
GDPR Compliance and Startups: 7 principles you MUST master (2020)

Written by Shawn Segundo | 14 October 2020

Since its inception in 2018, the General Data Protection Regulation (GDPR) has thrown many companies, consumers, and individuals into a bit of a confused frenzy.

It’s understandable too: suddenly there was talk of huge fines being imposed, of non-EU companies also being affected, and of what was still allowed regarding data collection and what no longer was. I can say from my own experience here in the SpinLab that getting ready for the GDPR was no simple task.

Since 2018, the talk and general confusion about the GDPR have somewhat settled down, but it’s certainly still a very important topic for the startups we host in our accelerator program. After all, it’s important for startups to get a grasp on this early on, as resources, time, and money are always limited.

It’s best to be proactive with anything regarding data security, especially when the longevity and survival of your startup can be directly affected by possible GDPR fines.

So in the summer of 2020, we invited Stefan Schreiber to the SpinLab to record a short intro video going over some of the fundamental principles of the GDPR. Stefan is a Senior Associate at CMS Law & Tax here in Leipzig. He’s a specialist in this field, he is one of our most valued mentors, and CMS is also one of SpinLab’s official partners.

We’re going to do our best to break down the information in his video into the easy-to-understand principles below.

DISCLAIMER

For the sake of transparency, we must emphasize that we at the SpinLab are NOT lawyers. The information presented in these guidelines is a summarized version of everything Stefan mentions in this video, and the information is valid as of October 2020. Please refer to your own legal counsel (or consider hiring CMS!) for official instruction on how to handle your company’s specific GDPR needs. The information presented here is meant to be used as a guideline to give you an idea of what to expect with the GDPR, not as concrete legal advice.

TL;DR: Just show me Stefan’s GDPR video

A quick refresher on the basics of the GDPR

Again, GDPR stands for General Data Protection Regulation. It’s a European Regulation, and at the time of writing this article, it is the toughest privacy law in the world.

From a marketing perspective, the GDPR is a good thing. I am going to say it again, the GDPR is a GOOD THING for marketers!

Why? Because gone are the days of receiving random irrelevant spam email offers. Companies are now forced to target specific buyer personas, obtain permission, and only communicate with people who want to receive that communication.

That sounds harsh, but believe me, in the end this is much more effective for companies and consumers alike.

Who does the GDPR affect?

If you are a company based in the EU, you are automatically bound to the regulations of the GDPR.

Furthermore, even non-EU-based companies are subject to the regulations of the GDPR, if you sell to people in the European Union!

This is something startups must not overlook! If you have a SaaS company that is, for example, founded in Singapore by people from Singapore and sells primarily to people in the Asia-Pacific region, the INSTANT you take on a lead from an EU country, your company is subject to GDPR regulations!

Startups MUST keep this scenario at the forefront when rolling out their go-to-market strategies.

What are the fines of the GDPR?

Companies found to be in violation of the GDPR can be fined one of two amounts, whichever is greater:

  1. 20 Million Euros
  2. 4% of Global Revenue

Those figures are no joke. I don’t know about your startup, but I can’t think of a single startup in our portfolio that could suddenly afford to take a 20 Million Euro fine. That’s game over man.

Famous words from Aliens

What’s considered personal information in the eyes of the GDPR?

The GDPR is rooted in the belief that privacy is a fundamental right of the individual. The official definition of personal information is anything that can directly OR indirectly identify an individual.

Our practical definition to stay safe is this: assume every bit of information you want to collect from people is considered personal information in the eyes of the GDPR.

Personal information, according to the GDPR, can be, but is certainly not limited to, things such as: name, email address, cookies, ethnicity, political affiliation, religion, IP address, etc.

What are the GDPR objects of data protection?

When you’re reading through GDPR privacy policies, you’re likely to run into these two terms, which describe the two key roles in data protection:

  1. Data Controller: the party that decides how, and for what reason, personal data is collected and processed. Simply put, this is your startup.
  2. Data Processor: any third party, or third-party tool, that processes personal data on behalf of the data controller. Simply put, these are the tools you use, such as your CRM, Google Forms, mail programs, etc.

7 Principles to help keep your startup GDPR Compliant

Ok, now that the basics are out of the way, let’s dive into some specific principles that you can use to evaluate the current status of your own startup’s GDPR compliance.

If you understand these principles, you can actually deal with every single data problem you could encounter, or at the very least you’ll be able to identify that you have a data issue.

1. Lawfulness and transparency of data processing

All data that is being processed must be on a legal basis. Simply put, that means you need to have a valid reason to collect the data in the first place. Furthermore, the people you’re collecting data from need to be informed of everything that is being collected and why.

This is why it is imperative to have a privacy policy on your website that informs the individuals about what you are collecting and why.

An example of lawfulness and transparency in practice

For the examples in the rest of this article, we’re going to use a made-up company: Techno Heaters.

Let’s say I am the CEO of Techno Heaters and I decide that I need a full time marketing manager. Naturally, in 2020, it’s common practice to be able to promote open job positions online, so I create a job application form for the marketing manager position on my website.

That is our legal basis: the application process for a job offer. As a company, I now have the legal basis to carry out related tasks such as preparing employment contracts and processing job applications.

Transparency here should be satisfied by having a privacy policy link on the job application page that clearly states what information we are collecting, how we are collecting it, and why.

Never underestimate the importance of privacy

2. Purpose limitation

This simply means you have a legitimate reason for collecting data.

An example of purpose limitation in practice

For Techno Heaters, the fact that I need a new marketing manager and am seeking job applications online is my legitimate purpose for collecting data.

In many cases, your legal basis and your purpose limitation should correspond.

3. Data Minimization

This principle means you should only be collecting data that is relevant for the current purpose.

An example of data minimization in practice

I'm still on the hunt for my marketing manager for Techno Heaters. As this is a job offer, it makes sense that I need to collect information such as:

  • First & Last Name
  • Email and Phone Number
  • Job Experience
  • University Records
  • Geographic Location

It makes absolutely no sense to collect data such as:

  • Gender
  • Political affiliation
  • Weight
  • Hair color
  • Religion

The information in the second list is completely irrelevant to the candidate’s capacity to perform in the role of marketing manager for a startup, so collecting it would not satisfy the principle of data minimization.

Use data privacy practices people love

4. Accuracy

The personal data you collect from individuals must always be kept accurate and up to date. This applies for as long as you have the information stored.

An example of accuracy in practice

I've finally made a decision to hire Nancy Johnson as my marketing manager for Techno Heaters.

Within her first six months of working at Techno Heaters, she gets married and decides to take the last name of her new husband, which is Samuels.

It is now my responsibility to update all of her records that I have on file to Nancy Samuels, as she is no longer Nancy Johnson.

5. Storage Limitation

Data should only be stored for as long as it serves its purpose. Once that purpose is served, you, as the data controller, no longer have a legal right to keep that information stored.

An example of storage limitation in practice

Nancy Johnson is now the happy marketing manager at Techno Heaters. But hers wasn’t the only application: I received 100 applications in total for the position, and only Nancy was hired for the job.

That means I have to notify the other 99 applicants to thank them for their time and their applications, and to let them know that the position has been filled and is no longer available.

Once that email is sent to the other 99 applicants, I no longer have a valid reason for keeping their data in any of my records. The data has served its purpose, and it’s now my responsibility to delete all of that information.
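The storage-limitation step above can be turned into a scheduled clean-up job rather than a manual chore. The following Python is an added example written for this article, not code from the SpinLab, CMS, or Stefan’s video: it decides which applicant records have served their purpose (rejected and already notified) and deletes them, keeping only an audit entry without personal data so the deletion itself can later be demonstrated. The record layout, the sample applicants, and the optional `grace_days` retention window are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Applicant record as a hiring form might store it. Field names are constructed
# for this example; they are not from the article or any real system.
@dataclass
class Applicant:
    applicant_id: int
    name: str
    email: str
    status: str                  # "hired", "rejected" or "in_review"
    notified_on: Optional[date]  # date the outcome e-mail went out, None if not yet sent


def purpose_served(applicant: Applicant, today: date, grace_days: int = 0) -> bool:
    """True once the data has done its job: the applicant was rejected and told so.

    grace_days is an assumed policy knob (not from the article) for a short
    window after the notification; 0 means delete as soon as the e-mail is out.
    """
    if applicant.status != "rejected" or applicant.notified_on is None:
        return False
    return applicant.notified_on + timedelta(days=grace_days) <= today


def apply_storage_limitation(records: List[Applicant], today: date,
                             grace_days: int = 0) -> Tuple[List[Applicant], List[dict]]:
    """Return (records to keep, audit entries for the deletions).

    The audit entries hold no personal data, only the id, the reason and the
    date, so the evidence of deletion can itself be kept (principle 7).
    """
    keep: List[Applicant] = []
    audit: List[dict] = []
    for a in records:
        if purpose_served(a, today, grace_days):
            audit.append({
                "applicant_id": a.applicant_id,
                "action": "deleted",
                "reason": f"rejected, notified on {a.notified_on.isoformat()}",
                "deleted_on": today.isoformat(),
            })
        else:
            keep.append(a)
    return keep, audit


# Constructed sample: the hired candidate, two rejected and notified applicants,
# one rejected but not yet notified, and one still under review.
SAMPLE_RECORDS = [
    Applicant(1, "Nancy Johnson", "nancy@example.com", "hired", None),
    Applicant(2, "Applicant Two", "two@example.com", "rejected", date(2020, 10, 1)),
    Applicant(3, "Applicant Three", "three@example.com", "rejected", date(2020, 10, 1)),
    Applicant(4, "Applicant Four", "four@example.com", "rejected", None),
    Applicant(5, "Applicant Five", "five@example.com", "in_review", None),
]


def run_sample(today: date = date(2020, 10, 14)) -> Tuple[List[int], List[int]]:
    """Ids kept and ids deleted when the job runs on `today`."""
    keep, audit = apply_storage_limitation(SAMPLE_RECORDS, today)
    return [a.applicant_id for a in keep], [e["applicant_id"] for e in audit]


if __name__ == "__main__":
    kept, deleted = run_sample()
    print("kept:", kept)        # [1, 4, 5]
    print("deleted:", deleted)  # [2, 3]
```

Note that the job never deletes a rejected applicant who has not yet received the outcome email, because until then the data still serves the purpose it was collected for; the hired candidate’s record moves on to an employment purpose and is out of scope for this job.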

6. Integrity and confidentiality

Simply put, it’s your responsibility to make sure the data you’re collecting stays secure.

This means implementing technical measures in your systems such as end-to-end encryption on your site, two-factor authentication for user logins, firewalls, etc.

Furthermore, this involves defining internally who may access which data within your organization. It’s very unlikely that everyone in your company is going to need access to all the data you collect.
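The internal "who can access what" structure can be enforced in code instead of living only in a policy document. The Python below is an added example, not code from the article or its sources: it grants each role access to only the applicant fields its task needs, refuses anything beyond that, and writes both granted and denied reads to an access log that holds ids and field names but no personal values, which doubles as the documentation principle 7 asks for. The roles, users, field names, and the sample applicant are constructed assumptions for the made-up Techno Heaters.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role-to-field map for applicant records at the made-up Techno
# Heaters. Roles, fields and users are assumptions for this example, not from
# the article: the point is that each role sees only what its task requires.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "hiring_manager": {"name", "email", "phone", "experience", "university", "location"},
    "recruiter": {"name", "email", "phone"},
    "engineer": set(),   # no business need for applicant data at all
}


class AccessDenied(PermissionError):
    """Raised when a user asks for fields their role does not cover."""


@dataclass
class AccessLog:
    """Append-only record of who read what; holds ids and field names, not values."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, applicant_id: int,
               fields: Set[str], result: str) -> None:
        self.entries.append({"user": user, "role": role, "applicant_id": applicant_id,
                             "fields": sorted(fields), "result": result})


def read_applicant(record: dict, user: str, role: str,
                   fields: Set[str], log: AccessLog) -> dict:
    """Return only the requested fields, and only if the role may see all of them.

    Denied requests are logged too: the log is the evidence that the access
    rules are enforced, not just written down.
    """
    allowed = ROLE_FIELDS.get(role, set())
    over_reach = set(fields) - allowed
    if over_reach:
        log.record(user, role, record["applicant_id"], fields, "denied")
        raise AccessDenied(f"role {role!r} may not read {sorted(over_reach)}")
    log.record(user, role, record["applicant_id"], fields, "granted")
    return {f: record[f] for f in fields}


# Constructed applicant record; all values are placeholders.
SAMPLE_APPLICANT = {
    "applicant_id": 42, "name": "Nancy Johnson", "email": "nancy@example.com",
    "phone": "+00 000 000000", "experience": "5 years B2B marketing",
    "university": "Example University", "location": "Leipzig",
}


def demo() -> dict:
    """Run three reads (one in scope, two over-reaching) and summarise the outcome."""
    log = AccessLog()
    recruiter_view = read_applicant(SAMPLE_APPLICANT, "bob", "recruiter", {"name", "email"}, log)
    try:
        read_applicant(SAMPLE_APPLICANT, "bob", "recruiter", {"name", "university"}, log)
        denied = False
    except AccessDenied:
        denied = True
    try:
        read_applicant(SAMPLE_APPLICANT, "eve", "engineer", {"name"}, log)
    except AccessDenied:
        pass
    return {
        "recruiter_fields": sorted(recruiter_view),
        "recruiter_denied_university": denied,
        "results": [e["result"] for e in log.entries],
        # the log must never leak the data it protects
        "log_has_values": any("nancy@example.com" in str(e) for e in log.entries),
    }


if __name__ == "__main__":
    print(demo())
```

A request is refused as a whole if even one field is out of scope, rather than silently returning the allowed subset; that makes over-reaching queries visible in the log instead of hiding them.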

7. Accountability

As the data controller, it is your responsibility to be able to demonstrate that the company is operating in accordance with all of these principles. Simply put, that means you need to have everything documented.

Have evidence for EVERYTHING.

Should misfortune befall you, and should you find yourself before a European court facing charges of being in violation of the GDPR, evidence of proper documentation records may be the only thing that stands between you and a 20 Million Euro fine.

An example of a GDPR-compliant form with proper data collection documentation

Conclusion

As I mentioned earlier on, GDPR is a good thing. It’s making companies more accountable, and it’s making marketing better for consumers in all industries.

If you follow the steps in this guide, and hire a reputable legal expert to help you on your startup’s GDPR journey, the GDPR should pose no problems to your operations.

If you liked this article, be sure to subscribe to our blog to keep up to date with the latest tips, tricks, and strategies from the European Startup Scene.