8 steps to comply with GDPR

Should startups adhere to GDPR?

Absolutely. GDPR applies to any organization, wherever it is based, that collects, processes, or stores personal data of individuals in the European Union. It binds processors (for example a SaaS vendor handling your customer data) as well as the controller that decides why and how the data is used, so a startup cannot shift the obligation onto its suppliers.

GDPR compliance for startups or small businesses may look challenging at first, but we are here for you. Here are practical and actionable steps for GDPR compliance.

1. Data Inventory

The very first step for any company is to inventory the infrastructure: every platform, service, piece of software, and endpoint, to find the personal and sensitive data that has already been collected. The company should know which types of personal and sensitive data are in use, where each is stored, whose data it is, and whether there is a legal basis (consent or another Article 6 basis) for the purpose it was collected for. The result is a data map that also outlines the privacy processes around the data and any violations or likely threats. Every item of personal or sensitive data, and every use of it, must be matched to a legal basis; data for which none can be found is the first candidate for deletion.

Conducting a data inventory is a crucial first step toward achieving GDPR compliance. This process will help you determine how your data is stored, shared, and secured, as well as identify who is responsible for it and who has access to it, both internally and externally. By doing so, you can ensure that your organization is equipped with the necessary knowledge to take further steps towards GDPR compliance.

2. Data Expiration

Under the storage limitation principle, personal and sensitive data must be deleted or anonymised as soon as it is no longer needed for the purposes for which it was collected. Map each data type to the retention period stated in your privacy policy or notice, so that the data is processed accordingly and only for that period. Once the period expires, every instance of the data should be deleted or anonymised immediately: check your entire infrastructure, on-premise, hybrid and cloud, plus any third-party software, and do not forget backups, replicas and log archives, which hold copies of the same data.

3. Consent and Privacy Policy

Consent is one of the legal bases for processing a data subject's personal data. Under GDPR it must be freely given, specific, informed and unambiguous: a clear statement or affirmative action by the user, not a pre-ticked box or silence. The request must state which data will be collected, how, and for which purposes, and the data subject (user) must be able to withdraw consent at any time, as easily as it was given.

Create or update your privacy policy and make your data collection and processing transparent. 

Your privacy policy should specify the types of data you collect, what you use it for, the legal basis for processing it, how long you store it, your cookie usage, whether you transfer the data outside the EU, and whether you share it with third parties or plug-ins.

Under GDPR, cookie identifiers are online identifiers, so cookies can be personal data when they can be linked to an individual, on their own or combined with other data. The user must have a real choice, so that the consent given is clear and specific; the requirement to obtain consent before setting non-essential cookies comes from the ePrivacy Directive, while GDPR defines what valid consent is.

The standard practice is a cookie banner or pop-up shown when a user visits the website, letting them accept or decline non-essential cookies. Declining must be as easy as accepting, and non-essential cookies must not be set until the user has consented.

4. Data Access and Data Subject Access Request (DSAR)

Data Subject Access Requests (DSARs) play a key role in GDPR compliance. Requests are often received by post or e-mail, but a form can be integrated into your website or customer portal so that each request is logged and the one-month response deadline (extendable by two further months for complex requests) is tracked from the day it arrives. To answer a DSAR completely you need the data map from step 1: the request covers every copy of the person's data, not just the primary database.

Under GDPR, users also have the right to receive their data and keep it for their own use, or move it to another provider, i.e. data portability. Businesses that collect data should let the user download or transfer it in a structured, commonly used, machine-readable format such as JSON or CSV.

5. Privacy Processes and Transfers 

Under the data minimisation principle, only data that is "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" may be collected and processed. With the data inventory map and the consent and expiration policies in place, it should now be clear which data must be deleted or anonymised immediately. Next, the company should examine in depth the processes by which data is collected, stored and transferred. It is not enough to delete data on time; each data source and the reason for collecting from it must be identified, and collection that serves no documented purpose stopped.

When personal data is transferred from user to user or from system to system, those processes must adhere to GDPR principles as well. The simplest position for a startup is to keep the data inside the EU/EEA; a transfer outside it is allowed only under a Chapter V safeguard, such as an adequacy decision for the destination country or standard contractual clauses with the recipient.

6. Secure Storage

Under GDPR, personal data should either be stored in the EU/EEA or be protected, wherever it is stored, by a valid transfer mechanism and a data processing agreement that holds the provider to European privacy law. Your business can use secure storage, platforms and cloud-based services, but both the contract and the configuration matter.

Large cloud vendors offer EU regions and a standard data processing agreement (Article 28), which makes compliance achievable but not automatic: you must select EU regions for storage and backups, sign the DPA, and check whether replication, support access or analytics features move data outside the EU. With other SaaS vendors, confirm in the same way that they meet the data residency and transfer requirements of GDPR before sending them personal data.

7. Awareness and Training 

For all of the above, people are crucially important. Even automated processes need a defined level of oversight from responsible employees. It is the company's responsibility to streamline its data privacy processes, document them, and educate and train staff on them. These processes should be reviewed and updated regularly.

8. Data Breaches

Implementing all the principles above (data inventory, data limitation and consent, data minimisation and expiration) reduces the amount of data your company collects, processes and stores. With less data to steal, the likelihood and impact of theft or a data breach decrease as well.

To reduce the risk and impact of a data breach, additional measures are needed:

  • anonymisation or pseudonymisation of stored data, together with encryption of data at rest and in transit (Article 32 names pseudonymisation and encryption side by side)
  • deletion of data that has passed its retention period, so it cannot be exposed
  • regular vulnerability scans of systems, devices and networks to identify potential security gaps
  • internal processes and guidelines for breach reporting, so that everyone knows what to do when a breach happens. A company has to notify the data protection authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the individuals concerned; if the risk to them is high, the affected individuals must also be informed without undue delay. Prepare the template for that customer statement in advance, because 72 hours is little time to write it from scratch.
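The retention sweep described under step 2 and the pseudonymisation listed in step 8 share one mechanism, so here is a single worked example for both. It is an added illustration, not DataPlain's code or code from any product on this page. Everything in it is assumed for the example: the record layout (`id`, `category`, `subject_id`, `collected_at`), the retention periods in `RETENTION_POLICY`, the HMAC key, and the constructed sample records. What it shows beyond the text: a keyed HMAC token (pseudonymisation) keeps rows joinable while re-linking needs a key stored elsewhere, the anonymise action drops identifiers and coarsens dates with no way back, and a category with no retention rule is reported as a finding rather than silently kept.

```python
# Retention sweep with delete / anonymise / pseudonymise actions.
# Added example; record layout, policy periods, key and sample data are assumptions.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical policy: category -> (retention period, action once expired).
# Periods are illustrative, not legal advice; yours come from your privacy notice.
RETENTION_POLICY = {
    "support_ticket": (timedelta(days=365), "delete"),
    "order": (timedelta(days=365 * 7), "anonymise"),          # kept for statistics only
    "analytics_event": (timedelta(days=30), "pseudonymise"),  # still joinable by token
}

# Fields that identify a person directly; stripped by both transformations.
DIRECT_IDENTIFIERS = {"subject_id", "email", "name", "ip"}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256) for an identifier.

    The same person always gets the same token, so rows still join, but
    re-linking needs the key, which must live in a separate secrets store.
    An unkeyed SHA-256 would not do: anyone can hash a guessed e-mail and match it.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace subject_id with its token and drop the other direct identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonymise(record["subject_id"], key)
    return out


def anonymise(record: dict) -> dict:
    """Drop direct identifiers and coarsen the timestamp to the month.
    No key, no way back: the row survives for aggregate statistics only."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["collected_at"] = record["collected_at"].replace(
        day=1, hour=0, minute=0, second=0, microsecond=0)
    out["anonymised"] = True
    return out


def apply_retention(records, policy, now, key):
    """Run one sweep. Returns (surviving records, decision log).

    The log holds (id, decision) for every record so the sweep is auditable.
    A category with no policy is flagged "no_policy" and kept untouched: data
    with no documented retention period is a finding for the inventory.
    """
    kept, decisions = [], []
    for rec in records:
        rule = policy.get(rec["category"])
        if rule is None:
            decisions.append((rec["id"], "no_policy"))
            kept.append(rec)
            continue
        retention, action = rule
        if now < rec["collected_at"] + retention:
            decisions.append((rec["id"], "keep"))
            kept.append(rec)
        elif action == "delete":
            # Dropping the live row is only part of the job: backups and
            # replicas holding this id need the same sweep or their own expiry.
            decisions.append((rec["id"], "delete"))
        elif action == "anonymise":
            decisions.append((rec["id"], "anonymise"))
            kept.append(anonymise(rec))
        else:
            decisions.append((rec["id"], "pseudonymise"))
            kept.append(pseudonymise_record(rec, key))
    return kept, decisions


# Constructed sample data for the example (not real records or a real key).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEY = b"example-only-key-store-the-real-one-in-a-secrets-manager"
SAMPLE_RECORDS = [
    {"id": 1, "category": "support_ticket", "subject_id": "u42", "email": "a@example.com",
     "collected_at": datetime(2023, 1, 15, tzinfo=timezone.utc), "text": "login fails"},
    {"id": 2, "category": "support_ticket", "subject_id": "u42", "email": "a@example.com",
     "collected_at": datetime(2024, 5, 1, tzinfo=timezone.utc), "text": "thanks"},
    {"id": 3, "category": "order", "subject_id": "u7", "name": "B. Example",
     "collected_at": datetime(2016, 3, 3, tzinfo=timezone.utc), "amount": 19.99},
    {"id": 4, "category": "analytics_event", "subject_id": "u7", "ip": "203.0.113.5",
     "collected_at": datetime(2024, 4, 1, tzinfo=timezone.utc), "event": "view"},
    {"id": 5, "category": "chat_transcript", "subject_id": "u9",
     "collected_at": datetime(2020, 1, 1, tzinfo=timezone.utc), "text": "hi"},
]

if __name__ == "__main__":
    survivors, log = apply_retention(SAMPLE_RECORDS, RETENTION_POLICY, NOW, KEY)
    for rec_id, decision in log:
        print(rec_id, decision)
    print(survivors)
```

Run as a script it prints one decision per record: ticket 1 is deleted, ticket 2 kept, the 2016 order anonymised, the analytics event pseudonymised, and the chat transcript flagged because no policy covers it. The functions return new dicts rather than mutating the input, so the same sweep can be re-run against backups and replicas, which the text rightly insists must be covered too.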

Conclusion

GDPR compliance is not a simple task, especially without a dedicated professional DPO or Data Privacy Operations team, but it could be significantly simplified by DataPlain. We automate all the mentioned steps, inventory the entire infrastructure, categorize data types, identify data privacy processes and give recommendations, automate data expiration, and highlight possible risks, threats and abnormal user or system behaviour.