
Data protection and startups: what basis do I use under GDPR?

I’m going to talk about the lawful basis for processing under GDPR today, because this is where a lot of people get confused.

Do NOT mess around with this topic because it will get you into hot water. By now you should know that there are severe penalties under GDPR. It’s not a subject to take lightly.

As I’ve mentioned before, under GDPR you can’t just process personal data for the hell of it. You have to have a purpose for processing and you have to have a lawful basis for it. A lawful basis is different from a purpose. Think of it this way: the purpose is why you’re going to process data. The basis is the legal justification that allows you to process data for that purpose. It’s the grounds for processing. There are only six available bases for processing (Article 6(1)(a) to (f)). You must pick the basis that’s appropriate for your purpose, and you must have identified it before you start processing.

This article is in three parts. The first part tells you when to use which basis. The second part goes over the legitimate interests basis which is one of the more confusing bases for individuals. I’ll end by giving tips on this topic.

If you don’t know what GDPR is, if you don’t know how GDPR works, or if you’re completely confused on this topic read this other article first: GDPR 101: What Startups Need to Know about GDPR

I. WHEN TO USE WHICH BASIS

i. CONSENT BASIS:

Meaning: the data subject has given consent to the processing of their personal data for one or more specific purposes

Use this when:

  • you can offer someone a genuine, freely given choice, and you’re prepared to stop processing if they say no or later withdraw.

Don’t use this when:

  • you can’t offer the person a genuine choice. If you plan on processing the data under a different basis regardless of what the data subject says, and you still ask for consent, that’ll get you in trouble. Asking for consent in that situation is misleading.

  • you’re going to process regardless of whether the data subject withdraws consent. In that case you’re not selecting the right basis. Keep in mind that one of the points of consent is that a data subject can withdraw it at any time, and withdrawing has to be as easy as giving it (Article 7(3)).

  • you expect to switch to a different basis later (from consent to something else). If you’d carry on processing under another basis anyway, the request for consent was never sincere.

ii. CONTRACT BASIS:

Meaning: processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract

Use this when:

  • there’s a contract with the data subject, or the data subject has asked you to take steps before entering into one (for example, giving them a quote). Keep in mind that it needs to be the data subject who is a party to the contract.

Don’t use this when:

  • you have a contract with someone else to process a third person’s data. This basis only covers the data subject’s own contract with you; a client engaging you to process their users’ data is not that.

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

iii. LEGAL OBLIGATION BASIS:

Meaning: processing is necessary for compliance with a legal obligation to which the controller is subject

Use this when:

  • your purpose is to comply with a legal obligation and processing is necessary to do so (think: a statute, regulation or other legal duty that requires it). Generally speaking, you’re probably not going to be using this basis very much beyond things like tax, accounting and employment records.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

iv. VITAL INTERESTS BASIS:

Meaning: processing is necessary in order to protect the vital interests of the data subject or of another natural person

Use this when:

  • there’s a life or death situation (or another serious threat to someone’s life) and you need to process data to deal with it. This one is not difficult to understand. Recital 46 says it should only be relied on where the processing cannot manifestly be based on another basis, so don’t treat it as a general-purpose fallback.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

v. PUBLIC INTEREST BASIS:

Meaning: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Use this when:

  • you’re performing a task in the public interest or exercising official authority laid down in law. This is mainly for public authorities and bodies acting under a statutory function; most startups won’t use it.

Don’t use this when:

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

vi. LEGITIMATE INTERESTS BASIS:

Meaning: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Use this when:

  • you can take full responsibility for justifying the processing: you’ve identified the interest, shown the processing is necessary for it, balanced it against the data subject’s rights (see Part II), and written that analysis down.

Don’t use this when:

  • you feel like it’s the broadest basis, and so you select it. It’s true that this is the broadest of the six, but there’s also more scrutiny attached to it. Also note that public authorities can’t rely on it for processing done in the performance of their tasks (last paragraph of Article 6(1)).

  • processing is not necessary to meet the purpose for processing. If you can meet the purpose without processing the data, then you can’t use this basis.

