Making Your Company GDPR Ready
On the road to enhanced user privacy, a new EU regulation set to take effect in May requires companies to do some heavy lifting.
The EU General Data Protection Regulation (or GDPR for short) will take effect on May 25, 2018. It is a regulation not to be casually dismissed, as the financial liability for non-compliance is up to 20 million euro or 4% of the organization's global annual turnover, whichever is higher.
Essentially, the GDPR turns what should theoretically already be an official standard into a legal requirement that is consistent across countries. It ensures that companies collecting data about EU citizens protect that data adequately, and that EU citizens have "digital rights" over it: they can know what data is kept about them and access it (right of access), consent to what the data is used for, move that data to another company (data portability), and tell a company to delete all data about them (right to erasure), while resting assured that the company is protecting their privacy adequately and will alert them immediately of any data breach.
GDPR applies to any EU-based organization, regardless of where its servers are. Consumer-facing companies are more immediately affected, but B2B companies may also be affected, as they may hold and process data on EU citizens that is provided to them by consumer-facing companies.
Personal data under GDPR is not limited to email addresses, home addresses and credit card details; it also includes IP addresses, advertising IDs and other online identifiers, and location data. In fact, merely processing such data, without directly collecting it, places a company under GDPR compliance requirements.
GDPR differs from data protection and privacy laws in the U.S., where legislation is more closely tied to specific verticals such as healthcare and financial services. Laws in the U.S. also differ by state. Aspects such as international data export are not covered by U.S. laws, and data retention guidelines also vary. Nevertheless, the looming introduction of GDPR seems to have already made a global impact on privacy regulation, and it is fair to assume that countries outside the EU will revisit their laws in light of it.
If GDPR applies to your startup, it can have implications on multiple levels, including technical, legal, and organizational processes (both internal and inter-organizational).
The following steps can help companies become GDPR ready.
1. Security, encryption, and breach notifications. Proper security measures must be in place to demonstrate that you protect personal data. These might include the use of encryption, an adequate data security architecture that creates separation between certain databases, and access control management. Adequate physical security measures also need to be in place to prevent unauthorized access to systems and machines. Companies will now also be required by law to notify authorities and users of a data breach within 72 hours.
2. Letting users know how their data is used. Under GDPR it is not possible to collect vast amounts of data about your users and decide later how you are going to use it and for what purpose without first making this clear to your users. You need to define, and inform your users when they sign up for your service, how you are going to use their data. If you are going to use it for marketing, for example, or share it with any third party, you must obtain explicit consent for this. To be able to delete user data upon request, companies will need to re-plan their data mapping.
3. Nominating Data Privacy Officers (DPOs). Companies are required to appoint a person who will be responsible for staying "on top" of the GDPR compliance efforts and serving as the point of contact for any outside entity that wishes to assess their GDPR compliance level. This person should probably report to the CEO and have adequate authority in the company, since these efforts will require company-wide cooperation across legal, product, marketing, and research and development.
4. Adopting a "Privacy First" mindset. When designing new products, companies need to adopt a "Privacy First" philosophy in order to comply with GDPR from the get-go. According to an EY survey, the most difficult aspects of GDPR for companies to achieve are enabling the right to be forgotten, data portability, and explicit consent requirements.
5. Consulting with professionals. Companies might want to consider engaging a third party: a professional service provider with expertise in GDPR readiness that works with technology companies.
6. Preparing for GDPR audits. Companies need to be prepared for GDPR audits. This means having data and privacy operations logged, documented, and ready to be presented. This may also include security and access logs, security playbooks, and details on what training was provided to employees and when.
Ran Levitzky is a principal at Israel-based venture firm Viola Ventures.