In part 1 of this blog series I shared a few key things that startups should be aware of when it comes to data protection. We covered cold calling, the privacy notice and cookies amongst others.
Next let’s have a look at further aspects such as documentation that you should start thinking about. This is by no means a comprehensive list of legal advice but rather a guide to help kickstart your mission of being GDPR compliant.
Document your processing activities
Once your startup starts growing, more of its processes will be subject to data protection. To keep an overview and comply with the GDPR's provisions on documentation, these are best practices you can follow:
- Do regular audits to keep track of what, where, why and how your company processes personal data. Distribute questionnaires and talk to the staff if necessary to get a complete picture.
- Use the information from your audits to create and maintain a Record of Processing Activities. Whatever tool you use to set up this collection of records (Excel or anything else), it has to be presented in a granular and meaningful way. Start with the broadest information and gradually narrow down the scope. As a reference, take a look at this template and check Article 30 of the GDPR, which lists the things you need to include in the record.
- In these records, pay special attention to documenting the appropriate technical and organisational measures you take to ensure data security. Common measures are pseudonymization and encryption of data (e.g. ‘AnonymizeIP’ in Google Analytics).
- Your startup probably has fewer than 250 employees. This means that you only need to document processing activities that you carry out on a regular basis, not those you do only occasionally.
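As an added illustration of the pseudonymization measure mentioned above (example code written for this post, not taken from the original or from Google): the first function masks an IP address the way Google Analytics’ IP anonymization is documented to (last octet of IPv4, last 80 bits of IPv6 set to zero), and the second replaces a direct identifier with a keyed hash whose key is kept apart from the records. The sample event, the key and the field names are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress

# Mask an IP address as Google Analytics' IP anonymization is documented to:
# the last octet of an IPv4 address and the last 80 bits of an IPv6 address
# are set to zero, so the stored value no longer points at a single host.
def anonymize_ip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        masked = int(addr) & ~0xFF                # clear the last 8 bits
    else:
        masked = int(addr) & ~((1 << 80) - 1)     # clear the last 80 bits
    # Rebuild with the same address class so a masked IPv6 stays IPv6.
    return str(type(addr)(masked))

# Pseudonymize a direct identifier with an HMAC. Because the key is held
# separately from the records, the value cannot be reproduced or reversed
# by someone who only holds the records (pseudonymization, GDPR Art. 4(5)).
def pseudonymize(value: str, key: bytes) -> str:
    normalized = value.strip().lower().encode()   # same person -> same token
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()

# Constructed sample analytics event and key (not real user data; in
# practice the key lives in a secrets store, not in the code).
SAMPLE_EVENT = {
    "user_email": "Alice@Example.com",
    "client_ip": "203.0.113.77",
    "page": "/pricing",
}
SAMPLE_KEY = b"constructed-demo-key-keep-in-a-secrets-store"

def minimize_event(event: dict, key: bytes) -> dict:
    """Return a copy of the event with its personal data fields reduced."""
    return {
        "user_ref": pseudonymize(event["user_email"], key),
        "client_ip": anonymize_ip(event["client_ip"]),
        "page": event["page"],
    }

if __name__ == "__main__":
    print(minimize_event(SAMPLE_EVENT, SAMPLE_KEY))
```

Which fields you reduce, and where the HMAC key is kept, are themselves technical and organisational measures worth noting in the record.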
Set up Data Processing Agreements (DPA)
If your startup passes on personal data to a third party to process the data for you, they are the ‘data processor’ and you are the ‘data controller’. The latter is the main decision-maker, defining the ‘why’ and the ‘how’, whereas the processor acts on behalf of the controller. For example, say you want to improve your website and start using a tracking tool like Google Analytics. In this case, you would be the data controller who provides instructions and the necessary data to Google Analytics, the data processor, in order for them to deliver analytics.
In such a case, you need to set up a contract called a ‘Data Processing Agreement’ (DPA) to define each party’s responsibilities and liabilities. See here for more information on the DPA with Google Analytics, following the example above. Article 28 (3) of the GDPR states what this contract has to include, for instance the duration, type and purpose of the processing. There are also many templates out there, such as this one by bitkom, which you can use as inspiration. Don’t forget to include these processing activities in your record (see above).
Set up a Joint Controllership Agreement (JCA)
When two or more ‘data controllers’ are involved, this is called a ‘Joint Controllership’. For example, if two HealthTech startups come together to conduct a study, they would both be joint controllers: employees from both startups would decide on the study’s scope and approach, and have access to patient data.
In this case, set out an agreement (no contract necessary) to make clear which party is responsible for what and under which scope. It would be enough to include it in your terms and conditions, policies or privacy statements.
Does your startup need a Data Protection Officer (DPO)?
Your company needs a DPO once a minimum of 20 people work on operations that process personal data. If you process any sensitive personal data, you are obliged to appoint a DPO no matter how many people are involved. For instance, HealthTech and FinTech startups are strongly advised to get a DPO. If any patient data or bank account details get stolen or lost, it is useful to have someone on your side who is familiar with the process of reporting the data breach to the national data protection authority (DPA).
Still able to keep up? If not, that is perfectly normal. If you have any questions or feel that you need support, you can also ask the Berlin Data Protection Supervisor for advice. You can even book consultation hours for your startup.
Do you want to turn your idea into a business and be part of a motivated group of like-minded entrepreneurs?
Applications for the High-Tech SeedLab Batch 2021 open on October 15th 2020. If you have questions about the program or your application, please contact firstname.lastname@example.org.
This program is financed by the European Social Fund (ESF), as well as the State of Berlin.