II. WHAT IS THE LEGITIMATE INTERESTS BASIS?

This basis is often the most confusing for people to understand. What is a legitimate interest? The concept is broad, vague, and has not been fleshed out thoroughly yet. I suspect this will change in the next few years. Recital 47 gives some examples, including preventing fraud and direct marketing, and Recitals 48 and 49 add intra-group transfers for internal administrative purposes and ensuring network and information security. When thinking about the legitimate interests basis, consider the following:

i. Can you reach the purpose without processing the data, or with less data? If yes, then don’t use legitimate interests as a basis.

ii. There are many legitimate interests. GDPR is intentionally broad on this. However, the key consideration is whether the data protection principles can still be adhered to. What does this mean? You know all of those principles of GDPR in Article 5 (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability)? You really must consider them as they relate to your interest in processing data. Be careful of just saying “oh I have a legitimate interest so I can process this.” No. It doesn’t work that way. You have to consider data protection as a matter of policy. Don’t play games with this.

iii. Figure out whether the need for processing is outweighed by the interests or rights of the data subject. This is not a willy-nilly consideration. Recital 47 ties it to the data subject’s reasonable expectations at the time and in the context of the collection: if they wouldn’t reasonably expect the processing, or it could cause them unjustified harm, their interests are likely to override yours. Write the analysis down so you can show it later.

III. TIPS FOR UNDERSTANDING BASIS UNDER GDPR

  1. Have a basis. You have to process data lawfully and you must have a basis for processing. There are only six available bases that are lawful. So if you don’t have a basis that means that you’re processing data unlawfully.

  2. Difference between PURPOSE and BASIS. Purpose is why you’re processing data; basis is what underlying principle you are using that will allow you to process data.

  3. Purpose first. First thing you should do is decide the purpose for processing data. Then select the basis. This will help you abide by the ideas/principles of purpose limitation.

  4. Know from the get-go. Know what basis you’re going to use before you start processing data. You will need to put the purpose of processing and the basis in your documentation, so it’s best to know these items from the start. You can change to a different one later, but that may be deemed unfair to the data subject. Doing too much bullshit will put you in hot water with regulators.

  5. Put this stuff in your privacy notice. The privacy notice should include the purpose for processing and the lawful basis (Articles 13 and 14 require both), and if you’re relying on legitimate interests, what those interests are.

  6. No best basis. There’s no overall best basis or anything like that. There’s just the best basis for the purpose. If one basis fits better than another, that’s fine—go with the better one from the start.

  7. Yes, you can switch basis, but you must have a very good reason to do so. Switching after the fact is likely to be seen as unfair to the individual, so it comes with increased scrutiny. If you decide to switch, make sure you inform the individual. Keep in mind that switching from consent to a different basis is especially frowned upon, as it suggests the individual never had a genuine choice when giving consent in the first place.

  8. Understand what “necessary” means. Some of the bases require that the processing is “necessary”. Be careful about using these bases. And understand what this means. This does not mean that that you can only use these bases if the world is going to end. It’s not that strict. It doesn’t mean that processing has to be completely essential. ICO states that “ . . . it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.”

  9. Applies to Texas startups: as a reminder, GDPR can and does apply to Texas startups. If you’re in Dallas or Houston and you’re doing business activities with EU individuals, or targeting them, etc. then you will need to abide by these rules.

  10. Not all rights apply. As you know, GDPR gives rights to individuals. Note that the basis you select affects which rights are available. For example, the right to object (Article 21) applies to processing based on public task or legitimate interests, so an individual generally can’t object to processing based on contract; the right to data portability (Article 20) applies only where the basis is consent or contract; and the right to withdraw consent only exists where the basis is consent.

  11. Be careful about legitimate interests. Yes, it’s the broadest basis. If you are considering it, make sure you do the proper diligence and are able to properly justify using it.

  12. Contact. Shoot me an email if you have any questions on this topic.

Startups and cybersecurity insurance FAQ

What is cybersecurity insurance?

As I’ve mentioned before, “cyber”, “cybersecurity” and similar terms are still unsettled in a number of industries, including the legal industry. The insurance industry is also still warming up to these ideas. In essence, cybersecurity insurance (also called cyber liability insurance) is a policy designed to help cover liability and losses that may result from data breaches, cyber attacks and similar events.

