Introduction
In just two months, your business will face the most extensive regulatory change in data privacy policy in the last 20 or so years. If you have employees, customers, affiliated companies or business partners in the EU, then your organisation will probably be affected by the new General Data Protection Regulation (the “GDPR”) which will enter into force on May 25, 2018. For almost all businesses this is a big deal. There Internet is overflowing of articles and blogs on this subject so unless you have been hiding somewhere remotely for the past year and a half with no Internet connection we’re pretty sure you’ve stumbled upon one or two articles on this subject before. The overflow of information about the GDPR might seem overwhelming but it is also a means to measure the importance of this subject and if you haven’t already done your research, the time is running out to do so.
Consider this blog as an introduction on the subject, from the in-house counsel perspective (or the startup’s perspective). We will follow up with additional, more specific blogs on GDPR.
-
What is GDPR?
In short, GDPR was adopted by the European Commission to give European citizens more control over their personal data. With new technologies, data had become an increasingly valuable asset, and the legislator was concerned companies would collect personal data in a careless manner, and with no good reasons for it, at the cost of people’s integrity.
GDPR regulates the processing of “personal data”, which is now broadly defined as “any information relating to an identified or identifiable natural person”. Under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. The new rules will in practice apply to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU (even via an online store).
Many rules in the GDPR follow current legislation on data privacy on national levels. In Sweden, for example, the Personal Data Act (Sw. Personuppgiftslagen) includes most of what GDPR states. Certain things are new with GDPR however. For example, the rules around individual consents become stricter, and there are restrictions regarding how long a company may hold personal data. Also, the information must be portable from one company to another and must be erased upon request. And of course, there are the fines, the terrifying fines. If the regulations aren’t met, the GDPR calls for penalties up to 20 million Euro or 4 percent of global annual turnover, whichever is higher. These fines you’ve probably heard of already: they make company boards nervous and management teams stay awake at night, but they make GDPR experts, lecturers and legal advisors sparkle with joy, since the customers’ fear of what might happen is a great tool for generating business for GDPR consultants.
-
Should I even bother?
The first question you need to ask yourself is, of course: Should I even bother? As a startup, there are a million things happening in your business at once, and you are often scarce on either manpower or money, or both. Increasing sales and developing a product that meets your customers’ pain will intuitively seem like a higher prio than making sure you are 100% compliant with a new privacy regulation.
There are two main reasons you might want to consider doing at least the bare minimum to become GDPR compliant:
- The fines – remember: 20 million Euro or 4 percent of global annual turnover, whichever is higher.
- The increased knowledge among your customers and employees – the fact that your customers and employee might start asking about your data handling. The new legislation, as well as some recent court cases, have made people increasingly aware of their right to integrity and privacy. And for some companies, being GDPR compliant on a bare minimum level might not even be enough. Instead, maybe they want to be best in class, because they believe this will position them on their market, and help them win more business.
-
What should I do first?
Now that you’ve decided that you do want to become compliant with GDPR after all, you need to decide what “level” of compliance you are aiming for. Will you be “good enough compliant” or “the poster child of GDPR”?
Next, you must do what you do in the beginning of every new project: You will involve your peers and team members and make sure they are just as excited to work with the implementation of GDPR as you are! Now, this will often be somewhat of a challenge, since people tend to think there are many things that are both more fun and more important than tracing down personal data. For this reason, make sure to have your CEO’s and board’s blessing to run this project. Because of the potential fines, this is often the case – most boards think that 20 million Euro is a decent amount of money, and that the risk of being GDPR non-compliant isn’t one worth taking.
-
What should the action plan look like?
Now, you were able to get the CEO’s blessing to run the project. What do you do?
- Identify which personal data is being collected and processed for what purpose, for how long it will be processed, and from where the information was collected (this is often called an Information Audit). This is often a time consuming step, since you need to involve many colleagues in the work – typically from HR, marketing, customer, IT and accounting.
- Review and analyze whether the personal data is being handled in accordance with GDPR (=GAP analysis). For this step, it may make sense to involve external counsel, with expertise on GDPR and privacy policy, unless you have someone in-house that can help you of course.
- Point down the actions required in order for your company to reach GDPR compliance
- Make sure you only collect and process the personal data you actually need for your business – no “good to have for a rainy day” collection of data.
- Identify the lawful bases for processing the personal data, and document it. If the lawful basis is “consent”, then make sure such consents are given in the correct format.
- Make sure you don´t save personal data any longer than necessary or required. You are not allowed to keep data “forever” or “until someone asks for it to be deleted”, if this is actually not required.
- If you process customer data: Make sure the data processing agreements you sign with your customers (“DPA”) are up to date
- Make sure you have DPA in place with your own subcontractors, which process data on your behalf.
- Adopt an integrity policy in relation to your employees, which will state how the employee´s personal data will be handled. This policy shall be incorporated in your employment agreements.
- Review your own terms of service, and make sure you make a clear distinction between your company’s role as a data controller and data processor
- Review your privacy policy on your website, to make sure it fulfils the requirements in the GDPR to explain to your visitors and customers how their personal data will be handled.
- Adopt a standard clause that you can use for contractor agreements and other supplier agreements, and where you make sure you have the right to do whatever you have to, in order to remain GDPR compliant, and where you make sure your counterparty applies the applicable rules as well.
- Make sure you have the technical ability to comply with the requirements regarding data portability (= move data from one IT environment to another in a safe and secure way, without hindrance to usability), rectifying personal data, giving personal subjects access to their personal data, and deleting personal data.
- Make sure you have the security level required.
- Make sure you know what rules that apply if you have others process any personal data on your behalf that is transferred outside the European Economic Area.
- Make sure you have effective processes to identify, report, manage and resolve any personal data breaches.
- Implement the actions required
- Assign a Data protection officer as required
- Do a training for all employees involved in personal data handling
- Tell all your customers that you’re GDPR compliant, and help them solve their own concerns (FAQ, whitepaper on website etc)
- Follow up in May 2018 that everything has been done in accordance with plan
-
Where can I get free advice?
There are numerous blogs and websites out there, that are very hands on and informative. Here are some examples:
https://www.datainspektionen.se/dataskyddsreformen/
And of course, stay tuned with our own follow up blogs on GDPR!