Rockstart Law School. GDPR: What is changing and what do you need to change?
Setting up and running a startup requires knowledge of the industry that you are in. It also requires knowledge about finance, marketing, customer service, management, and legal matters. There is no way of knowing everything you need to know, which is why the network that supports you becomes a valuable tool and asset.
Rockstart Law School is a combination of blog posts by outside contributors and vlog posts by Rockstart’s very own legal counsels Els Metten and Lisette Schuilwerve. They will show the roadmap to the legal side of starting and running a startup company. Rockstart Law School focuses on the Dutch law system. It is meant as a resource that offers lessons learned and suggestions, not as a replacement for legal advice. Always consult your lawyer, but we hope this series of posts will give you a greater understanding of the legal needs and points of attention that you may encounter during your startup journey.
The General Data Protection Regulation (GDPR) is a new pan-European privacy law. From May 25, 2018, your organization must comply with this strict new law. So what is changing? And what do you need to change?
1. YOUR ACTIVITIES ARE MUCH MORE LIKELY TO BE COVERED BY EU PRIVACY LEGISLATION
If your organization processes personal data of a person who is in the EU, you must comply with the GDPR. It does not matter if your organization is not established in the EU or if the processing does not take place within the EU. And if there was any doubt before: the definition of personal data now explicitly includes online identifiers, such as IP and MAC addresses or a cookie-ID.
2. YOUR PRIVACY STATEMENT MUST BE EVEN MORE TRANSPARENT
You must explain clearly and fully, using plain language, how you use personal data and why. Furthermore, you must advise people of their rights, such as the right to view their data, to amend or erase it if there are clear mistakes, to object to excessive processing, and to take their data to another service provider. If you create interest profiles, you must be able to destroy them upon request. Finally, you should not forget to explicitly advise people of their right to file a complaint with the supervisory authority, as this is now required by law.
You need to document how personal data is handled and secured within your organization.
Raising awareness of this policy among employees is key. Periodic training will also be required.
4. YOU MUST KEEP RECORDS OF ALL PERSONAL DATA PROCESSING ACTIVITIES
The records must include, among other things, a description of the personal data processed, the purpose of processing them, and how they are protected. This obligation applies to organizations with more than 250 employees, but also to organizations with fewer than 250 employees provided they process personal data on a regular basis or they process special categories of personal data.
5. YOU MUST DOCUMENT ALL DATA BREACHES INTERNALLY
Under current privacy legislation, you are required to document only those data breaches that you are obliged to report to the supervisory authority. The GDPR makes it compulsory to document all data breaches internally, even those which you are not required to report. If you process personal data on a client’s behalf, the GDPR also imposes a legal obligation to report all data breaches that occur during such activities to the client, so that they can notify the supervisory authority.
6. YOU NEED TO KNOW WHERE YOUR PERSONAL DATA IS STORED, AND MAY NEED EXTRA SAFEGUARDS
If you store personal data with a third party abroad, you must check whether the data is stored within or outside of the EU. The latter is only permitted if the third party meets strict legal requirements, e.g. the country in question has been certified by the European Commission. With regard to third parties in the United States, the so-called Privacy Shield offers the necessary safeguards. However, please note that customers may demand that their data simply does not leave the EU at all.
7. YOUR DATA PROCESSING AGREEMENTS WITH SUPPLIERS AND CUSTOMERS MUST BE REVISED
The GDPR contains more specific requirements for data processing agreements, which must be concluded if you process personal data on behalf of another organization, or if another organization processes personal data on your behalf. For example, if you process personal data on behalf of another organization, you need permission before subcontracting any processing operation.
8. YOU MUST CARRY OUT A THOROUGH PRIVACY IMPACT ASSESSMENT (PIA) FOR RISKY ACTIVITIES
A PIA is an extensive assessment intended to identify privacy risks, and to eliminate such risks as much as possible so that privacy is not put in jeopardy beyond what is strictly necessary and proportionate. You may not carry out a processing activity which poses a risk to privacy until after the PIA has been conducted and its outcomes have been implemented.
9. YOU MUST BETTER MINIMISE THE PERSONAL DATA YOU PROCESS AND STORE
Even though current privacy legislation already requires data minimization, you may be keeping data longer than necessary, ‘because you never know’. Under the GDPR you must take active steps to erase information as soon as it has lost its relevance. You must also put in place policies for the assessment of the relevance of information and its erasure in case of irrelevance.
10. YOU MUST IMPLEMENT ‘PRIVACY BY DESIGN’ AND ‘PRIVACY BY DEFAULT’
This means that privacy considerations must be identified and incorporated at every step in the development process. In addition, the default settings of any new service must be as privacy-friendly as possible.
11. YOU MAY BE ASKED TO STOP PROFILING, OR EXPLAIN EXACTLY WHAT YOU ARE DOING
If you create interest profiles or risk analyses for your clients, visitors, etc., you must be able to explain to them, at their request, how you do this and why. This also applies to activities which may seem trivial or highly ordinary, such as cookies for personalized advertising.
12. YOUR SECURITY MEASURES MUST BE FIT FOR PURPOSE, BOTH NOW AND IN THE FUTURE
The security of personal data is crucial. In this day and age, if you don’t restrict access to only those users with a need-to-know, using strong (multi-factor) authentication and encryption, if you don’t use TLS, firewalls, anti-virus software, or if you don’t patch your software and systems in time, you are at serious risk. You are also at risk if you do not regularly evaluate and update your security measures.
13. YOU MUST BE ABLE TO HANDLE REQUESTS FROM PERSONS ABOUT THEIR PERSONAL DATA
The GDPR provides more rights to individuals to access, correct or erase their data, or take their data with them to another provider. Under normal circumstances, any request from a person regarding their personal data should be handled within one month. Is your helpdesk up to speed?
14. YOU MAY NEED TO APPOINT A DATA PROTECTION OFFICER (DPO)
A data protection officer is an independent person who advises and reports on GDPR compliance. Appointing a DPO is compulsory if you process more sensitive personal data (such as medical records) on a large scale, or if you are engaged in regular and systemic monitoring of people’s activities on a large scale. The DPO can be appointed either internally or externally, for example by engaging one of Legal ICT’s (virtual) privacy officers.
15. YOU MAY NEED TO OFFER ‘DATA PORTABILITY’
If you offer an online service that allows people to store their personal information, they must be able to export all their information in a commonly used digital format for transfer to another organization. This might involve downloading photos, social media posts or forum contributions.
16. YOU MAY NEED TO PAY SPECIAL ATTENTION TO BIOMETRIC DATA
Does your organization make use of fingerprints or other biometrics, e.g. for access control? Then you need to comply with the GDPR’s strict protection regime for biometric data.
17. YOU NEED TO COMPLY, TO AVOID FINES WHICH ARE DRASTICALLY HIGHER
Under the GDPR, the supervisory authorities may issue penalties of up to the higher of 20 million euro or 4% of global turnover. Privacy now really requires boardroom attention.
This post first appeared at the website of our friends at Legal ICT.