Young entrepreneurs tend to put data protection aside because it seems like something of a nuisance. But the truth is that implementing data protection measures at the early stage of your startup will be beneficial in the long run. Don’t follow the example of Delivery Hero, which received one of the highest GDPR fines ever imposed in Germany, amounting to €195.000.
To help you find your way through the jungle of data protection and GDPR, we listed a few key things you should be aware of. This is by no means a comprehensive list of legal advice, but rather a useful guide to kickstart your mission of being GDPR compliant.
In short, the GDPR applies when you process personal data. But what does that actually mean? Let’s start with some basic definitions:
What is personal data?
Personal data is any kind of information that relates to and identifies an individual. This may be a name, a number or an online identifier such as an IP address or cookies. Information that, combined with other information, allows you to indirectly identify someone also counts as personal data.
What does ‘processing personal data’ mean?
‘Processing’ refers to any operation performed on that data, whether automated or not. For instance, this can mean collecting, storing, modifying, publishing, combining or destroying it.
Under which legal basis can you process personal data?
1. Vital interest: To protect someone’s life.
2. Public task: To perform a task in the public interest.
3. Contract: Because the processing is necessary for a contract you have with the individual.
4. For compliance with legal obligations.
5. Due to the legitimate interest of the data controller (most flexible lawful basis).
If you want to dive deeper, the Information Commissioner’s Office provides a comprehensive guide to the GDPR where you can easily search through definitions at a glance.
Now let’s have a look at more hands-on recommendations on what to look out for:
Be aware of the principle ‘Privacy by Design and by Default’
If you are developing a technical prototype that processes personal data, I promise it is worthwhile thinking about data protection now. According to the basic principle ‘Privacy by Design and by Default’, the product must be designed in a way that data protection is already implemented in the default settings. We dedicated an extra blog article to this important principle.
When cold calling, comply with the German Act Against Unfair Competition
Many startups use cold calling to acquire their first customers. Let’s take the example of a first telephone call: unless you asked for their consent beforehand, cold calling is only allowed if the company would presumably have given its consent because the call is related to its key business. When you call, the potential customer you contact must not feel harassed in any unreasonable manner at any point in time.
Create a Privacy Notice for your Website
A website might be the only lead of your startup at the beginning, so it had better be good, and so should your privacy notice. People who go to your website have the right to know what you do with their personal data. This information needs to be only one click away.
Collect consent for Cookies and Plugins
There are three simple rules you need to follow regarding cookies and any other similar technology that stores personal data on a user’s device:
- Tell the user the cookies are there.
- Explain what the cookies are doing and why.
- Get the user’s consent to store cookies on their device. You can make use of consent management providers like Usercentrics for an opt-in solution for your website.
Collect consent for Newsletter
Many startups decide to start a newsletter after setting up a website. Make sure to use a double-opt-in process in which the user actively agrees to her/his subscription. For instance, in the first step, the user goes to your website and subscribes. In the second step, you send the user an email to confirm her/his identity. If a user unsubscribes, make sure not to send any more emails to that person.
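One way to implement the double-opt-in and unsubscribe handling described above, as an added example that is not part of the original article. The function names, the 48-hour link lifetime and the in-memory stores are assumptions for illustration; a real service would use a database and send the token inside the confirmation email.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing key
TOKEN_TTL = 48 * 3600                 # assumption: confirmation link valid for 48 hours
pending = {}        # email -> time of step 1 (not yet a subscriber)
subscribers = {}    # email -> record of when consent was confirmed
suppressed = set()  # unsubscribed addresses: never mail these

def _sign(email, issued_at):
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def subscribe(email, now=None):
    """Step 1: record the request and return the token for the confirmation email."""
    email = email.strip().lower()
    issued_at = int(now if now is not None else time.time())
    pending[email] = issued_at
    return f"{issued_at}.{_sign(email, issued_at)}"

def confirm(email, token, now=None):
    """Step 2: the user followed the emailed link; verify it before subscribing."""
    email = email.strip().lower()
    now = int(now if now is not None else time.time())
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                  # malformed token
    if not hmac.compare_digest(sig.encode(), _sign(email, issued_at).encode()):
        return False                  # forged token or token issued for another address
    if now - issued_at > TOKEN_TTL or pending.pop(email, None) != issued_at:
        return False                  # expired, already used, or never requested
    subscribers[email] = {"confirmed_at": now}
    suppressed.discard(email)         # assumption: a fresh opt-in replaces an old unsubscribe
    return True

def unsubscribe(email):
    email = email.strip().lower()
    subscribers.pop(email, None)
    pending.pop(email, None)
    suppressed.add(email)

def may_send(email):
    """Gate every mailing on confirmed consent that has not been withdrawn."""
    email = email.strip().lower()
    return email in subscribers and email not in suppressed
```

Calling `may_send()` before every mailing means an address that only completed step 1, or that has unsubscribed, is never emailed.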
Still able to keep up? If not, it is perfectly normal. If you have any questions or you feel like you need support, you can also ask the Berlin Data Protection Supervisor for advice. You can even book consultation hours for your startup.
If you have already implemented all the things listed above, stay tuned for part 2!
Do you want to turn your idea into a business and be part of a motivated group of like-minded entrepreneurs?
Applications for the High-Tech SeedLab Batch 2021 open on October 15th 2020. If you have questions about the program or your application, please contact email@example.com.
This program is financed by the European Social Fund (ESF), as well as the State of Berlin.