Since its inception in 2018, the General Data Protection Regulation (GDPR) has thrown many companies, consumers, and individuals into a bit of a confused frenzy.
It’s understandable too. Suddenly there was talk of huge fines being imposed, of non-EU companies also being affected, of what was still allowed regarding data collection and what no longer was. I can say from my own experience here in the SpinLab that getting ready for the GDPR was no simple task.
Since 2018, talk and general confusion about the GDPR has somewhat settled down, but it’s certainly still a very important topic for startups we host in our accelerator program. After all, it’s important for startups to get a grasp on this early on, as resources, time, and money are always limited.
It’s best to be proactive with anything regarding data security, especially when the longevity and survival of your startup can be directly affected by possible GDPR fines.
We’re going to do our best to break down the information in this video in a way that is easy to understand, in the principles below.
For the sake of transparency, we must emphasize that we at the SpinLab are NOT lawyers. The information presented in these guidelines is a summarized version of everything Stefan mentions in this video, and the information is valid as of October 2020. Please refer to your own legal counsel (or consider hiring CMS!) for official instruction on how to handle your company’s specific GDPR needs. The information presented here is meant to be used as guidelines to give you an idea of what to expect with the GDPR, not as concrete legal advice.
Again, GDPR stands for General Data Protection Regulation. It’s a European Regulation, and at the time of writing this article, it is the toughest privacy law in the world.
From a marketing perspective, the GDPR is a good thing. I am going to say it again, the GDPR is a GOOD THING for marketers!
Why? Because gone are the days of receiving random irrelevant spam email offers. Companies are now forced to target specific buyer personas, obtain permission, and only communicate with people who want to receive that communication.
That sounds harsh, but believe me, in the end this is much more effective for companies and consumers alike.
If you are a company based in the EU, you are automatically bound to the regulations of the GDPR.
Furthermore, even non-EU-based companies are subject to the regulations of the GDPR, if you sell to people in the European Union!
This is something that should not be overlooked by startups! If you have a SaaS company that is, for example, founded in Singapore by people from Singapore and sells primarily to people in APAC, the INSTANT you take on a lead from an EU country, your company is subject to GDPR regulations!
Startups MUST keep this scenario at the forefront when rolling out their go-to-market strategies.
Companies found guilty of being in violation of GDPR laws can be fined one of two amounts (whichever is greater):
Those figures are no joke. I don’t know about your startup, but I can’t think of a single startup in our portfolio that could suddenly afford to take a 20 Million Euro fine. That’s game over man.
The basis of the GDPR is rooted in the belief that privacy is a fundamental right of the individual. The official definition of what is considered personal information is: anything that can directly OR indirectly identify an individual.
Our practical definition to stay safe is: assume every bit of information you want to collect from people is considered personal information in the eyes of the GDPR.
Personal information, according to the GDPR, can be, but is certainly not limited to, things such as: name, email, cookies, ethnicity, political affiliation, religion, IP address, and so on.
When you’re reading through various GDPR privacy policies, you’re likely going to run into these two terms, which are the two key bases of data protection:
Ok, now that the basics are out of the way, let’s dive into some specific principles that you can use to evaluate the current status of your own startup’s GDPR compliance.
If you understand these principles, you can actually deal with every single data problem you could encounter, or at the very least, you’ll be able to identify that you have a data issue.
All data that is being processed must have a legal basis. Simply put, that means you need to have a valid reason to collect the data in the first place. Furthermore, the people you’re collecting data from need to be informed of everything that is being collected and why.
This is why it is imperative to have a privacy policy on your website that informs the individuals about what you are collecting and why.
For the examples in the rest of this article, we’re going to use a made-up company: Techno Heaters.
Let’s say I am the CEO of Techno Heaters and I decide that I need a full-time marketing manager. Naturally, in 2020, it’s common practice to promote open job positions online, so I create a job application form for the marketing manager position on my website.
That is our legal basis: the application process for a job offer. As a company, I now have the legal basis to execute related tasks such as processing job applications and preparing employment contracts.
Transparency here should be satisfied by having a privacy policy link on the job application page that clearly states what information we are collecting, how we are collecting it, and why.
This simply means you have a legitimate reason for collecting data.
For Techno Heaters, the fact that I need a new marketing manager and am seeking job applications online is my legitimate purpose for collecting data.
In many cases, your legal basis and your purpose limitation should correspond.
This principle means you should only be collecting data that is relevant for the current purpose.
I’m still on the hunt for my marketing manager for Techno Heaters. As this is a job offer, it makes sense that I need to collect information such as:
It makes absolutely no sense to collect data such as:
The information in the second list is completely irrelevant to the candidate’s capacity to perform in the role of a marketing manager for a startup, so collecting it does not satisfy the principle of data minimization.
The personal data from individuals you collect must always be kept accurate and up to date. This applies for as long as you have the information stored.
I’ve finally made a decision to hire Nancy Johnson as my marketing manager for Techno Heaters.
Within her first six months of working at Techno Heaters, she gets married and decides to take the last name of her new husband, which is Samuels.
It is now my responsibility to update all of her records that I have on file to now be Nancy Samuels, as she is no longer Nancy Johnson.
Data should only be stored for as long as it serves its purpose. Once that purpose has been served, you, as the data controller, no longer have a legal right to keep that information stored.
Nancy Johnson is now the happy marketing manager at Techno Heaters. But she wasn’t the only applicant: I received 100 applications in total for the position, and only Nancy was hired for the job.
That means I have to notify the other 99 applicants, thank them for their time and their applications, and let them know that the position has been filled and is no longer available.
Once that email has been sent to the other 99 applicants, I no longer have a valid reason for keeping their data in any of my records. The data has served its purpose, and it’s now my responsibility to delete all of that information.
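The Techno Heaters hiring story above maps directly onto a small retention routine. The following is an added example, not code from the original article or from SpinLab: it ties every applicant record to the purpose it was collected for, records when the rejection notice went out, and purges everything whose purpose has been served. The company name, the applicant data and the `ApplicantStore` API are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class ApplicantRecord:
    """Personal data collected for one purpose: the job application."""
    applicant_id: str
    name: str
    email: str
    purpose: str                      # the legal basis this data was collected under
    hired: bool = False
    notified_on: Optional[date] = None  # set once the rejection notice has been sent


class ApplicantStore:
    """Constructed in-memory store that enforces the storage-limitation principle."""

    def __init__(self) -> None:
        self._records: Dict[str, ApplicantRecord] = {}

    def add(self, record: ApplicantRecord) -> None:
        self._records[record.applicant_id] = record

    def count(self) -> int:
        return len(self._records)

    def close_position(self, hired_id: str, today: date) -> List[str]:
        """Mark the hired applicant and record that the others were notified.

        Returns the e-mail addresses that need the 'position filled' notice,
        so the caller can actually send it before anything is deleted.
        """
        to_notify: List[str] = []
        for rec in self._records.values():
            if rec.applicant_id == hired_id:
                rec.hired = True          # purpose continues: employment contract
            else:
                rec.notified_on = today   # purpose served once the notice is out
                to_notify.append(rec.email)
        return to_notify

    def purge_served_purpose(self, today: date, grace_days: int = 0) -> int:
        """Delete records whose purpose has been served.

        A non-hired applicant who was notified at least `grace_days` ago has
        no remaining purpose, so the controller no longer has a right to keep
        the data. Returns the number of records deleted.
        """
        cutoff = today - timedelta(days=grace_days)
        to_delete = [
            rec.applicant_id
            for rec in self._records.values()
            if not rec.hired and rec.notified_on is not None and rec.notified_on <= cutoff
        ]
        for applicant_id in to_delete:
            del self._records[applicant_id]
        return len(to_delete)

    def remaining_ids(self) -> List[str]:
        return sorted(self._records)


def run_hiring_round(today: date) -> ApplicantStore:
    """Constructed walk-through: 100 applications, one hire, 99 purged."""
    store = ApplicantStore()
    for i in range(1, 101):
        store.add(ApplicantRecord(
            applicant_id=f"app-{i:03d}",
            name=f"Applicant {i}",                  # constructed sample data
            email=f"applicant{i}@example.com",      # constructed sample data
            purpose="job application: marketing manager",
        ))
    notices = store.close_position("app-042", today)  # app-042 stands in for Nancy
    assert len(notices) == 99
    store.purge_served_purpose(today)
    return store


if __name__ == "__main__":
    store = run_hiring_round(date(2020, 10, 1))
    print(store.remaining_ids())  # only the hired applicant's record is left
```

The `grace_days` parameter is there for the case where the purpose is not served the same day the notice goes out (for example, a short period in which rejected candidates may still ask questions); the default of zero matches the article's scenario, where deletion follows the notification directly.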
Simply put, it’s your responsibility to make sure the data you’re collecting stays secure.
This means implementing technical measures in your systems, like end-to-end encryption on your site, two-factor authentication for user logins, firewalls, and so on.
Furthermore, this involves developing an internal structure that defines who can have access to what within your own organization. It’s very unlikely that everyone in your company is going to need access to all the data you collect.
As the data controller, it is your responsibility to be able to demonstrate that the company is operating in accordance with all of these principles. Simply put, that means you need to have everything documented.
Have evidence for EVERYTHING.
Should misfortune befall you, and should you find yourself before a European court facing charges of being in violation of the GDPR, evidence in the form of proper documentation may be the only thing that stands between you and a 20 million euro fine.
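The two principles above, restricting who inside the company can see which personal data and being able to prove it afterwards, can be enforced in one place. The following added example (not from the original article or from SpinLab) keeps a per-role list of permitted fields, refuses any read outside it, and appends every attempt, granted or denied, to an append-only audit log that can be exported as evidence. The role names, the field names and the `PersonalDataVault` API are assumptions made for the illustration.

```python
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Constructed policy: which internal role may read which fields of a record.
# Empty set == no access to personal data at all.
ACCESS_POLICY: Dict[str, Set[str]] = {
    "hiring_manager": {"name", "email", "cv"},
    "payroll": {"name", "bank_account"},
    "marketing": set(),
}


class AccessDenied(PermissionError):
    """Raised when a role asks for fields outside its permitted set."""


class PersonalDataVault:
    """Constructed store that applies least-privilege reads and logs every access."""

    def __init__(self, policy: Dict[str, Set[str]]) -> None:
        self._policy = policy
        self._records: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[Dict[str, object]] = []   # append-only evidence trail

    def store(self, subject_id: str, record: Dict[str, str]) -> None:
        self._records[subject_id] = dict(record)

    def read(self, actor: str, role: str, subject_id: str,
             fields: Iterable[str]) -> Dict[str, str]:
        """Return only the requested fields, and only if the role may see them.

        The audit entry is written before the decision is returned, so a
        denied attempt is recorded just as faithfully as a granted one.
        """
        requested = set(fields)
        allowed = self._policy.get(role, set())
        denied = sorted(requested - allowed)
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "subject": subject_id,
            "fields": sorted(requested),
            "outcome": "denied" if denied else "granted",
        }
        self.audit_log.append(entry)
        if denied:
            raise AccessDenied(f"role {role!r} may not read {denied}")
        record = self._records[subject_id]
        return {f: record[f] for f in requested}

    def export_audit_log(self) -> str:
        """One JSON object per line, suitable for archiving as evidence."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


def demo() -> PersonalDataVault:
    """Constructed walk-through with one employee record."""
    vault = PersonalDataVault(ACCESS_POLICY)
    vault.store("emp-001", {                       # constructed sample data
        "name": "Nancy Samuels",
        "email": "nancy@example.com",
        "cv": "cv-emp-001.pdf",
        "bank_account": "DE00 0000 0000 0000 0000 00",
    })
    vault.read("alice", "hiring_manager", "emp-001", ["name", "cv"])
    try:
        vault.read("bob", "payroll", "emp-001", ["cv"])   # outside payroll's scope
    except AccessDenied:
        pass
    return vault


if __name__ == "__main__":
    print(demo().export_audit_log())
```

Two design points matter here: the policy is data, not code, so it can be reviewed and versioned like any other document; and the log entry is appended before the access decision is acted on, so the evidence trail cannot be skipped by an exception on the denial path.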
As I mentioned earlier on, GDPR is a good thing. It’s making companies more accountable, and it’s making marketing better for consumers in all industries.
If you follow the steps in this guide, and hire a reputable legal expert to help you on your startup’s GDPR journey, the GDPR should pose no problems to your operations.