in the EU; or

b. the startup is not in the EU but is offering goods or services, targeting, etc. those in the EU.

If one of the above is true then GDPR will be applicable to the situation and must be followed. Who needs to follow it exactly? Essentially, GDPR lays it out for three primary parties: the people or startup deciding what to do with personal data (i.e. the controller), the person whose data it is (i.e. the data subject), and the people (startup) who are manipulating the data (i.e. the processor). It restricts and governs the roles and rights of each of these parties.

D. GDPR applies to protection of personal data

Thus far I have explained that GDPR applies to data protection and privacy issues concerning EU individuals, or startups in the EU. But to what type of data exactly does it apply? GDPR is concerned with the protection of personal data. Personal data is defined as information that relates to an identified or identifiable individual.

You should interpret this broadly and err on the side of caution. GDPR is really concerned about individual privacy. GDPR does not apply to information that is truly anonymous.

In this article, I’m going to define some of the parties, go over various roles, objectives, responsibilities, rights, and other matters. Then I’ll give a checklist of things to do in order for the startup to comply with GDPR and finally I’ll finish off with a FAQ.

As a side note, GDPR also explains what kinds of items the EU member states are to regulate. Essentially authorities of different governmental bodies get to enforce GDPR. Don’t worry too much about this.

III. WHO IS WHO: DEFINING ROLES UNDER GDPR

All right, so now I want to go over who is doing what with data and explain how their function is impacted or regulated under GDPR. Essentially your startup does some stuff with data. What does that mean exactly for GDPR purposes? The answer is that you need to figure out what kind of role you’re playing according to GDPR and then go from there. That will tell you what you can and can’t do with data and privacy and all of that. According to GDPR, depending on what you’re doing with people’s data, your startup will be classified as having a certain role. The startup has a role as either a controller or a processor. I explain what that means below. While I’m at it I’ll explain what the data protection officer is as well. And if your startup isn’t doing anything with anyone’s data, what role do you have then? None really, and in that case you don’t need to worry about GDPR. Note: a more robust checklist of objectives for the different parties is further down in this article.

A. Controller

Definition: this is the startup/company/group that determines the purposes and means for how personal data is processed (the how and why). Think of the controller as the main decision-maker. If your startup is deciding these kinds of issues when it comes to data, then your startup is a controller under GDPR. If you’re unsure who is the controller and who is the processor, think about who is the one calling the macro shots as far as why this data needs to be processed; that one will be the controller.

Practical Objectives of the Controller:

If your startup is a controller then you’ll have certain principles and objectives to deal with. Here they are.

1. Put in place appropriate technical and organizational measures to protect data and to make sure processing is performed properly

GDPR looks to make sure that companies that are behaving as controllers have safeguards when it comes to personal data. The controller needs to ensure the privacy of data (e.g. data is not made available to an indefinite number of people). GDPR repeatedly makes it clear that you need to adopt proper organizational measures to protect data. Your startup needs to make sure that it has proper data protection best practices procedures in place.

2. Be the main decision-maker

While a lot of the technical data handling and such will be done by the processor, the controller is the one that’s pulling the strings and is the main decision-maker. The controller is deciding the “purpose” and “means” of processing.

3. Shoulder responsibility

Just because you may not be doing a lot of the technical processing work does not mean you’re scot-free from GDPR. Controllers have the highest level of compliance responsibility. GDPR also puts the responsibility for compliance on the part of your processors on you. You must use and contract with processors that provide sufficient guarantees to implement appropriate technical and organizational measures.

When it comes to data protection and safe practices, it is ultimately the controller that bears most of the responsibility.

B. Processor

Definition: this is the company that is doing stuff with the data. It’s analyzing it, it’s breaking it down, it’s providing cloud services around it, etc. As I’ve mentioned, processing is very broad in GDPR. It includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, dissemination, and other operations performed on data. If your startup is doing those kinds of activities then it is a processor.

Practical Objectives of the Processor:

If your startup is a processor then you’ll have certain principles and objectives to deal with. Here they are.

1. Process personal data only when there is a proper contract in place

The processor shall engage with a controller to set out subject matter and duration of processing, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This is governed by contract between the controller and processor.

2. Have a proper basis for processing data

Make sure there is a proper basis for processing data. If you’re going to process personal data you have to have a lawful underlying reason for processing. There are only a handful of types of basis that are valid. You can’t just start processing data for whatever reason you want. More on this below.

3. Refrain from engaging with other processors or sub-processors without prior specific or general written authorization of the controller

When data processing obligations are transferred to a different processor, note that if the other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

4. Implement organizational and technical measures

As a processor you have responsibility to use proper data protection practices.

These organizational and technical measures include:

  • pseudonymisation and encryption of personal data

  • ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • ability to restore availability and access to personal data in a timely manner in the event of an incident

  • a process for regularly testing and evaluating the effectiveness of these measures

5. Be careful about high risk

Take special precautions if the processing uses particularly new technologies and poses a high risk to individuals. In such a scenario, the controller must consult the data protection officer, carry out a data protection impact assessment, and consult the supervisory authority.

6. Take certain actions when there’s a problem

As a processor you have a responsibility to let the appropriate parties know if there has been a data breach or other problem. You must notify data controllers without undue delay when the processor learns of a data breach.

C. Data subject

Definition: an identified or identifiable EU natural person whose data is being collected/processed. The data subject is not the startup; it’s the person whose data the startup is doing stuff with.

Practical Objectives of the Data Subject:

The natural person whose data is being subjected to all these rules does not necessarily have an objective, so to speak. Rather, this person has a number of rights as far as what happens/can happen with their data and has a number of remedies available to them.

GDPR aims to protect the handling of a data subject’s personal data. What is personal data? Personal data is any information relating to a person. This includes name, location data, social media usernames and information, biometric data, government ID numbers, and a whole host of other information. GDPR also highlights what it calls special categories of personal data, which include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, etc. The processing of these types of data receives increased scrutiny.

D. Data Protection Officer (DPO)

Definition: I mentioned that I would explain what the DPO is. The DPO is an expert that the controller/processor designates to oversee activities and make sure that the rules are abided by.

Practical Objectives of the Data Protection Officer:

1. Be designated by controller/processor as appropriate

2. Advise controller/processor of their GDPR obligations

3. Act as the contact point and cooperate with the Supervisory Authority (basically an independent public authority set up by an EU member state).

4. Have expert knowledge of data protection law and practices

5. Be able to advise independently despite being designated by an affiliated party

IV. ADOPT THESE DATA PROCESSING PRINCIPLES

GDPR stresses a number of principles when it comes to data processing. These are not necessarily strict rules per se but ideas that you need to adopt. A lot of people think that a regulation just lays it flat out that you must do X, Y, and Z. Yes, GDPR does do this, but it also gives general principles that you need to follow. In this section I go over those principles. How do you translate these principles into practical ideas? You adopt the principles into your technical systems, practices, and policies.

The controller is responsible and shall be able to demonstrate compliance with the following principles:

A. Lawfulness, fairness, and transparency: data is to be processed lawfully, fairly, and in a transparent manner in relation to the data subject; i.e. be transparent about what you’re doing.

B. Purpose limitation: personal data is collected only for specific, explicit, and legitimate purposes; i.e. it can only be collected for a specific purpose.

C. Minimized: data collected should be limited to only what is necessary in relation to the purposes for which they are processed.

D. Accurate: reasonable steps must be taken to ensure that data that is inaccurate is erased or rectified without delay.

E. Storage limitation: data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

F. Integrity and confidentiality: data should be processed in a manner that ensures appropriate security.

G. Processing special categories of personal data: processing is prohibited if it reveals certain sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, etc., or is carried out for the purpose of uniquely identifying a natural person or similar. If processing personal data relating to criminal convictions and such, then it must be done under the control of official authority or under another type of proper safeguard.

V. YOUR STARTUP NEEDS A LAWFUL BASIS IN ORDER TO PROCESS PERSONAL DATA

I mentioned that when it comes to data handling there is the controller and the processor. The controller is deciding the purposes and means of data processing. On what basis can data be processed and handled? That issue is covered in this section.

Let’s say your startup gets its hands on some data in the course of business. You can’t just start processing and doing stuff with it. GDPR does not work that way and does not allow you to do that. You have to have a lawful REASON for processing it. And remember: processing is very broad and it includes a ton of stuff.

So there has to be a valid lawful basis in order to process personal data. There are only a few bases available for processing. For some of the items, “processing is necessary” for a specific purpose. What does this mean? It means that if you can meet your purpose without processing the personal data, then you can’t use that particular basis as a lawful basis.

Figure out your lawful basis before you start processing and write it down. More on steps in a checklist down below. But for now just understand the concepts.

Here are the allowable bases in order to process personal data:

A. There is consent

Consent is a major basis for processing. When processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing. In order for consent to be valid the following must be true:

1. consent is clearly distinguishable from other matters
2. consent is in an intelligible and easily accessible form, using clear and plain language
3. the data subject has the right to withdraw his or her consent at any time
4. withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal
5. prior to giving consent, the data subject shall be informed thereof
6. it shall be as easy to withdraw consent as it is to give it
7. if the data subject is a minor, then the controller needs to make reasonable effort to verify that consent is given or authorized by the holder of parental responsibility over the child.

B. Necessary for performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

This can be a lawful basis for processing if processing an individual’s personal data is for the delivery of a contractual service to them or because they requested the action prior to entering into the contract.

C. Processing is necessary for compliance with a legal obligation to which the controller is subject

You can use this basis when processing is necessary to comply with the law or statutory reason.

D. Processing is necessary in order to protect the vital interests of the data subject or of another natural person

E.g., processing is necessary to protect someone’s life.

E. Processing is necessary for public interest reasons or in exercise of official authority vested in the controller

F. Processing is necessary for the purposes of legitimate interests pursued by controller or third party, except where interests of fundamental rights and freedoms of data subject outweigh those interests

VI. RIGHTS OF THE DATA SUBJECT

I mentioned that the data subject has certain rights under GDPR.

The controller shall facilitate the exercise of data subject rights as below. The information shall be provided without undue delay and in any event within one month of receipt (3 months if excessively complicated) of the request.

Reasonable requests shall be provided free of charge. If requests are excessive, then the controller can charge a reasonable fee.

Note: this is an important point a lot of people miss—some of these rights will be unavailable to the individual based on the lawful basis for processing. So for example, if the processing is on the basis of legal obligation then the individual’s right to erasure may not be available to the individual. You can understand that—if a court order requires a certain processing of data, the individual can’t just demand to have that data erased.

A. Right to be informed: individuals have the right to be informed about collection, use, and what’s going on with their personal data

B. Right of access: the data subject has the right to know whether or not personal data concerning him/her is being processed, and the purposes of processing, the categories of personal data concerned, and the recipients to whom the personal data has been disclosed

C. Right to rectification: data subject has the right for the rectification of inaccurate personal data concerning him or her

D. Right to erasure (right to be forgotten): right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data where one of the following grounds applies: personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or where consent is withdrawn

E. Right to restriction of processing: data subject has ability to restrict processing in certain circumstances such as when the accuracy of the data is contested or the processing is unlawful

F. Right to data portability: data subject has the right to receive the personal data concerning him/her which they have provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller

G. Right to object: the data subject shall have the right to object to processing of personal data, particularly when it concerns direct marketing purposes. This right shall be explicitly brought to the attention of the data subject.

H. Rights regarding automated individual decision-making: the data subject shall have the right not to be subject to a decision based solely on automated processing unless consented to by the data subject or necessary for a contract between data subject and data controller.

I. Right to lodge a complaint: every data subject shall have the right to lodge a complaint with a supervisory authority

J. Right to effective judicial remedy against a supervisory authority: each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

K. Right to an effective judicial remedy against a controller or processor: each data subject shall have the right to an effective judicial remedy where his or her rights have been infringed as a result of the improper processing of data.

L. Right to compensation: any person who has suffered material or non-material damage as a result of infringement of GDPR has the right to receive compensation from the controller or processor.

VII. WHAT IS THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE PROCESSOR?

A lot of what I have discussed so far should give you the clue that there is a relationship between a controller and a processor and that various responsibilities need to be clarified. The legally binding document that addresses these concerns between the controller and the processor is the Data Processing Agreement (DPA). So make sure you have this. Note that some parties, in rare occasions, do not call this a DPA and they may call it something else. Regardless, the main point is this: there needs to be a written contract between the controller and the processor that defines the terms of processing and other matters.

The DPA (or similar) needs to have the following:

- set out the subject matter of the processing

- duration of the processing

- the nature and purpose of the processing

- the type of personal data

- categories of data subjects

- the obligations and rights of the controller

- processes data only on instructions from controller

- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

- implementation of technical and organizational safeguards

- only engage with other processors as per authorization from controller

- assist controller in ensuring compliance

- delete or return all personal data at choice of controller

- makes available to the controller all information necessary to demonstrate compliance

VIII. FINES AND PENALTIES UNDER GDPR

Up above I detailed how to comply with GDPR rules and regulation. You need to figure out your role under GDPR as either a controller or a processor. You need to adopt proper data processing principles, have a proper basis for processing, enable data subjects to exercise their rights, and define the relationship between the controller and the processor.

Now I’m going to explain what happens if you don’t do those things—the answer to the “What ifs?” or “What if I don’t comply with GDPR?”

The following actions will be taken, most likely in order:

1. Disciplinary action or warning from the supervisory authority

While you may have heard that penalties under GDPR are huge, it’s not like they slap that on you on day 1. If you violate GDPR (and assuming it’s not a huge violation) you may get off with some type of disciplinary warning from the supervisory authority. If they’ve warned you and you still keep violating GDPR, then you’re more likely to be fined.

2. Fines and penalties under GDPR

If you violate GDPR you may be fined the greater of up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year.

This, in other words, is a ton of money. Fortunately for many companies this has not happened as of yet. However recent trends as of July 2019 show that regulators are stepping up their penalty game.

You can see a list of fines and notices here.

3. Lawsuits brought under GDPR

As I’ve mentioned before, lawsuits can severely damage your startup.

GDPR in Chapter 8: Remedies, Liability and Penalties states that any person who has suffered material or non-material damage as a result of an infringement of the regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Thus, plaintiffs have a legal theory upon which to pursue damages.

IX. STARTUP CHECKLIST AND STEPS FOR GDPR COMPLIANCE

Here is the checklist to follow for complying with GDPR.

___ 1. Figure out if GDPR is applicable to you

If you are located in the EU (either as a controller, processor, or data subject) then GDPR is applicable to you.

If you are located outside of EU but collect or process personal data of individuals inside the EU, then GDPR applies.

If you are not in the EU and the data subject is not in the EU, then don’t worry about GDPR.

[Article 3]

___ 2. Decide if you are a controller, processor, or data subject under GDPR

Controller: You are a controller if you decide the why and how of data processing

Processor: You are a processor if you process data (remember that this is broad)

Data subject: You are a data subject if you are a natural person in the EU whose information is being collected or processed

There are only a few real roles within GDPR. You will likely find yourself to be the controller, processor, or the data subject. Keep in mind that you may be both a controller and a processor or be a joint-controller with another party.

[Article 4]

___ 3. If you are the controller do the following:

___ 3a. Implement appropriate technical and organizational safeguards

One of the points that GDPR stresses is that parties need to take responsibility and make sure that they take proper measures to protect systems and data. In order to implement appropriate technical and organizational safeguards, do the following and if the data is of a high-risk nature, make your safeguards even more robust.

___ create internal company documents and practices that govern policies regarding data and data privacy and protection

___ educate employees and workers

___ institute proper cybersecurity protocols

___ draft a privacy policy

One of the most important items to include is the purpose of the processing as well as the lawful basis for which the data will be processed.

Additionally, include the information from Article 13 of GDPR if the personal data is collected from the data subject. Or include the information from Article 14 if personal data is not obtained from the data subject.

___ have a data breach plan

___ track thoroughly your own handling of data; keep records

___ have terms of service agreements drafted

___ perform data breach risk assessments

___ look at best practices within your industry; make sure appropriate certifications are in place; use guidelines provided by data privacy organizations.

___ have more robust safeguards if there is a large risk to the rights and freedoms of natural persons, including physical, material or non-material damage, or where processing may give rise to discrimination, identity theft, fraud, financial loss, etc.

___ implement appropriate data protection policies within your startup and use appropriate safeguards like pseudonymisation

[Article 24]

___ 3b. Have a plan in place to facilitate the exercise of rights of data subjects

These are the rights that I mentioned above. The best way to do this is have a system in place that will allow individuals to do what they need to do. Do this BEFORE you start handling data. Document how you will allow these rights to be exercised and allow it from a technical perspective.

The rights again are: right of access, right of rectification, right to erasure, right to restriction of processing, right to receive notification, right to data portability, various rights regarding automated individual decision-making, right to object, right to lodge a complaint, rights regarding judicial remedies, and right to compensation.

[Article 12]

___ 3c. Designate a data protection officer (DPO) in writing

Someone in your company can be designated as the DPO. As mentioned, this person is designated to help make sure rules are abided by. GDPR gives protections to make sure that this person isn’t compromised in terms of conflicts of interest. The DPO needs to have expert knowledge of data protection law. The DPO’s contact details need to be in the Data Processing Agreement. Additionally, make sure that the DPO has proper resources to carry out their tasks (i.e. don’t hide the ball from your DPO). The DPO should be allowed to operate relatively independently when it comes to items that the DPO feels need to be implemented for safeguarding data.

[Article 37]

___ 3d. Do a Data Protection Impact Assessment (DPIA) if the type of processing is likely to result in a high risk to the rights and freedoms of natural persons

One of the areas of concern that GDPR attempts to address is the safeguarding of data or processing of data that may be of high risk to people. In order to figure out what kinds of safeguards need to be implemented a Data Protection Impact Assessment (DPIA) should be performed.

Here’s how that’s done. According to GDPR, the DPO shall advise on the assessment, and a study of the risks is carried out. The DPIA must contain:

- systematic description of processing operations and purposes including interest pursued by the controller

- an assessment of necessity and proportionality of the operations in relation to the purposes

- an assessment of the risks to the rights and freedoms of data subjects

- the measures proposed to address the risks, including safeguards, security measures, and mechanisms to ensure protection of data and demonstrate compliance.

If the DPIA indicates that there is high risk, then the Supervisory Authority will need to be consulted.

[Article 35]

___ 3e. Have a plan in writing with the processor. Sign a Data Processing Agreement (DPA)

Essentially you need to make sure that parties you work with are compliant. Make sure you have the following:

- the subject matter of the processing

- duration of the processing

- the nature and purpose of the processing

- the type of personal data

- categories of data subjects

- the obligations and rights of the controller

- the processor processes data only on instructions from the controller

- the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

- the processor implements technical and organizational safeguards

- the processor only engages other processors as authorized by the controller

- the processor assists the controller in ensuring compliance

- the processor deletes or returns all personal data at the choice of the controller

- the processor makes available to the controller all information necessary to demonstrate compliance

[Article 28]

___ 3f. When collecting data, provide the data subject with the following information at the time the data is obtained

___ contact information

___ contact details of the DPO

___ purposes, legitimate interests, and legal basis for processing

___ recipients or categories of recipients of the personal data

___ if applicable, the fact that the controller intends to transfer personal data

___ period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period

___ existence of the rights of the data subject such as right of erasure

___ rights regarding consent and withdrawal of consent when processing is based on consent

___ explain the right to lodge a complaint with a supervisory authority

[Article 13]

___ 3g. Ask for consent when collecting data

___ Be able to demonstrate that the data subject has consented to the processing of his or her personal data

The way you do this is by getting consent in writing and having a paper trail.

___ Have the consent distinguishable from other matters in an intelligible and easily accessible form using clear and plain language

___ Make sure consent is freely given

Consent is not freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

___ Consent must be given for one or more specific purposes under Article 9(2)

Be articulate when you explain the purpose for which consent is needed.

___ Allow the data subject to withdraw his or her consent at any time.

Prior to giving consent, the data subject shall be informed of this. It should be as easy to withdraw consent as it is to give it. Make it easy for the data subject. Don’t play any games.

[Article 7]
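As an added example (not code from the original article), here is a minimal consent ledger that implements the Article 7 points above in a way that can be audited: consent is recorded per specific purpose, only an affirmative act counts, withdrawal is a single unconditional call, and the full trail can be produced to demonstrate consent. The purposes, the user id and the form version are constructed for illustration.

```python
# Added example (not part of the original article): a minimal consent ledger that
# implements the Article 7 points from the checklist above. Purposes, the sample
# user id and the form version are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the paper trail: who, for which purpose, granted or
    withdrawn, when, and what evidence backs it (form version + affirmative act)."""
    subject_id: str
    purpose: str
    granted: bool
    recorded_at: datetime
    evidence: str


class ConsentLedger:
    """Append-only record of consent, kept separately per purpose."""

    def __init__(self, purposes: Dict[str, str]) -> None:
        # purpose key -> plain-language description shown to the data subject,
        # kept apart from the terms of service so consent stays distinguishable.
        self._purposes = purposes
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def grant(self, subject_id: str, purposes: Iterable[str], affirmative_action: str,
              form_version: str, at: Optional[datetime] = None) -> int:
        """Record consent for the given specific purposes and return the number of
        entries written. All-or-nothing: an unknown purpose writes nothing."""
        if not affirmative_action.strip():
            # Silence, inactivity or a pre-ticked box is not consent (Recital 32).
            raise ValueError("consent requires an affirmative act by the data subject")
        purposes = list(purposes)
        unknown = [p for p in purposes if p not in self._purposes]
        if unknown:
            raise KeyError(f"purpose(s) never described to the data subject: {unknown}")
        at = at or self._now()
        for p in purposes:
            self._events.append(ConsentEvent(subject_id, p, True, at,
                                             f"form {form_version}: {affirmative_action}"))
        return len(purposes)

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        """Withdrawal is one unconditional call: as easy as giving consent."""
        self._events.append(ConsentEvent(subject_id, purpose, False, at or self._now(),
                                         "withdrawn by data subject"))

    def is_permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the latest decision recorded for this subject and purpose, as of
        `at`, is a grant. Defaults to not permitted: no record means no consent."""
        at = at or self._now()
        decision = False
        for ev in self._events:  # events are appended in chronological order
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.recorded_at <= at:
                decision = ev.granted
        return decision

    def evidence_for(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The full trail for one subject and purpose, to demonstrate consent on request."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def example_ledger() -> ConsentLedger:
    """Constructed sample: two separate purposes, one user who consents to only one."""
    ledger = ConsentLedger({
        "newsletter": "Send me the monthly product newsletter by email.",
        "analytics": "Use my usage data to improve the product.",
    })
    ledger.grant("user-42", ["newsletter"], "ticked the newsletter box", "consent-form-v3",
                 at=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = example_ledger()
    print("newsletter permitted:", ledger.is_permitted("user-42", "newsletter"))  # True
    print("analytics permitted:", ledger.is_permitted("user-42", "analytics"))    # False
    ledger.withdraw("user-42", "newsletter")
    print("after withdrawal:", ledger.is_permitted("user-42", "newsletter"))       # False
    for ev in ledger.evidence_for("user-42", "newsletter"):
        print(ev.recorded_at.isoformat(), "granted" if ev.granted else "withdrawn", ev.evidence)
```

Checking consent at the moment of each processing operation, rather than once at signup, is what makes the withdrawal right effective in practice.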

___ 3h. Record data processing activities

You need to do this if you are employing more than 250 persons or the processing is high risk to data subjects (even if you have fewer employees it is still a good practice to do this).

Maintain a record of the following information:

- name and contact details of the controller and DPO

- purposes of processing

- description of categories of data subjects and categories of personal data

- categories of recipients to whom data will be disclosed

- any transfers to a third country or organization

- the envisaged time limits for erasure of the different categories of data

- a general description of the technical and organizational security measures

[Article 30]

___ 4. If you are the processor do the following:

___ 4a. Implement appropriate technical and organizational safeguards

___ create internal company documents and practices that govern policies regarding data and data privacy and protection

___ educate employees and workers

___ institute proper cybersecurity protocols

___ have a data breach plan

___ track thoroughly your own handling of data. Keep records.

___ perform data breach risk assessments

___ look at best practices within your industry, make sure appropriate certifications are in place, use guidelines provided by organizations.

___ have more robust safeguards if there is a large risk to the rights and freedoms of natural persons, including physical, material or non-material damage, or where processing may give rise to discrimination, identity theft, fraud, financial loss, etc.

___ implement appropriate data protection policies within your startup and use appropriate safeguards like pseudonymisation

[Article 28]

___ 4b. Have an agreement with the controller (DPA)

Essentially you need to make sure that parties you work with are compliant. Make sure you have the following clauses or account for the following ideas:

- that data is processed only on instructions from the controller

- that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

- implementation of technical and organizational safeguards

- that other processors are only engaged as authorized by the controller

- assisting the controller in ensuring compliance

- deleting or returning all personal data at the choice of the controller

- making available to the controller all information necessary to demonstrate compliance

___ 4c. Make sure data can be lawfully processed.

Recall that there must be a lawful basis for processing. Make sure the basis you are using to process data is at least one of the following:

* consent: consent has been given for one or more specific purposes

* contract: processing is necessary for the performance of a contract to which the data subject is a party or will enter into

* legal obligation of controller: processing is necessary for compliance with a legal obligation to which the controller is subject

* protection of vital interests: processing is necessary in order to protect vital interests of the data subject or another natural person

* legitimate interests of controller or third party: it’s necessary for public interest or in the exercise of official authority vested in the controller (subject to the data subject’s fundamental rights)

[Article 6]

___ 4d. Have a lawful basis for processing AND satisfy a condition when processing special categories of data or criminal offense data

Special category data:

Be careful about processing special categories of personal data. Processing data revealing racial or ethnic origin, political opinions, etc., data used for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation is prohibited unless the data subject has given explicit consent.

Have a lawful basis and satisfy one of the conditions for processing listed in Article 9 Paragraph 2: https://gdpr-info.eu/art-9-gdpr/

Criminal offense data:

When processing data relating to criminal convictions etc., make sure you have a lawful basis and either process it under the control of official authority OR meet a specific condition under Article 10: https://gdpr-info.eu/art-10-gdpr/

[Article 9, 10]

___ 4e. Maintain a written record of all processing activities

If you are employing more than 250 persons or the processing is high risk to data subjects (yes, most startups don’t have that many employees, but even if you have fewer employees it is still a good practice to do this), record:

- name and contact details of processors and controllers

- categories of processing carried out on behalf of each controller

- any transfers of data to a third country or international organization

- a general description of the technical and organizational security measures

[Article 30]

___ 4f. Do NOT engage with other processors/sub-processors without authorization from the controller

___ 6. Items to complete if things go wrong

___ 6a. Have the plan already in place to deal with data breaches and other problems

As I’ve said elsewhere, it is important that you have a plan in place ALREADY and BEFORE troubles arise. Decision making gets fuzzy if you’re trying to do this when you’re already in the thick of it.

___ 6b. Notify the supervisory authority

The controller shall, without undue delay and where feasible not later than 72 hours after having become aware of a breach, notify the supervisory authority of the breach in detail. You must do this unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The processor should notify the controller without undue delay.

[Article 33]

___ 6c. Notify the data subject

If it’s likely that the breach will result in high risk to the data subject, the controller shall communicate the data breach to the data subject without undue delay. Describe it in clear and plain language. This is not necessary if any of the following conditions are met:

- controller has implemented appropriate technical and organizational protection measures (in particular those that render the data unintelligible such as encryption)

- controller has taken steps to ensure that high risk to data subjects won’t materialize

- it would involve disproportionate effort (in which case a public communication may suffice)

___ 6d. Work with supervisory authority to fix any violations

The authorities have been helpful in this regard, rather than blanket-fining companies the maximum allowable amount. Authorities will often issue a warning or tell a company that there is an issue. Expect that type of leniency to decrease as time goes on, however.


X. GDPR FAQ

Does GDPR apply to my startup?

If your startup is in the EU OR you’re targeting, soliciting, etc. EU individuals then GDPR applies to your startup.

[Article 3]

Do I have to follow GDPR if I collect data from my spouse/sibling/family member/friend?

Depends on why you’re doing it. This Regulation does not apply to the processing of personal data: 

  1. in the course of an activity which falls outside the scope of Union law;

  2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

  3. by a natural person in the course of a purely personal or household activity;

  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

So if you’re collecting data from a family member for some household activity, GDPR would not apply.

[Article 2]

Does my startup need to abide by GDPR if my company is in Texas and the data processing is happening in Texas? 

Yes; GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

In other words, if your Texas startup is targeting, soliciting, etc. EU individuals then GDPR applies to your startup.

Do I need to appoint a data protection officer (DPO)?

Yes, if the core activities of the controller or processor consist of processing operations; or if the core activities of the controller or processor consist of processing on a large scale special categories of data such as race, ethnic origin, genetic data, etc. or personal data relating to criminal convictions and offenses.

Am I a data processor under GDPR?

Processing is very broad under GDPR. If you are manipulating personal data and doing something with it, you are likely a processor. A controller is the one that determines why and how the personal data is being processed. Under Article 4, processing is:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

Thus, if you are performing operations on the data and you are not the one determining the why and how, you are a data processor.

What do I do under GDPR if there is a data breach?

A. put out notice to the appropriate parties usually within 72 hours; and
B. make sure appropriate technical and organizational protection measures are applied to the data

It is possible that notification is not necessary depending on the situation. Use the checklist above to decide exactly what to do.

[Article 33, Article 34]

Am I a controller under GDPR?

Yes if you are determining the purpose and means of the processing of personal data. Note that it is possible to be both a controller and a processor. There are also situations where there may be joint controllers.

[Article 4]

Am I a data subject under GDPR if I live in the U.S.?

No. The regulation applies to those data subjects that live in the EU.

[Article 3]

Where does the GDPR excel? 

It provides an excellent jumping point for future data privacy regulations. It also does a good job of having stringent penalties—no more simple wrist-slapping on huge data privacy infringers.

What is a privacy shield?

The Privacy Shield serves as a framework/system that ensures an adequate level of protection for transfers of data from the EU to a different territory. I will write a separate article on this later.

Does my startup need to appoint a data protection officer (DPO)?

Here’s how to figure that out. Your startup must appoint a DPO if:

a. your startup’s core activities require large scale, regular, and systematic monitoring of individuals; or

b. your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offenses; or

c. you are a public authority or body; or

d. you voluntarily wish to appoint a DPO

[Article 37]

Who can be a data protection officer (DPO) under GDPR?

This person can be a staff member of the controller or processor, or another person who fulfills the tasks on the basis of a service contract. The person needs to be well versed in data protection policies and GDPR.

[Article 37]

Can a minor give consent under GDPR? 

Yes, but only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

[Article 8]

Where does GDPR fail? 

The failures we have yet to see. There’s a model in this industry that you keep breaking things and fixing things as you go along. The problem so far has been that there are a number of startups and companies that are repeatedly violating GDPR and they are simply getting a slap on the wrist. Expect that to change within the next few years as companies get more accustomed to following the regulations and the tolerance of regulators diminishes.

Where can I read more information about GDPR?

Honestly, just read the regulation. It’s well written. Here is where you can find the regulation: https://gdpr-info.eu/. Use this article as a guide and read the relevant sections that you are interested in more detail.

What happens if my startup does not comply with GDPR?

Okay. So you may have heard that the maximum penalty is a fine of 20 million euros or 4% of the company’s annual global turnover, whichever is higher. This means that it could theoretically be in the billions.

If you don’t comply, the most likely thing that will happen is that you’ll be contacted about the infringement and you will be instructed to fix the issue in order to comply with GDPR. Fines will then be levied on further infractions. In other words, GDPR has a lot of teeth, but regulators have been extremely forgiving in how they go about getting you to comply. Expect that to change.

I didn’t follow GDPR when I started my startup, will I be fined a billion dollars?

No. The trend has been fairly gentle. You may (not even definitely) get a warning. From there, there will be an escalation of fines, and you will be instructed to fix compliance issues. Yes, the maximum penalty under GDPR is 20 million euros or 4% of global turnover. But you will likely not be penalized the maximum amount. The maximum is relatively high compared to other regulations in part to get big players to pay attention to GDPR.

So don’t worry too much. Yes you need to comply with GDPR. But don’t freak out about past issues as long as they are not ongoing.

What is personal data under GDPR?

Technically, personal data means any information relating to an identified or identifiable natural person. You can imagine what that means. It includes items like:

  • names

  • phone numbers

  • driver’s license number

  • email addresses

  • home address

  • social media usernames

  • financial information like credit card numbers, bank account numbers, etc.

  • identification numbers like social security number

  • genetics information

  • biometric data

  • many other forms of information

[Article 4]

Does my startup need to appoint a data protection officer (DPO)?

Not necessarily: it is only required for controllers and processors whose main operations concern regular and systematic monitoring of data subjects on a large scale, or processing activities regarding data concerning criminal convictions and offenses.

If your startup is doing regular processing and the like then yes you should appoint one. It is not difficult. Keep in mind that the DPO can be an “in-house” individual.

What do I do if things went wrong?

Figure out if there has been a breach. A breach under GDPR is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Not all breaches are the same. Not all of them harm the data subject. If however it could result in risk to the data subject then notify the Supervisory Authority without delay and no later than 72 hours from learning of the breach. If you don’t do it within 72 hours then make sure to explain why there is a delay.

If you need step by step instructions, go to the checklist above and follow the directions under what to do if things go wrong.

Can I have a pre-ticked box for consent?

No. Silence and pre-ticked boxes, or inactivity do not constitute consent.

[Recital 32]

What are the rights of the data subject?

I’ve highlighted those up above. They are:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure (right to be forgotten)

  • Right to restriction of processing

  • Right to data portability

  • Right to object

  • Rights regarding automated individual decision-making

  • Right to lodge a complaint

  • Right to effective judicial remedy

  • Right to an effective judicial remedy against a controller or processor

  • Right to compensation

The important thing is to not necessarily know all of these off the top of your head but rather to design your platform with those in mind. Another trap that many people miss in understanding GDPR is that these rights are not always available to individuals. The rights that are available are subject to the lawful basis of processing that is used.

[Chapter 3]

Who can be a Data Protection Officer?

This is pretty flexible and can be a staff member of the controller or processor or someone on a contractual basis.

[Article 37]

What are the tasks of the Data Protection Officer?

- inform and advise the controller and processor of their GDPR obligations

- monitor compliance with GDPR

- cooperate with the supervisory authority

- act as contact point for the supervisory authority

- have due regard to the risk associated with processing operations

[Article 39]

What is a GDPR representative?

Unless the processing is occasional (and there is no large-scale processing of a special category of data), a controller or processor that is outside of the EU should designate an EU-based representative. The representative should act on behalf of the controller or processor and may be addressed by any supervisory authority.

Basically, the EU wants an EU-based contact point if the controller or processor aren’t based in the EU. In some ways it is like having a registered agent in a state for corporate filings.

[Article 27]

What is data processing?

Data processing is extremely broad in GDPR. Think of any technical action performed on the data as amounting to processing. The GDPR in Article 4 describes processing as any operation or set of operations which is performed on personal data such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, restriction, dissemination or otherwise making available, etc.

Am I the controller or the processor of data under GDPR?

Determining roles: sometimes it is difficult to know who is a controller and who is a processor. Keep in mind that it is possible that there are joint controllers. In such a situation they need to transparently determine their respective responsibilities for compliance. The essence of that arrangement shall be made available to the data subject.

The easiest way to figure out is this:

If you are responsible for deciding why and how the data will be processed you will be considered the controller. If you are processing the data on behalf of a data controller then you are the data processor.

I know. This can get confusing. Keep in mind that there are some situations where you will be considered joint-controllers or even both a controller and a processor. I have even seen situations where in a contract the role flips between controller and processor. If you are a processor typically and you help the controller determine the purpose and the means of processing then you will be considered a joint controller.

What if the contract says my startup is the processor but I think my startup is the controller?

This is a question of what is more “correct”—the substance or the form? It does not matter what is in the contract. If your startup determines the “purposes and means” of processing, your startup is a controller—it doesn’t matter how you are described in the DPA or other contract.

What is the future of GDPR?

In regards to GDPR, I suspect we will see the following:

  • certifications issued by independent groups to allow companies to say that they comply with GDPR.

  • a lot of complaining from some big profile companies about GDPR

  • other jurisdictions will develop laws and regulations modeled on GDPR

  • size of fines to increase over time

  • companies will still violate GDPR and hope that they are small enough to not be caught; companies will still hide the ball from individuals and individuals will still not know to what they are exactly consenting. The cat and mouse game will continue (or maybe it’s just started).

Does GDPR apply to companies?

The rules and regulations of GDPR apply to companies in that companies need to follow GDPR. However, if you’re wondering about the protections of a company’s ‘data’, then no, information about companies or public authorities is not personal data. But information about individuals in their roles in a company (such as employees, directors, etc.) may be personal data, as it is individually identifiable.

Does GDPR apply to a deceased person?

Information about a person who has died is not personal data; therefore GDPR does not apply to it.

What kinds of fines will there be under GDPR?

Under GDPR violators may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. That is a MASSIVE amount for some companies.

While these numbers can be quite scary, regulators have not yet fined companies that much. The biggest fines have been laid down by the Information Commissioner’s Office (ICO), the UK body that upholds information rights. In July 2019 Marriott was fined 99 million pounds and British Airways was fined 183 million pounds.

[Article 83]

XI. GDPR COMPLIANCE TIPS FOR STARTUPS

1. Re-read the takeaways and summary at the top of the article. Just understand the basics at the least. It’ll put you past 99% of the people out there.

2. Try to limit the amount of data you collect. Practice data minimization. Taking in less data forces you to be more exacting about what you’re doing and shows that you have data protection discipline.

3. Really know and understand what the basis for processing is. This is extremely important for GDPR compliance. A lot of talk I hear is about how GDPR is just about consent. It’s not. There are other types of bases to explore.

4. Practice good data handling housekeeping. There’s that idea—how you do anything is how you do everything. Set a good tone within your startup.

5. Don’t get tricky with consent issues. I see a lot of companies still mess this up. Don’t get too cute. Consent shouldn’t be a difficult thing.

6. Give users more control over their data. Create a digital section and really empower users to take control over their data.

7. There may be times that you didn’t necessarily have consent for a particular piece of data. See if you can use performance of a contract as a basis for processing. You won’t be able to use performance of a contract as a basis when dealing with sensitive personal data that is high risk in nature. For that you will need explicit and clear consent. But for other issues you may be able to rely on performance of a contract.

8. The substance is more important than the form: if contract says you’re a controller but you’re behaving like a processor, then you’re a processor.

9. Try not to switch basis for processing, particularly mid-stream. The one that is most risky is to switch from consent basis to some other basis. That will get you in trouble. Purposes can change, and you might be able to continue processing under the original basis if there’s compatibility.

10. When processing special categories of personal data (sensitive data), make sure to have a lawful basis for processing AND satisfy a condition for processing. See Article 9 Paragraph 2 for the list of conditions.

11. Don’t bundle consent requirements with other terms and conditions. Keep it separate.

12. Document, document, document everything you can. It helps show compliance.