Young entrepreneurs tend to put data protection aside because it seems like somewhat of a nuisance. But the truth is: implementing data protection measures right at the early stage of your startup will be beneficial in the long run. Don’t do it like Delivery Hero, which received one of the highest GDPR fines ever imposed in Germany, amounting to €195,000.
To help you find your way through the jungle of data protection and GDPR, we listed a few key things you should be aware of. This is by no means a comprehensive list of legal advice, but rather a useful guide to kickstart your mission of being GDPR compliant.
In short, the GDPR applies when you process personal data. But what does that actually mean? Let’s start with some basic definitions:
What is personal data?
Personal data refers to any information relating to a natural person which can be used to:
a) directly identify the individual or
b) indirectly identify an individual through combination with other data. You are not expected to go above and beyond to test whether a combination would actually reveal an identity; rather, consider all the means that are reasonably likely to do so. The time, cost, effort and technology required should be reasonable.
Examples of personal data: name, ID, location data, phone number, social security number, tax data, cookies, IP address, biometric data, and also pseudonymised or encrypted data.
What does ‘processing personal data’ mean?
‘Processing’ personal data refers to an
a) automated (electronic) operation performed on personal data or
b) non-automated (non-electronic) operation performed on personal data stored in a filing system. For the GDPR to apply, the data in this filing system (e.g. employee records) must be sorted according to 2-3 criteria (e.g. alphabetical order alone is not enough).
Examples of processing operations: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure, dissemination, alignment or combination, restriction or erasure.
Under which legal basis can you process personal data?
1. Vital interest: To protect someone’s life.
2. Public task: To perform a task in the public interest.
3. Contract: Because the processing is necessary for a contract you have with the individual.
4. Legal obligation: Because the processing is necessary for compliance with a legal obligation.
5. Legitimate interest: Because of the legitimate interest of the data controller (the most flexible lawful basis).
If you want to dive deeper, the Information Commissioner’s Office provides a comprehensive guide to the GDPR where you can easily search through definitions at a glance.
Now let’s have a look at more hands-on recommendations on what to look out for:
Be aware of the principle ‘Privacy by Design and by Default’
If you are developing a technical prototype that processes personal data, I promise it is worthwhile thinking about data protection now. According to the basic principle ‘Privacy by Design and by Default’, the product must be designed in a way that data protection is already implemented in the default settings. We dedicated an extra blog article to this important principle.
Create a Privacy Policy for your Website
At the beginning, a website might be the only lead people have to your startup, so it had better be good. So should your privacy notice. People who visit your website have the right to know what you do with their personal data.
Writing a privacy policy doesn’t have to be a daunting process. We dedicated an article to this providing 14 easy steps for writing any kind of privacy policy. Check it out.
Collect consent for Cookies
Although cookies are already covered in the previously mentioned privacy policy, it’s worth highlighting a few basic requirements. There are three simple rules you need to follow regarding cookies and any other similar technology that stores personal data on your user’s device:
- Tell the user the cookies are there.
- Explain what the cookies are doing and why.
- Get the user’s consent before storing cookies on their device.
You can make use of consent management providers like usercentrics for an opt-in solution (cookies banner) for your website.
Take note that you don’t have to collect consent for functional cookies that are strictly necessary for the technical operation of your website, but only for advertising and/or conversion cookies.
Collect consent for Newsletter
Many startups decide to start a newsletter after setting up a website. Make sure to also use a double-opt-in process in which the user actively agrees to the subscription. For instance, in the first step, the user goes to your website and subscribes. In the second step, you send the user an email to confirm her/his identity; only after the user confirms is the address added to the mailing list. If a user unsubscribes, make sure not to send any more emails to that person.
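A minimal implementation of the double-opt-in flow described above, added here as an example (it is not code from the original post or from any particular newsletter provider); the confirmation URL, the 48-hour token lifetime and the in-memory stores are assumptions:

```python
import secrets
import time

TOKEN_TTL = 48 * 3600  # assumed: confirmation links expire after 48 hours


class Newsletter:
    """Double opt-in: an address receives issues only after its owner confirmed it."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # confirmation token -> (email, issued_at)
        self.confirmed = set()    # addresses that completed step 2
        self.suppressed = set()   # unsubscribed addresses: never emailed again
        self.outbox = []          # (recipient, message) pairs "sent" by this demo

    def subscribe(self, email):
        """Step 1: user enters an address on the website; only a confirmation mail goes out."""
        email = email.strip().lower()
        if email in self.suppressed or email in self.confirmed:
            return None           # no mail to unsubscribed users; nothing to do for active ones
        token = secrets.token_urlsafe(32)     # unguessable, single-use
        self.pending[token] = (email, self.now())
        self.outbox.append((email, f"Confirm your subscription: https://example.com/confirm?t={token}"))
        return token

    def confirm(self, token):
        """Step 2: following the link proves control of the mailbox."""
        entry = self.pending.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, issued = entry
        if self.now() - issued > TOKEN_TTL:
            return False          # stale link: the user has to subscribe again
        self.confirmed.add(email)
        return True

    def unsubscribe(self, email):
        """Honour an opt-out immediately and remember it."""
        email = email.strip().lower()
        self.confirmed.discard(email)
        self.suppressed.add(email)

    def send_issue(self, body):
        """Send only to confirmed, non-suppressed addresses; returns the recipient list."""
        recipients = sorted(self.confirmed - self.suppressed)
        for recipient in recipients:
            self.outbox.append((recipient, body))
        return recipients
```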
Still able to keep up? If not, that is perfectly normal. If you have any questions or feel like you need support, you can also ask the Berlin Data Protection Supervisor for advice. You can even book consultation hours for your startup.
If you have already implemented all the things listed above, stay tuned for part 2!
Do you want to turn your idea into a business and be part of a motivated group of like-minded entrepreneurs?
Applications for the High-Tech SeedLab Batch 2021 open on October 15th 2020. If you have questions about the program or your application, please contact [email protected].
This program is financed by the European Social Fund (ESF), as well as the State of Berlin.