
How do Texas startups comply with GDPR?

Even if your startup is in Houston or Dallas, it may need to comply with GDPR under certain circumstances. Here’s what to do.

  1. Figure out if GDPR applies to your company

  2. Figure out which role you play under GDPR

    You’re a controller if you decide the purposes and means of processing. You’re a processor if you—wait for it—process personal data on behalf of a controller. Keep in mind that it is possible to be both a controller and a processor.

  3. Adopt GDPR principles

    You must abide by these principles under GDPR: data is processed lawfully and fairly; it is collected for a limited purpose (purpose limitation); it is not collected excessively (minimization); it is accurate; it is kept no longer than needed (storage limitation); and it is processed confidentially and with integrity.

  4. Figure out the purpose and basis for processing

  5. Implement technical and organizational safeguards

    Your startup needs to be properly equipped, both technically and organizationally, to handle personal data and its processing.

  6. Make appointments under GDPR

    You may have to appoint a Data Protection Officer if you regularly and systematically monitor data subjects or if you handle sensitive data; you may also have to appoint a representative in the EU (similar to a corporate registered agent for business filings, but located in the EU for data protection purposes).

  7. Allow data subjects to exercise their rights

    Under GDPR data subjects have certain rights to their data. Make sure you allow them to exercise these rights. Remember that some rights will be unavailable depending on the basis used for processing.

  8. Make sure contracts, privacy policy, etc. are properly in place

    There are relationships you’ll need to tend to—between the data subject, controller, and processor. See here for what you need in those documents.

  9. Maintain good records

    Depending on the size of your organization, you may need to keep records of processing activities. It’s a smart idea to keep records regardless.

  10. Report if you have any breaches or if there are other issues

    You have a duty to report breaches and other issues under GDPR.

    Don’t relax immediately, though: you may also have to report to the affected individuals, and notification requirements in different states may apply as well.

  11. Review this article to make sure your understanding is well-rounded

    Remember—bits and pieces of information are largely useless. Make sure you have a good organized understanding of all of this. Read this article for an overview of GDPR.

Data protection and startups: what basis do I use under GDPR?

I’m going to talk about basis for processing under GDPR today because this is where a lot of individuals get confused.

Do NOT mess around with this topic because it will get you into hot water. By now you should know that there are severe penalties under GDPR. It’s not a subject to take lightly.

As I’ve mentioned before, under GDPR you can’t just process personal data for the hell of it. You have to have a purpose for processing and you have to have a lawful basis for it. A lawful basis is different from a purpose. Think of it this way: the purpose is why you’re going to process data. The basis is the underlying justification for how you’re legally able to process data. It’s the grounds for processing. There are only six available bases for processing. You must pick the basis that’s appropriate for your purpose.

This article is in three parts. The first part tells you when to use which basis. The second part goes over the legitimate interests basis which is one of the more confusing bases for individuals. I’ll end by giving tips on this topic.

If you don’t know what GDPR is, if you don’t know how GDPR works, or if you’re completely confused on this topic, read this other article first: GDPR 101: What Startups Need to Know about GDPR

I. WHEN TO USE WHICH BASIS

i. CONSENT BASIS:

Meaning: the data subject has given consent to the processing for one or more specific purposes

Use this when:

  • you can offer someone a genuine choice.

Don’t use this when:

  • you can’t offer the person a genuine choice. If you plan on processing data by using a different basis regardless of what the data subject says and you still ask for consent—that’ll get you in trouble. Asking for consent in that situation is misleading.

  • you’re going to process regardless of whether the data subject withdraws consent. In that case you’re not selecting the right basis. Keep in mind that one of the points of consent is that a data subject can withdraw consent as appropriate.

  • you switch to a different basis for processing (from consent to a different basis). In that case requesting consent is not sincere.

ii. CONTRACT BASIS:

Meaning: processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract

Use this when:

  • there’s a contract with the data subject or in anticipation of one (beginning stages of a contract). Keep in mind that it needs to be the data subject that is a party to the contract.

Don’t use this when:

  • you have a contract with someone to process someone else’s data. The data subject must be a party to the contract.

