How Startups Can Easily Comply With The GDPR

Are you late to the GDPR party? Don’t worry, we’ve got you covered. Startups that are still building their processes, services, and products can incorporate data protection principles into them from the start.

While the transition is a bit of a hassle, the future belongs to companies that are natively compliant with the General Data Protection Regulation (GDPR). So, if you are a startup that has not thought about complying with the GDPR just yet, or you have only just started, this checklist is for you!

In general, these are the principles you should always keep in mind when designing or building your organizational structures that relate to your clients, customers, users or employees:

  • The right to erasure (the right to be forgotten, i.e. deleted from the system)
  • The right to restriction of processing (you have to restrict access to the data and cannot do anything with it without further consent of the user)
  • The right to data portability (give your users the possibility to download a machine-readable, exportable file of the data you have collected and processed about them)
  • The right to rectify data (have an edit button for data fields)
  • The right to be informed, which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise

#1 Create And Agree With Data Protection Goals

This essentially means that you need to conceptualize, write down and declare your data protection goals. They should incorporate principles of responsible data processing and recording. Once you have them written down, make sure your whole team is aware of them.

#2 Appoint An Internal Data Protection Officer (DPO) With No Conflict Of Interest

This can be anyone in the company who is aware of and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation. If you’re too small in numbers, you might not officially need a DPO, but someone should still take care of it.

#3 Create A Compliant Cookie Policy

Until now it has been enough to display the common “we use cookies” warning; the GDPR changes that. From the GDPR perspective, cookies essentially mean you are collecting user data, and you need to make sure that you have legal grounds for it. So, if you are building your website from scratch, make sure your website’s use of cookies and online tracking is compliant with the GDPR.

#4 Create Your Privacy Policy

Your privacy policy should state which data you collect, what the legal basis for collecting it is, and how exactly you ensure that it is protected through all the processes it goes through.

#5 Add The Following Features

  • Consent box and record with it the Privacy Policy version (Article 7)
  • Have double opt-in on your newsletter, lead magnets & sign up (Article 7)
  • Right of access feature (“I want to access all my data”, i.e. an export & import feature) (Article 15)
  • Right to edit or modify user data feature (Article 16)
  • Automatic deletion, or a stated timeline for deletion of their data, as a feature for your users (Article 17)
  • Right to delete or forget user feature (Article 17)
  • Right to object to processing & profiling feature (Articles 21 & 22)
  • Right to stop automated profiling (Articles 18 & 23)
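To show what the features above look like once they are built, here is an added example in Python (not code from the original post or from any product it mentions): a minimal in-memory user store that records consent together with the Privacy Policy version (Article 7), runs a double opt-in, exports the user’s data in machine-readable form (Article 15), rectifies a field (Article 16), erases on request and purges unconfirmed sign-ups automatically (Article 17), and enforces restriction of processing (Article 18) and objection to profiling (Articles 21 and 22). The class and method names, the consent “purposes”, the policy version strings and the sample user are all assumptions made for illustration; the one design point worth copying is that every use of the data goes through a single gate, so the restriction and objection flags are enforced in one place rather than remembered by each feature.

```python
# Added example (not from the original post): minimal in-memory user store
# implementing the Article 7/15/16/17/18/21 features; all names are assumptions.
from __future__ import annotations

import json
import secrets
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone


class ProcessingRestricted(Exception):
    """Data was used while the user had restricted or objected to processing."""


@dataclass
class ConsentRecord:
    purpose: str          # what the consent covers, e.g. "account" or "newsletter"
    policy_version: str   # the Privacy Policy text the user actually agreed to (Art. 7)
    given_at: str         # UTC timestamp, ISO 8601


@dataclass
class User:
    email: str
    name: str
    created_at: str
    consents: list[ConsentRecord] = field(default_factory=list)
    pending_opt_in: str | None = None     # double opt-in token, None once confirmed
    confirmed: bool = False
    processing_restricted: bool = False   # Art. 18 flag
    objected_to_profiling: bool = False   # Art. 21/22 flag


class UserStore:
    """Hypothetical store kept in a dict; a real service would use a database."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    # Art. 7: store consent with the policy version it refers to, and issue a
    # one-time token to start the double opt-in (in practice it is e-mailed).
    def sign_up(self, email: str, name: str, policy_version: str, purpose: str = "account") -> str:
        now = datetime.now(timezone.utc).isoformat()
        user = User(email=email, name=name, created_at=now)
        user.consents.append(ConsentRecord(purpose, policy_version, now))
        user.pending_opt_in = secrets.token_urlsafe(16)
        self._users[email] = user
        return user.pending_opt_in

    def confirm_opt_in(self, email: str, token: str) -> bool:
        user = self._users[email]
        if user.pending_opt_in is None or not secrets.compare_digest(user.pending_opt_in, token):
            return False
        user.confirmed, user.pending_opt_in = True, None   # token is single use
        return True

    # Art. 15: everything held about the user, in a machine-readable form.
    def export(self, email: str) -> str:
        return json.dumps(asdict(self._users[email]), indent=2, sort_keys=True)

    # Art. 16: rectification of a user-editable field.
    def rectify(self, email: str, name: str) -> None:
        self._users[email].name = name

    # Art. 18: while restricted, the data may be stored but not used.
    def restrict_processing(self, email: str, restricted: bool = True) -> None:
        self._users[email].processing_restricted = restricted

    # Art. 21/22: objection to profiling and automated decisions.
    def object_to_profiling(self, email: str) -> None:
        self._users[email].objected_to_profiling = True

    # Single gate for every use of the data, so the flags are enforced in one place.
    def process(self, email: str, purpose: str) -> User:
        user = self._users[email]
        if user.processing_restricted:
            raise ProcessingRestricted(f"{email}: processing restricted (Art. 18)")
        if purpose == "profiling" and user.objected_to_profiling:
            raise ProcessingRestricted(f"{email}: objected to profiling (Art. 21)")
        if not any(c.purpose == purpose for c in user.consents):
            raise ProcessingRestricted(f"{email}: no recorded consent for {purpose!r}")
        return user

    def can_process(self, email: str, purpose: str) -> bool:
        try:
            self.process(email, purpose)
            return True
        except ProcessingRestricted:
            return False

    # Art. 17: erasure on request ...
    def erase(self, email: str) -> bool:
        return self._users.pop(email, None) is not None

    # ... and automatic deletion of sign-ups never confirmed within `days`;
    # `now_iso` lets a scheduler (or a test) supply the reference time.
    def purge_unconfirmed(self, days: int, now_iso: str | None = None) -> list[str]:
        now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
        cutoff = now - timedelta(days=days)
        stale = [e for e, u in self._users.items()
                 if not u.confirmed and datetime.fromisoformat(u.created_at) < cutoff]
        for e in stale:
            del self._users[e]
        return stale
```

A sign-up call returns the opt-in token, which a real service would e-mail rather than return; `purge_unconfirmed` is what a nightly job would call to give Article 17’s “automatic deletion” a concrete timeline. Note that a consent record only ever names the policy version the user saw, so when you publish a new Privacy Policy the old consents stay valid evidence for what was agreed at the time.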

#6 Create Records Of Processing Activities (RPA) & Maintain Them

With your RPA in place, you can trace each step of data collection and processing and handle Data Subject Requests from customers quite effectively.

#7 Ask Your Third-Party Vendors To Be Compliant

This covers basically every piece of software, service or tool that you are using. You need to ensure that you have Data Protection Agreements (DPAs) with all your vendors. As a Controller, you should only work with Vendors who can demonstrate the expert knowledge, reliability and resources to implement technical and organizational measures that meet the requirements of the GDPR.

#8 Organizational Initiatives

  • Educate your team about privacy and data protection
  • Physical access to your office should always be protected with keys
  • Laptops and other staff devices should be sufficiently protected to avoid leaks of customer data

#9 Sales & Marketing

  • Get consent in all your marketing activities including contact forms and record it
  • Inform customers about all the tools you use that affect them. These tools include Customer Relationship Management systems (CRM), analytics tools and any others that come into contact with your customers’ data
  • Always have an opt-out button

#10 Human Resources (HR)

Have different levels of access control for each member of staff. Not everybody should have access to all the systems and data you hold on your employees. Make sure this restriction is embedded in your legal requirements.
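One way to implement those “different levels” in code, as an added example that is not part of the original post: field-level, deny-by-default access control over employee records with an audit trail, so that a manager sees a colleague’s contact details but never their salary or sick leave, and every read and every refused write is logged. The roles, the field names and the sample record are constructed for illustration and are not drawn from any real HR system.

```python
# Added example (not from the original post): deny-by-default, field-level
# access control over employee records with an audit trail. Roles, fields and
# the sample record below are constructed for illustration.
from __future__ import annotations

# Which roles may read which fields. Any field not listed is invisible to everyone.
READ_ACCESS: dict[str, set[str]] = {
    "name":         {"hr", "manager", "payroll", "it_admin"},
    "email":        {"hr", "manager", "payroll", "it_admin"},
    "salary":       {"hr", "payroll"},
    "bank_account": {"payroll"},
    "sick_leave":   {"hr"},
}
# Write access is narrower than read access; again, unlisted means denied.
WRITE_ACCESS: dict[str, set[str]] = {
    "name": {"hr"}, "email": {"hr", "it_admin"},
    "salary": {"hr"}, "bank_account": {"payroll"},
}

# Constructed sample record (placeholder values, not real data).
SAMPLE_RECORDS = {
    "e-1001": {
        "name": "Bob Example", "email": "bob@example.com", "salary": 52000,
        "bank_account": "IBAN-PLACEHOLDER", "sick_leave": "2 days in March",
    }
}


class AccessDenied(PermissionError):
    pass


class EmployeeRecords:
    def __init__(self, records: dict[str, dict]) -> None:
        self._records = records
        # (role, action, employee, field): the evidence trail for your RPA.
        self.audit: list[tuple[str, str, str, str]] = []

    def view(self, role: str, employee: str) -> dict:
        """Return only the fields `role` may see; the others are simply absent."""
        visible = {}
        for name, value in self._records[employee].items():
            if role in READ_ACCESS.get(name, set()):
                visible[name] = value
                self.audit.append((role, "read", employee, name))
        return visible

    @staticmethod
    def can_update(role: str, field: str) -> bool:
        return role in WRITE_ACCESS.get(field, set())

    def update(self, role: str, employee: str, field: str, value) -> None:
        if not self.can_update(role, field):
            self.audit.append((role, "denied_write", employee, field))
            raise AccessDenied(f"role {role!r} may not change {field!r}")
        self._records[employee][field] = value
        self.audit.append((role, "write", employee, field))
```

The allow-lists are the whole policy: adding a new sensitive field to a record changes nothing for anyone until a role is explicitly granted access to it, which is the property you want when employee data grows over time.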

Keep this checklist handy while you are building your startup, and you can be a company of the future that is inherently careful with the data of its users, customers, and employees.
