If you’re a U.S. startup, you may be unsure whether the General Data Protection Regulation (GDPR) applies to you.
This article is a guide to the GDPR and its implications for businesses that collect personal data about people in the European Union (EU) or offer products or services to them. The GDPR imposes strict requirements on data protection, and organizations must adhere to key principles such as data minimization, accuracy and accountability. Failure to comply can result in significant administrative fines and other corrective measures.
Who Does GDPR Affect?
The GDPR applies to any business, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour there. Note that it protects individuals who are in the EU, not only EU citizens. Ask the following questions:
- Does your startup process data about people in the EU? Processing means collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, disclosing, erasing or any other operation performed on data, whether or not by automated means.
- Is that data “personal data”? This includes any data that could identify a person, and extends to data which, while it does not identify a person in isolation, would do so when combined with another piece of data. There is the obvious data such as names, email addresses and phone numbers. Beyond that, online identifiers (e.g., IP addresses, device identifiers, Twitter handles), location data and a range of sensitive data such as medical data are personal data.
If you answered “yes” to both of those questions, the GDPR applies to you.
So, even if you are a startup in the U.S., the GDPR likely applies if you touch Europe at all. If you sell products or services to people in Europe, it applies. If you collect email addresses from people in Europe, it applies. If your analytics or advertising tracks visitors from Europe, that is monitoring of behaviour and it applies. Merely having a website that Europeans can reach is not, on its own, enough, but most online startups do at least one of the above, so the safe working assumption is that the GDPR affects you.
Key Principles of GDPR
In addition to specifying the scope and territorial applicability of GDPR, the regulation also lays out a set of key principles that organizations must adhere to when processing personal data. These principles are intended to ensure that personal data is processed lawfully, fairly and transparently. Here are some of the most important principles:
- Data Minimization. Organizations must only collect and process personal data that is necessary for a specific purpose. They should not collect excessive amounts of personal data or use it for purposes beyond what was originally intended.
- Accuracy. Organizations are required to ensure that personal data is accurate and kept up to date. This includes reviewing and correcting personal data as needed, and erasing or rectifying inaccurate data without delay.
- Accountability. Organizations are responsible for complying with the GDPR and must be able to demonstrate that compliance upon request. This includes implementing appropriate technical and organizational measures to protect personal data against unauthorized access or disclosure, and keeping records of what is processed and why.
Other key principles of GDPR include lawfulness, fairness and transparency, purpose limitation, storage limitation, and integrity and confidentiality. By adhering to these principles, organizations can process personal data in a way that respects individual rights while also meeting their business needs.
Penalties for Non-Compliance
Under GDPR, data protection authorities can impose a range of penalties on organizations that fail to comply with the regulation. These penalties can be administrative fines, as well as non-financial corrective measures. Here’s an overview of the penalties:
- Administrative Fines: GDPR has a two-tiered structure for administrative fines.
- Lower Tier (Article 83(4)). For less severe violations, organizations can be fined up to €10 million, or 2% of their global annual turnover of the previous financial year, whichever is higher. Violations that fall into this category typically include administrative breaches, such as failing to report a data breach within the required 72 hours or not conducting a required Data Protection Impact Assessment (DPIA).
- Higher Tier (Article 83(5) and (6)). For more severe violations, organizations can be fined up to €20 million, or 4% of their global annual turnover of the previous financial year, whichever is higher. This level of fine is for violations that relate directly to the privacy rights of individuals, such as processing data without a valid legal basis (for example, without valid consent), violating the core principles of data processing like data minimization, ignoring individuals’ rights, unlawful transfers to third countries, or failing to comply with an order from a supervisory authority.
- Non-Financial Corrective Measures. In addition to financial penalties, data protection authorities have a range of corrective powers and sanctions that they can impose on organizations. These include:
- Warnings And Reprimands. Issuing warnings to organizations that they are likely in breach of GDPR, or reprimands for established non-compliance.
- Ordering Compliance. Requiring an organization to take specific actions to bring its data processing activities into compliance with GDPR.
- Imposing a Temporary or Definitive Limitation, Including a Ban, on Processing Data. This can be a significant penalty as it may require an organization to cease data processing activities altogether.
- Ordering the Rectification, Restriction or Erasure of Data. This may require an organization to correct errors, stop using data, or delete it; erasure is the remedy behind what is popularly called the “right to be forgotten.”
- Withdrawing Certifications. If an organization has been certified under a specific GDPR certification mechanism, the authority can withdraw this certification.
- Suspending Data Transfers to Third Countries. If an organization is transferring data outside of the EU, the data protection authority can order it to suspend these transfers.
The actual penalties imposed in any given case will depend on various factors, such as the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, and any action taken by the organization to mitigate the damages suffered by individuals. Additionally, authorities will consider the organization’s history of compliance, cooperation, and any other aggravating or mitigating factors.
What Rights Does an Individual Have?
Startups need to understand the basic rights that the GDPR affords individuals, as it will affect the design of your product or services. These rights are:
- Right to Be Informed. When personal data is collected, the company must provide all of the following information:
- the identity and the contact details of the company collecting the data;
- the purpose of the processing;
- the legitimate interests pursued by the company;
- the recipients or categories of recipients of the personal data, if any;
- the fact that the company intends to transfer personal data outside the EU, and the safeguards that will apply to the transfer;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of and logic behind automated decision-making and its consequences.
- Right of Access. The individual has the right to access their personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- the period for which the personal data will be stored;
- the existence of automated decision-making and its consequences.
- Right of Rectification. The individual has the right to rectify inaccurate personal data concerning him or her.
- Right to Erasure (“Right to Be Forgotten”). In specified circumstances, for example when the data is no longer needed for the purpose it was collected for, or the individual withdraws the consent the processing relied on, the individual has the right to require the company to erase personal data concerning him or her without undue delay. The right is not absolute: data the company must keep to meet a legal obligation, for instance, can be retained.
- Right to Restrict Data Processing. The individual has the right to restrict processing when the accuracy of the personal data is contested, when the processing is unlawful but the individual prefers restriction to erasure, when the controller no longer needs the data but the individual needs it for a legal claim, or while an objection to the processing is being assessed.
- Right to Data Portability. The individual has the right to receive the personal data concerning him or her, which he or she has provided to the company, in a structured, commonly used and machine-readable format. The individual also has the right to transmit those data to another company (even a competitor) without hindrance from the company.
- Right to Object. Where processing rests on legitimate interests or public interest, the individual has the right to object on grounds relating to his or her particular situation, and the company must stop unless it can demonstrate compelling legitimate grounds that override the individual’s interests. When the individual objects to processing of personal data for direct marketing purposes, there is no balancing test: the personal data shall no longer be processed for such purposes.
- Right to Human Decisions. The individual has the right not to be subject to a decision based solely on automated processing, including profiling, when that decision produces legal effects concerning him or her or similarly significantly affects him or her.
Know Your Data
One of the biggest barriers to compliance is the fact that most startups don’t even know what data they hold, where they hold it, or what application servers are accessing it. They know they have a bunch of data, but they don’t know what exactly it is.
The GDPR covers two categories of protected information: “personal data” and, within it, the “special categories” of personal data, which this article, like many practitioners, calls “sensitive personal data.”
Personal Data: Personal data under the GDPR law refers to anything that can be used to identify a person, directly or indirectly, including but not limited to the following:
- Email addresses
- First/last names
- Phone number
- ID number
- Location data
- Mailing addresses
- Financial information
- Online identifiers (IP address, cookie strings, etc.)
Sensitive Personal Data: The GDPR’s special categories of personal data (Article 9) receive greater protection and more stringent rules. Processing them is prohibited unless one of a short list of exceptions applies, such as the individual’s explicit consent. The special categories are:
- Health data
- Sex life or sexual orientation
- Religious or philosophical beliefs
- Political opinions
- Genetic data
- Biometric data used to uniquely identify a person
- Racial or ethnic origin
- Trade union membership
Data about criminal convictions and offences is not a special category but has its own restrictions (Article 10).
The GDPR requires higher standards for processing sensitive personal data. If your startup is processing sensitive personal data, make sure you meet the heightened requirements.
Kids: What about the kids? The GDPR includes additional rules for children. Where a company relies on consent to offer online services directly to a child, and the child is below the age of 16, the processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Member states may lower that age to no less than 13, so the threshold differs by country. It’s the responsibility of the company to make reasonable efforts, taking available technology into account, to verify that such consent was given.
Know Your Role
The GDPR splits organizations that handle personal data, your startup included, into two roles: data controllers and data processors. The data controller determines the purposes and means of the processing of personal data. The data processor processes personal data on the controller’s behalf and on its instructions. A startup can play both roles, and with the rise of the no-stack startup built on third-party services, most early-stage startups are primarily controllers: they decide what to collect and why, and outsource the actual processing. If you sell a B2B service that handles your customers’ user data, you are a processor for that data and a controller for your own (employees, marketing leads, billing).
For instance, if you rely on Stripe, Plaid or Braintree to process your payments, you are the data controller, they are the data processor. If you rely on Mailchimp or SendGrid to collect email addresses and send emails, you are the data controller, they are the data processor. If you use Salesforce or Hubspot for your customer relationship management (CRM), you are the data controller, they are the data processor.
The old Data Protection Directive placed obligations only on data controllers; the GDPR places direct obligations on both. Regardless of your role, you are responsible for the relationship: a controller may use only processors that give sufficient guarantees of compliance, the two must have a written data processing agreement (Article 28) setting out the subject matter, duration and purpose of the processing, and a processor may not add sub-processors without the controller’s authorization. In practice, that means reviewing and signing the data processing addendum of every vendor listed above.
Legal Bases for Processing Personal Data under GDPR
The GDPR allows organizations to process personal data only if they have a legal basis for doing so. The regulation provides six legal bases that organizations can rely on when processing personal data. These are:
- Consent. Consent is a common legal basis for processing personal data under GDPR. It requires individuals to agree before their personal data is processed. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; explicit consent is required only in certain cases, such as processing special categories of data. Because consent can be withdrawn at any time, it is often a weaker foundation than contractual necessity for the processing a service actually depends on.
- Contractual Necessity. Organizations can also rely on contractual necessity as a legal basis for processing personal data. This means that the processing of personal data is necessary to fulfill a contract or take steps at the request of an individual prior to entering into a contract.
- Legal Obligation. Another legal basis for processing personal data under GDPR is legal obligation. This means that organizations are required by law to process personal data in order to comply with a legal obligation.
- Vital Interests. Organizations can also rely on vital interests as a legal basis for processing personal data. This applies in situations where the processing of personal data is necessary to protect someone’s life.
- Public Interest. Public interest can be used as a legal basis for processing personal data when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- Legitimate Interests. Finally, organizations can rely on legitimate interests as a legal basis for processing personal data under certain circumstances. This requires a balancing test: there must be a genuine interest, the processing must be necessary for it, and the individual’s interests, rights and freedoms must not override it. Document the test, since you may need to show it to a regulator.
Organizations must choose an appropriate legal basis for each type of processing activity and document their decision-making process. They must also ensure that they process only the necessary personal data and retain it for only as long as necessary. By understanding the legal bases for processing personal data under GDPR, organizations can ensure that they are compliant with the regulation while also meeting their business needs.
Consent
Getting consent for collecting data from individuals is a cornerstone of GDPR. Consent is one of the lawful bases for processing personal data and, in specific situations, one of the permitted means by which personal data may be transferred to a third country outside of the European Union. The GDPR defines consent as any freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
When your startup is gathering information, implement the following:
- Check Boxes. Consent requires a positive opt-in action, so no pre-checked boxes; the user must take the action themselves. Silence, inactivity or continuing to use a site is not consent.
- No Precondition of Service. Consent cannot be a precondition of signing up to receive a service (unless it is absolutely necessary for that service), and it can’t be bundled together with consent for other terms and conditions.
- Specific. Consent must relate specifically to each purpose you use the data for. Strictly speaking, this means obtaining a separate consent for each purpose rather than one blanket consent.
- Informative. Individuals need to know who the “controller” of their personal data is and that they have a right to (easily) withdraw consent at any time.
In some cases, such as processing sensitive personal data, explicit consent is required.
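The consent rules above (positive opt-in, one consent per purpose, easy withdrawal, explicit consent for special-category data) translate into a small amount of backend logic. The following is an added example, not code from the original article or from any real product: a consent ledger in which an unticked box is recorded as a refusal, a catch-all “agree to everything” purpose is rejected, a special-category purpose is only honoured when the user affirmed an explicit statement, and a change of privacy notice invalidates earlier consent. The purpose names, the policy version strings and the idea of a `health_insights` feature are constructed assumptions.

```python
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Purposes this (hypothetical) startup asks consent for. Each one is its own
# checkbox on the form; there is deliberately no catch-all "agree to everything".
PURPOSES = {"newsletter", "analytics_profiling", "health_insights"}
# Purposes that process special-category (Art. 9) data and so need explicit consent.
SPECIAL_CATEGORY_PURPOSES = {"health_insights"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool
    explicit: bool          # subject affirmed a purpose-specific statement, not just a tick
    policy_version: str     # the notice the subject saw ("informed"); "" for withdrawals
    recorded_at: str        # ISO 8601 UTC timestamp


class ConsentLedger:
    """Append-only record of consent decisions; the history itself is the evidence."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _stamp(now: Optional[datetime]) -> str:
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_form(self, subject_id: str, ticked: Iterable[str], explicit: Iterable[str],
                    policy_version: str, now: Optional[datetime] = None) -> List[ConsentEvent]:
        """Record one submission of the form that shows every purpose in PURPOSES.

        `ticked` = boxes the user actively ticked; `explicit` = the subset where the
        user also affirmed a purpose-specific statement. Everything else is recorded
        as NOT granted: an unticked box, a pre-ticked default or silence is never consent.
        """
        ticked, explicit = set(ticked), set(explicit)
        unknown = (ticked | explicit) - PURPOSES
        if unknown:
            # A bundled purpose such as "all" would tie unrelated processing together.
            raise ValueError(f"unknown or bundled purposes: {sorted(unknown)}")
        stamp = self._stamp(now)
        events = []
        for purpose in sorted(PURPOSES):
            is_explicit = purpose in explicit
            granted = purpose in ticked
            if purpose in SPECIAL_CATEGORY_PURPOSES and not is_explicit:
                granted = False  # a plain tick is not enough for special-category data
            events.append(ConsentEvent(subject_id, purpose, granted, is_explicit,
                                       policy_version, stamp))
        self._events.extend(events)
        return events

    def withdraw(self, subject_id: str, purpose: str, now: Optional[datetime] = None) -> None:
        """Withdrawal is one unconditional call: as easy as giving consent."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._events.append(ConsentEvent(subject_id, purpose, False, False, "", self._stamp(now)))

    def has_consent(self, subject_id: str, purpose: str, current_policy_version: str) -> bool:
        """True only if the latest decision for this purpose is a grant made under
        the notice currently in force."""
        latest = None
        for event in self._events:
            if event.subject_id == subject_id and event.purpose == purpose:
                latest = event
        if latest is None or not latest.granted:
            return False
        if latest.policy_version != current_policy_version:
            return False  # the notice or purposes changed: ask again rather than assume
        if purpose in SPECIAL_CATEGORY_PURPOSES and not latest.explicit:
            return False
        return True

    def history(self, subject_id: str) -> List[dict]:
        """The subject's full consent trail, for access requests and audits."""
        return [asdict(e) for e in self._events if e.subject_id == subject_id]
```

The ledger never updates a row in place; every grant, refusal and withdrawal is appended, so `history()` can show a regulator exactly what the user agreed to, under which notice, and when. `has_consent()` is the only thing feature code should consult, and it fails closed on any doubt.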
Keep it Clean
If your startup’s data storage is a mess, the GDPR is a good excuse to clean it up. Compliance with the new rights granted to your users requires the ability for you to clearly understand what information you are collecting, keep it secure and to be able to retrieve, delete it and share it quickly. Take this opportunity to clean up your databases and servers.
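Knowing your data and being able to retrieve, export and delete it are the operational side of the rights listed under “What Rights Does an Individual Have?” and of this section. The following is an added example, not code from the article or any real system: a toy data inventory that records where each personal-data field lives, why it is processed and how long it is kept, and then uses that map to answer an access/portability request, carry out an erasure request while honouring a legal hold, and flag fields held past their retention period. The store names, field names, purposes, retention periods and sample records are all constructed assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Field:
    store: str                # system that holds the field (assumed names)
    name: str
    category: str             # "personal" or "special" (Art. 9 special category)
    purpose: str
    retention_days: int       # 0 = kept for the life of the account
    legal_hold: bool = False  # must survive an erasure request (e.g. tax records)


# The inventory: one row per personal-data field the startup holds. Constructed.
INVENTORY: List[Field] = [
    Field("users_db", "email", "personal", "account", 0),
    Field("users_db", "full_name", "personal", "account", 0),
    Field("analytics", "ip_address", "personal", "usage analytics", 90),
    Field("support", "health_note", "special", "support request", 365),
    Field("ledger", "invoice_address", "personal", "tax records", 0, legal_hold=True),
]


def sample_stores() -> Dict[str, Dict[str, dict]]:
    """Constructed sample data: store -> subject id -> record. A fresh copy each call."""
    return {
        "users_db": {"u1": {"email": "ana@example.com", "full_name": "Ana Example",
                            "collected_at": "2024-01-10T00:00:00+00:00"}},
        "analytics": {"u1": {"ip_address": "203.0.113.7",
                             "collected_at": "2024-01-10T00:00:00+00:00"}},
        "support": {"u1": {"health_note": "allergic to penicillin",
                           "collected_at": "2024-03-01T00:00:00+00:00"}},
        "ledger": {"u1": {"invoice_address": "1 Main St",
                          "collected_at": "2024-01-12T00:00:00+00:00"}},
    }


def special_category_fields(inventory: List[Field] = INVENTORY) -> List[str]:
    """Fields that need the heightened Art. 9 treatment."""
    return [f"{f.store}.{f.name}" for f in inventory if f.category == "special"]


def export_subject(subject_id: str, stores: dict, inventory: List[Field] = INVENTORY) -> dict:
    """Access/portability request: every inventoried field held on the subject, with
    its purpose and retention. Only inventoried fields are found, so an incomplete
    inventory produces an incomplete (and therefore non-compliant) answer."""
    out: dict = {}
    for f in inventory:
        record = stores.get(f.store, {}).get(subject_id)
        if record is None or f.name not in record:
            continue
        out.setdefault(f.store, {})[f.name] = {
            "value": record[f.name],
            "purpose": f.purpose,
            "retention": "account lifetime" if f.retention_days == 0 else f"{f.retention_days} days",
        }
    return out


def export_subject_json(subject_id: str, stores: dict, inventory: List[Field] = INVENTORY) -> str:
    """Machine-readable form of the export, as the portability right requires."""
    return json.dumps(export_subject(subject_id, stores, inventory), indent=2, sort_keys=True)


def erase_subject(subject_id: str, stores: dict, inventory: List[Field] = INVENTORY) -> Dict[str, List[str]]:
    """Erasure request: delete every inventoried field except those under a legal hold,
    and report both lists so the reply to the subject is accurate."""
    result: Dict[str, List[str]] = {"erased": [], "retained": []}
    for f in inventory:
        record = stores.get(f.store, {}).get(subject_id)
        if record is None or f.name not in record:
            continue
        key = f"{f.store}.{f.name}"
        if f.legal_hold:
            result["retained"].append(key)
            continue
        del record[f.name]
        result["erased"].append(key)
    return result


def overdue_fields(now_iso: str, stores: dict, inventory: List[Field] = INVENTORY) -> List[str]:
    """Storage limitation: fields held longer than their retention period."""
    now = datetime.fromisoformat(now_iso)
    overdue = []
    for f in inventory:
        if f.retention_days == 0:
            continue
        for subject_id, record in stores.get(f.store, {}).items():
            if f.name not in record:
                continue
            collected = datetime.fromisoformat(record["collected_at"])
            if now - collected > timedelta(days=f.retention_days):
                overdue.append(f"{f.store}.{f.name}:{subject_id}")
    return overdue
```

The point of the inventory is that the same map drives every obligation: the access export, the erasure, the retention sweep and the list of special-category fields all read from `INVENTORY`, so a field that is added to a store without being added to the inventory is invisible to all of them. In a real system the inventory would be a maintained table and the store access would be real queries, but the dependency on one authoritative map is the part worth copying.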
Data Protection Officer
It’s a good idea for a startup to appoint a Data Protection Officer (DPO) to oversee data security strategy and compliance with GDPR. It is mandatory only if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (public authorities must always appoint one). “Large scale,” unfortunately, is not defined in the final text. An earlier draft reportedly defined it as employing 250 or more people or processing data pertaining to 5,000 or more individuals in any consecutive 12-month period, but that definition was dropped before the final version. Most startups probably don’t meet the large-scale threshold; if you decide not to appoint a DPO, record the reasoning so you can show it later.
EU Representative
The GDPR requires data controllers and data processors that are established outside the EU but subject to the regulation to designate a representative inside the EU (Article 27). This is similar to the registered agent requirement for incorporating in most U.S. states. The exemption is narrower than it may first appear: it applies only if your processing is occasional, does not include large-scale processing of special categories of data (or data about criminal convictions), and is unlikely to result in a risk to individuals. A startup that regularly processes its EU users’ data does not qualify.
Privacy Policy
Your privacy policy is how you meet the right to be informed. The goal is to cut out the legalese and simplify technical information. Startups should draft with the average user in mind and use short, clear sentences.