What The EU’s Privacy Rules Imply For Startups

The boom in the digital economy is being driven by startups and it is they who are offering new products, services, and innovations to the market. At the heart of many of these developments is data, which is the economic bedrock on which many of these startups are built.

This data can be hugely valuable and also extremely powerful; but with great power comes great responsibility. All businesses, including startups, which handle data have to comply with data protection and privacy rules, to ensure that this data is kept securely and not misused, shared, or stolen, without the permission of users.

Why is Data Privacy so important to startups?

Well, firstly, data protection is not optional. Within the EU there are many stringent rules designed to ensure that data protection and privacy standards are maintained across the bloc. The new Data Protection Regulation has imposed new obligations on businesses and given even greater rights to individuals. Failure to comply with these rules will mean big fines and possible criminal convictions. Bad PR is also guaranteed.

What are the EU Privacy Rules?

As with all EU legislation, EU Privacy and Data Protection laws are long and complicated, with far too many nuances to squeeze into an article of this length.

But of course, there are a number of key aspects of the new rules worth highlighting:

  • Personal Data is defined in the new rules as being anything that can identify a user, either directly or indirectly. This means that things like IP Addresses and Cookies are now classified as Personal Data.
  • There are now separate regulations for data controllers and data processors. Controllers are required to only work with Processors who comply with the new EU rules, while Processors must undertake a ‘Risk-based Approach’.
  • This Risk-Based Approach requires processors to develop controls based on the degree of risk their activity entails. This means undertaking privacy impact assessments, building privacy safeguards into software and processes, and using techniques like pseudonymisation to enable the use of big data whilst also protecting privacy.
  • Obtaining the consent of users for their data to be processed is also a requirement, although how this consent can be obtained does include quite a bit of leeway. According to the new rules, “a statement or by a clear affirmative action, signifies agreement”.
  • Businesses are required to make various bits of information available to users, such as:
    • the purposes of the processing for which the personal data are intended
    • the period for which the personal data will be stored
    • the existence of the right to access, rectify or erase the personal data
    • the right to withdraw consent at any time
    • the right to lodge a complaint to a supervisory authority
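The risk-based approach above names pseudonymisation as the technique that lets a startup analyse data while limiting exposure of the personal data it holds (IP addresses and user identifiers, under the definition given). The following is an added example and not code from the article: it replaces identifying fields with tokens derived from a keyed hash (HMAC-SHA256), so records about the same person still join for analytics, while only the holder of the secret key can relate a token back to a person, for instance to locate a subject's records when they exercise the right to erase. The sample records and the demo key are constructed for illustration; in production the key would live in a secrets manager, held separately from the pseudonymised dataset.

```python
import hashlib
import hmac
from typing import Any, Dict, Iterable, List, Sequence

# Constructed sample analytics log; the addresses are documentation ranges, not real users.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"user_id": "u-1001", "ip": "203.0.113.7", "page": "/pricing", "ms": 312},
    {"user_id": "u-1001", "ip": "203.0.113.7", "page": "/signup", "ms": 128},
    {"user_id": "u-2042", "ip": "198.51.100.9", "page": "/pricing", "ms": 455},
]

# Fields that identify a person directly or indirectly (the article's definition of personal data).
IDENTIFYING_FIELDS: Sequence[str] = ("user_id", "ip")

# Constructed demo key. A real key is generated with a CSPRNG, stored in a secrets manager,
# and never shipped alongside the pseudonymised data: whoever holds the key can re-link it.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(value: str, key: bytes, field: str) -> str:
    """Return a stable 128-bit token for `value` from a keyed hash.

    A secret key is essential: an unkeyed hash of an IPv4 address or a short user id
    is reversible by trying every candidate, because the input space is small.
    The field name is mixed into the MAC input so that the same string appearing in
    two different columns yields two unrelated tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise_record(record: Dict[str, Any], key: bytes,
                        fields: Sequence[str] = IDENTIFYING_FIELDS) -> Dict[str, Any]:
    """Copy a record, replacing each identifying field with its token."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymise(str(out[field]), key, field)
    return out


def pseudonymise_dataset(records: Iterable[Dict[str, Any]], key: bytes,
                         fields: Sequence[str] = IDENTIFYING_FIELDS) -> List[Dict[str, Any]]:
    """Pseudonymise every record; the result can be handed to analytics without the key."""
    return [pseudonymise_record(r, key, fields) for r in records]


def count_by(records: Iterable[Dict[str, Any]], field: str) -> Dict[str, int]:
    """Example of analysis that still works on tokens: visits per (pseudonymous) user."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return counts


def records_for_subject(pseudonymised: Iterable[Dict[str, Any]], key: bytes,
                        field: str, value: str) -> List[Dict[str, Any]]:
    """Key-holder operation: find a data subject's records (e.g. to honour an erasure
    request) by recomputing their token, without storing any reverse lookup table."""
    token = pseudonymise(value, key, field)
    return [r for r in pseudonymised if r.get(field) == token]


if __name__ == "__main__":
    data = pseudonymise_dataset(SAMPLE_RECORDS, DEMO_KEY)
    for row in data:
        print(row)
    print("visits per user:", count_by(data, "user_id"))
    print("records for u-1001:", len(records_for_subject(data, DEMO_KEY, "user_id", "u-1001")))
```

Deleting the key once it is no longer needed turns the pseudonymised dataset into one nobody can re-link, which is a simple way to meet a stated storage period for the identifying part of the data while keeping aggregate statistics.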

How do I prepare my startup to comply with new Privacy Rules?

If you are coming to this afresh, the first step you will need to do is undertake a Privacy Assessment. This is intended to help you:

  • Identify core details such as whose data will be collected, what data will be collected, and how it will be handled, shared, transferred, etc.
  • Assess the possible impact of processing this data on the privacy of users, and also identify any potential risks.
  • Identify whether or not there are any legal restrictions that may apply to your business and the data it will be handling.
  • Identify key compliance measures you will need to implement in your business in order to comply with the new EU privacy laws.
  • Build into your business model processes for dealing with non-compliance.

With all of this in place at an early stage, your startup will be much better placed to comply with EU law, and this in turn will make it a much more attractive option for both investors and customers.

Any tips for those coming at this for the first time?

It can seem pretty daunting to startups looking to address compliance with EU privacy rules and data protection laws for the first time; particularly with the more stringent new regulations which have been put in place this year.

Firstly, don’t panic. A lot of what is required of you is pretty straightforward and common-sense stuff that any right-thinking business would want to have in place anyway.

Do your research properly. You will need to do some reading to be sure you are in full compliance with the rules. There is also something to be said for getting external advice from experts. In the UK, for example, the Information Commissioner's Office is a pretty good place to start.

Also, there are plenty of useful bits of software and existing services that can help you to ensure the privacy and security of the data you are handling.

I always strongly recommend using a VPN, which encrypts all online activity guaranteeing data security from hackers and other snoopers. It also offers various other benefits, including hiding your IP Address to allow you to use the web anonymously, and bypassing geo-restrictions and national censorship efforts, which allows users to access restricted content no matter where in the world they are.

A VPN costs only a few dollars a month and offers a lot for the price. It’s a great place to begin your startup’s data privacy revolution.
