Data protection since May 2018: The GDPR for Start-ups
On 25 May 2018, a new epoch began for data protection in Europe: the General Data Protection Regulation (Regulation EU 2016/679 – GDPR) now forms the European framework for data protection. Even if numerous national and European provisions continue to apply to the protection of personal data, the GDPR places demanding requirements on corporate structures and on the processing of personal data. With this in mind, start-ups should not only take the general GDPR considerations into account, but should ask themselves some additional questions.
The GDPR builds upon the approach taken by the previous data protection law and modernises it based on the experience gathered over the last 20 years, as well as the relevant case law. The GDPR contains a number of new elements that are designed, on the one hand, to strengthen the protection of the rights of data subjects and, on the other hand, to facilitate the transfer of data within the digital internal market for companies. The GDPR introduces the basic principles of data protection through technology and default privacy settings (“privacy by design” and “privacy by default”) in order to ensure that data protection interests are taken into account in business processes and products from the very start. New transparency requirements strengthen the rights of data subjects and give them more control over their personal data. A new element in this regard is the right to data portability, which allows a data subject to demand that a company transfer any personal data which the data subject made available to the company based on consent or a contract to another company, or back to the data subject. The regulation also gives data protection authorities the power to impose fines on data controllers and processors of up to EUR 20 million or four percent of the worldwide annual group turnover. In addition, data subjects may claim compensation for non-material damage caused as a result of serious violations of the data protection provisions. Previously, companies were obliged to notify, and to ensure that prior checks were performed on, processing operations that were likely to present specific risks. These requirements have been abolished. In their place is an instrument that is unfamiliar to German companies and requires the evaluation of the risks before data processing starts: the data protection impact assessment.
What is key: the company is responsible
One of the key principles that the GDPR seeks to establish is the responsibility of companies to ensure effective data protection. While a company wishing to process personal data is now freed from a number of bureaucratic notification requirements, it is expected to independently ensure effective data protection in all its commercial activities, in all areas of the organisation and in all products from the very start. Company processes and products should therefore be designed with data protection in mind from early on in the development process.
What does this mean in practice?
All companies are required to maintain a register of all the processing activities that occur under their authority. Many companies have therefore already taken a comprehensive inventory of all data processing procedures performed internally. In addition, the GDPR requires every company to document and ensure the lawfulness of all data processing. The processing inventory can also be used to fulfil this central documentation function. Companies must perform a data protection impact assessment for all processing that poses a particular risk for the data subject. A data protection impact assessment must be made, in particular, for any processing which allows behaviour to be analysed (e.g. consumer behaviour). Moreover, most companies are required to appoint a data protection officer. Fines can be imposed for failure to meet these compliance requirements, so a lack of documentation or the failure to appoint a data protection officer in itself triggers the risk of fines.
In addition to these general compliance requirements, it is in a company’s own interest to ensure that the rights of data subjects to information, access, rectification, erasure and data portability can actually be implemented. The new right to data portability, in particular, is a challenge for some start-ups. This right might make it easier for competitors to make tailor-made offers, as it allows them to access the consumer history of new customers. In this respect, customers can demand that their previous provider supply a copy of all data pertaining to them in a commonly used electronic format. This means extra effort for companies, but also opportunities to develop new products.
GDPR in start-ups
In addition to taking the general provisions of the GDPR into consideration, start-ups should ask themselves these questions in light of the GDPR requirements and those of the sector:
- Do your customer contracts and consent forms for data processing meet the requirements of the GDPR?
- What influence does the GDPR have on your customer win-back programmes and other marketing activities?
- Do your contracts with service providers (e.g. call centres) meet the requirements of the GDPR?
- Are your company’s internal IT processes aligned with the GDPR? In particular: What technical and organisational measures do you have in place with respect to data protection? Have you established concepts and routines for erasing the data of data subjects?
- Do you have processes in place to enable you to react to personal data breaches (hacker attacks)?
- What special requirements have to be implemented with respect to smart devices?
As far as we can tell, many companies are still not 100% compliant with the GDPR three months after its entry into force on 25 May 2018. While the authorities have been tolerant in certain areas during this initial “GDPR readiness” stage, companies are expected to take data protection seriously and ensure that compliance levels are high, particularly in the core areas of data processing and in the processing of sensitive personal data of data subjects (e.g. health apps). In our opinion, however, this “de facto transitional phase” will soon be over.
GDPR sprint tip:
If you have not yet started to implement the GDPR or are just at the start of this process, we would recommend that you set the following priorities:
- Get an overview of your processes! Take an inventory of your data protection processes and record them in a processing inventory. This inventory will be the first thing that the authorities ask for.
- Deal with your customer-related processes and the rights of data subjects! Unhappy customers and customers who have a bad experience with data protection will complain to the authorities. Make sure you fulfil the data protection expectations of your customers.
- Deal with customer contracts and information texts! Authorities can easily take a look at these documents. Make sure that the texts you use are based on the latest GDPR developments.
- Look after your employees! Employee data protection is important and unhappy employees can be a significant data protection risk.
- Do the things that are easy to implement! Selecting and appointing a data protection officer is easy and does not take much time.
- Address the remaining aspects of the GDPR according to your risk priorities.
Dr Axel von Walter
(Lawyer, Licensed Specialist for Copyright and Media Law, Licensed Specialist for Information Technology Law)
and Paul Wilde