GDPR: New EU Online Privacy Rules Explained By FAQs From Startups

The GDPR entered into force on May 25, 2016. After a two-year grace period, companies as well as startups will be obliged to comply with the new regulations. Here's what you need to know:

Over the past couple of months, we’ve done free informative/consulting sessions for startups about the new EU online privacy and data protection rules. We were hosted by General Assembly and Blooming Founders and held events at cool spaces such as Launch 22, WeWork, Huckletree and Google Campus. We loved getting asked very interesting questions posed by entrepreneurs. The most frequent and relevant ones are below. We hope you find them helpful.

Although the events were in London, the answers to these questions are relevant to all startups and digital companies in Europe. This is because the new rules – called the General Data Protection Regulation – harmonise all the different privacy rules across the EU into one. The GDPR also applies to all companies that have EU users, whether the company is based in the EU or outside it. We talk at length about what the GDPR is and how it applies to startups here.

FAQs On GDPR For Startups

#1 Who is a processor? What do I need to do to make sure I’m compliant?

A processor is an entity that processes personal data on behalf of the controller. The controller is the company or entity that collects information primarily from users. In other words, a processor is a 3rd party and the controller is the one that faces the users directly. Examples of 3rd parties include cloud providers, email marketing services, big data solutions, etc.

To be compliant as a processor you need to take the same organisational and security steps as a controller does. Otherwise, controllers will not choose 3rd parties that are not compliant.

#2 Does information collected for newsletters qualify as personal data?

Yes. Names and emails, and now also IP addresses and online identifiers, are considered personal data. You will have to review how you get consent, how you store and handle data, and which security steps you take.

#3 I’m at idea stage, what do I do?

You’re lucky! You can implement Privacy by Design from the start: select 3rd parties, set up your processes and get consent correctly.

#4 What information security steps can I take?

Train staff to identify a breach or scam attempt and to respond to Subject Access Requests (when a user sends a request to access, modify or delete their information). You can also conduct cyber security tests to check your infrastructure for vulnerabilities and assess the risks.

#5 What are the things that I can do on my own?

Staff training, registering with data authorities, reviewing and vetting 3rd parties, implementing mobile device management for BYOD startup arrangements, and notifying users of their rights.

#6 Do I need to write a very long privacy policy to let the users know of all of this?

No, the opposite. Privacy policies have to be written in clear and plain language and be easily accessible. You can also use visualisations to explain them.

#7 What do I do if my company has been breached?

Notify the authorities. Under the new rules you will have 72 hours to do so.

#8 We’re providing a SaaS platform, what can we do?

Review your sub-processors. Assure your clients that you are data compliant. If you collect information you are a controller and if you don’t then you’re a processor.

#9 We are a 3rd party what can we do?

Only use the information as instructed by the company that is using your services – the controller.

#10 Who else does GDPR apply to besides users?


#11 I’m developing an app for children, what do I need to take into account?

The minimum age of users has been raised to 16. For the processing of information of those under 16 to be lawful it has to be authorised by parental consent.

#12 We’re developing the next awesome thing in data analysis, what should we watch out for?

Watch out for profiling. There are very strict obligations for profiling users under the new privacy rules.

#13 How to approach online privacy at an app/platform testing stage?

At this stage you will have a lot of back and forth with the lucky ones chosen to test the app, so getting their consent for this communication is extremely important. Also, keep their data safe and secure, and report to them any change in the purpose of data collection, e.g. using it for marketing vs using it for analysis. Lastly, let them know of their rights and of the 3rd parties used.

More questions left? Get in touch!

*This article is not a legal instruction. This information is supplied without liability.*