Does my startup need cybersecurity insurance?

YES: if your company is sizable or handling data is a core business practice

NO: if your company just started and you have not established an MVP

Don’t panic about getting cybersecurity insurance on day one. Remember formational issues first. This is all a process; work through the phases of the business systematically.

What is the difference between D&O, E&O, CGL and FLI insurance?

Commercial General Liability Insurance (CGL): this is the basic type of insurance policy and almost every business needs it. It’s the broad policy that covers general business risks such as bodily injury or property damage on business premises or otherwise arising from business operations. Note that many CGL policies exclude cyber attacks and data breaches, so don’t assume you’re covered.

Directors and Officers Liability Insurance (D&O): this is a type of insurance that indemnifies for losses arising from wrongful acts of directors and officers.

Errors and Omissions Insurance (E&O): this is a type of insurance for service providers; it covers claims arising from a failure to perform, or from financial loss caused by, the service or product sold by the policyholder.

Fiduciary Liability Insurance (FLI): this is a type of insurance that is designed at protecting businesses’ and employers’ assets against fiduciary related claims of mismanagement of a company’s employee benefit plan. If administrators violate Employee Retirement Income Security Act (ERISA), FLI insurance may be involved.

There are a billion other types of insurance out there. These are just some of the bigger ones. Work with your insurance provider to see what exactly you need for the industry that your startup is in.

What is covered under a cybersecurity insurance policy?

Different items. Don’t think that just because you have “some type of cybersecurity insurance” you’re totally set. You’ll need to do some research into what is appropriate for your type of business. Some policies cover data breaches (first-party coverage: your own costs, such as forensic investigation, notification and recovery, when your information is attacked). Others, such as cyber liability insurance, cover third-party claims, i.e. costs when the startup is accused of negligently allowing a cyber event that harmed someone else.

Additionally, what is covered will vary from policy to policy. One important item to consider is total coverage vs. coverage per incident. Just because you get a million dollar policy, that does not mean that if you suffer a breach you can recover $1 million. Look at the per-incident limit, the aggregate limit for the policy period, the deductible and the timing rules under the policy.

Additionally, you’ll also have to see what is covered vs. what’s not. There may be some types of data breaches or causes of data breaches that won’t be covered under a policy. See what’s excluded and what’s not under an insurance policy.

Who should I talk to and who should I get insurance from for my startup?

Talk to at least three insurance providers. There are lots of insurance companies out there such as Travelers, CNA, etc. Rates vary wildly—often for the same exact thing. It is a good idea to do some searching because of this issue. The other important item to remember is that you should get insurance from a reputable company. Don’t reach for the bottom of the barrel. The last thing you need is for some cyber event/data breach to happen and you have a lousy insurance company play games with you.

What is this about privileged communications?

Okay. This is something you may have heard rumblings about. Essentially it is this: your communications with your lawyer are privileged (this means something specific, but for now just think of it as the confidentiality of the communication being protected). However, you can waive that privilege if a certain type of third party is present during the communication. So, if you’re talking to your lawyer about something very confidential regarding a particular data breach or other cyber event, the protection may be lost if a third party such as an insurance agent is present. Work with your lawyer to decide which kinds of communications are appropriate to have with an insurance agent.

Can you list the steps to get insurance?

Yes:

  1. talk to insurance providers;

  2. understand how policies work;

  3. decide how much coverage you need;

  4. talk to insurance providers again with a better understanding of all of this;

  5. fill out the application (which may be time consuming with a number of technical questions).

How much does coverage cost?

The annoying answer is that it depends. If you’re handling sensitive data and you’re in the health care industry, then it will likely be higher. If your company has high revenues and is in the data handling business, then you’ll likely be paying more for coverage because you need that coverage to be adequate.

If policies are too expensive, see what you can do about getting that rate down. Can you deal with having a higher deductible? How much coverage do you actually need? There are ways to play with the numbers to get something appropriate for your startup. And again, talk to more than one insurance provider.