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

iii. LEGAL OBLIGATION BASIS:

Meaning: processing is necessary for compliance with a legal obligation to which the controller is subject

Use this when:

  • your purpose is to comply with a legal obligation and it’s necessary to process data (think: a law or legal principle requires you to do this). Generally speaking, you’re probably not going to be using this basis very much.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

iv. VITAL INTERESTS BASIS:

Meaning: processing is necessary in order to protect the vital interests of the data subject or of another natural person

Use this when:

  • there’s a life or death situation and you need to process data. This one is not difficult to understand.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

v. PUBLIC INTEREST BASIS:

Meaning: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Use this when:

  • you’re carrying out a governmental function or something similar.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

vi. LEGITIMATE INTERESTS BASIS:

Meaning: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Use this when:

  • you are able to take full responsibility for justifying your processing.

Don’t use this when:

  • you feel like it’s the broadest basis, and so you select it. It is true that this is the broadest basis of the six, but there’s also more scrutiny attached to it.

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

II. WHAT IS THE LEGITIMATE INTERESTS BASIS?

This basis is often the most confusing basis for individuals to understand. What is a legitimate interest? The concept is pretty broad, vague, and has not been fleshed out thoroughly. I expect this to change in the next few years. You can see Recital 47 for some examples of legitimate interests. When thinking about the legitimate interests basis, consider the following:

i. Can you reach the purpose without processing the data? If yes, then don’t use legitimate interests as a basis.

ii. There are many legitimate interests. GDPR is intentionally broad on this. However, the key consideration is whether the general principles of data protection can still be adhered to. What does this mean? You know all of those principles of GDPR—the goals and objectives of it? You really must consider the principles of data protection as they relate to your interest in processing data. Be careful of just saying “oh, I have a legitimate interest so I can process this.” No. It doesn’t work that way. You have to consider data protection as a matter of policy. Don’t play games with this.

iii. Figure out if the need for processing is outweighed by the interests or rights of the data subject. This is not a willy-nilly consideration. You need to really analyze this part.

III. TIPS FOR UNDERSTANDING BASIS UNDER GDPR

  1. Have a basis. You have to process data lawfully and you must have a basis for processing. There are only six available bases that are lawful. So if you don’t have a basis that means that you’re processing data unlawfully.

  2. Difference between PURPOSE and BASIS. Purpose is why you’re processing data; basis is what underlying principle you are using that will allow you to process data.

  3. Purpose first. First thing you should do is decide the purpose for processing data. Then select the basis. This will help you abide by the ideas/principles of purpose limitation.

  4. Know from the get-go. Know what basis you’re going to use before you start processing data. You will need to put the purpose of processing and basis in your documentation. It’s best to know these items from the start. You can change to a different one later, but that may be deemed to be unfair to the data subject. Doing too much bullshit will put you in hot water with regulators.

  5. Put this stuff in your privacy notice. Privacy notice should include the purpose for processing and the lawful basis.

  6. No best basis. There’s no overall best basis or anything like that. There’s just the best basis for the purpose. If one basis fits better than another, that’s fine—go with the better one from the start.

  7. Yes, you can switch basis: you can switch basis, but you must have a very good reason to do so. You need a good justification because switching is considered unfair to the individual, so it comes with increased scrutiny. If you decide to switch, make sure you inform the individual. Keep in mind that switching from consent to a different basis is especially frowned upon, as it means the individual did not have a genuine choice to begin with when giving consent.

  8. Understand what “necessary” means. Some of the bases require that the processing is “necessary”. Be careful about using these bases, and understand what this means. It does not mean that you can only use these bases if the world is going to end. It’s not that strict. It doesn’t mean that processing has to be completely essential. The UK ICO states that “ . . . it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.”

  9. Applies to Texas startups: as a reminder, GDPR can and does apply to Texas startups. If you’re in Dallas or Houston and you’re doing business activities with EU individuals, or targeting them, etc. then you will need to abide by these rules.

  10. Not all rights apply. As you know, GDPR gives rights to individuals. Note that the basis you select affects which rights are available to the individual. For example, the individual may not have the right to object to processing if the basis is contract.

  11. Be careful about legitimate interests. Yes, it’s the broadest basis. If you are considering this basis, then make sure you do the proper diligence and make sure you’re able to properly justify using it.

  12. Contact. Shoot me an email if you have any questions on this topic.