GDPR for startups (based in Spain)


All the information regarding the new GDPR law is diffuse, complex, full of formalities and ambiguous. All this, together with the 25th May 2018 deadline and the large fines that accompany it, is generating a stir of uncertainty and relative panic in the entrepreneurial and startup ecosystem. While it’s true that we’ve had a lot of time to prepare, we all leave these kinds of things to the last minute. The lack of clarity in its definition has generated a “wait & see” situation until others, or larger companies, act.

This situation has led me to investigate on my own and ask several experts in the area. In this article I’ve tried to summarize the most important things that can affect startups by translating the formal language into practice. I hope it can at least help you reduce the uncertainty that this law is generating.

Note: I am not an expert on the subject or a lawyer. The law has many nuances and edges, and all the content presented here is based on learning, questions and reading; so please do not take everything at face value and in case of doubt, it is always better to consult a lawyer.

Don’t panic. If you comply with the current LOPD, or the data protection law of your country within the EU, you will simply have to take certain new nuances into account. Another fear is the famous sanction that could amount to up to 4% of the business volume of the previous year or 20 million euros, whichever of the two is higher. What is not clear is that the nuance of “20 million euros, whichever of the two is greater” is only applicable to public institutions, since otherwise it would not make sense depending on the company.

Geographic scope of the GDPR

The LOPD, or the data protection law that you have in your country, is still in force. The new GDPR law only applies to companies that offer products and services within the European Union and/or collect data from European citizens. There are certain edge cases here: for example, if you are a European company, you will not have to apply the GDPR law to users that you have outside of the EU.

New rights of the GDPR

In addition to the current rights of the LOPD of information, access, rectification, cancellation and opposition, the following new rights are added for the European citizen:

Forgetfulness – right to, for example, de-index personal data content by the source.

Portability – right to request the export of the user profile and settings in a readable format. For example, asking Spotify to export a file for us that includes our playlist structure.

Limitation – the right to choose which treatments can or cannot be applied. For example, I want to be able to use the service but I do not want commercial communications sent to me.

In addition, the response time to the execution of a right is reduced to one month.

New sensitive data of the GDPR

The data previously known as high-risk data (race, politics, religion, health, sexual orientation and convictions) will be called sensitive data, and the following will be added to it:

Biometrics – any biometric data that identifies the person (fingerprints, facial recognition, etc.).


Geolocation – understood as GPS data or any data that allows the individual to be located precisely.

New consents of the GDPR

Although this concept has always been controversial (for example, in the case of cookie consent when browsing web pages), the new GDPR law specifies consents as follows:

They cannot be tacit or given by default. That is, something like “if you do not respond in 30 days, we will assume that you accept the terms” is not allowed.

They must be unequivocal. They must be clear and cannot be misleading.

They must be explicit (the citizen must accept) when:

  • Sensitive data (defined above) will be processed.
  • Automated treatments or profiling will be carried out. This applies to Big Data companies or companies that perform sophisticated segmentation of their users based on behavior. For example, segmentation of a group of users who are from Germany, are between 20 and 25 years old, and have made 5 purchases in our database.
  • Data transfers will be made outside the European Union. For example, having our database in a hosting outside the EU, using cloud services whose servers are outside the EU, or even having a contract for a service with a company outside the EU that holds personal data from employees, customers or suppliers.

They will be implicit for the rest of the cases, as long as the consent results from an unequivocal action. For example, not accepting the cookie policy but continuing to browse.

New DPO role

The role of the new DPO (Data Privacy Officer) may be similar to that of Compliance and their responsibilities are to inform, advise and supervise everything related to data protection and legislation as well as being the point of contact. It can be someone from the staff or external, but it can never be someone who could pose a possible conflict of interest such as the CEO or Sole Administrator. To be a DPO it is not necessary to be a lawyer or possess any title, but sufficient basic legal and technical knowledge must be demonstrated to exercise the position.

What are the steps and how do I know if I need a DPO?

Step 1. Carry out a risk analysis using Facilita (AGPD tool). If it lets you move on, you’re in luck. As you follow the steps, the documents you need will be generated, with the measures you must take and how you have to adapt. Otherwise, you will need to carry out an impact evaluation for each treatment and you will also need a DPO.

Ultimately, you will need a DPO and an impact assessment if:

  1. You process sensitive data.
  2. You perform big data processing, profiling and behavioral-based segmentation.

Step 2. If you need a DPO, you have to carry out an impact assessment (EIPD – Data Protection Impact Assessment). Although the law allows companies to prepare such an assessment at their discretion, the AGPD has proposed a guide for its preparation with the following points:

  1. Analysis of the need. Describe the project and the affected business areas.
  2. Description and definition of the project. Describe the flow of personal data information (input, purpose, results, who / how, technologies, etc.)
  3. Analysis of possible risks. Information leakage, loss or theft of a computer, database, email passwords, etc.
  4. Risk minimization. How to mitigate the previously defined risks. Through a security document such as the LOPD; backup copies, who has access, frequency, encryption, lock offices, etc. Monitoring and audit controls.
  5. Analysis of regulatory compliance. Having done the above, make a legal statement about it.
  6. Summary and final report. List of identified risks and recommendations.
  7. Implementation. Define action plan, resources, times, etc.
  8. Review of the plan once implemented.

Step 3. Update the consents and terms and conditions as described above and the impact assessment. For each treatment in force, the person responsible, the purpose, the data retention period, legitimation, transfer to third parties, if any, and information on how to exercise the rights must be identified in clear and concise language. Said consents must be saved, must not be modifiable and must be demonstrable. That is, if a user accepts data processing, said consent must be explicitly saved with its date.

Some recommendations for the GDPR

  • If you already work with a lawyer in your startup, see if they can act as your DPO if you need one.
  • If you have a registration form, ask for explicit consent and point to clear terms and conditions, which define very well in understandable language the purpose of the data to be processed.
  • For each new record (user, client, etc.) that accepts your conditions, save said consent in the database in such a way that it cannot be modified by anyone from the company.
  • If you work with some type of AWS hosting, see if you can migrate the data to the servers in Ireland or other servers they have in Europe. It will save you a headache.
  • If you use Google Docs (or similar) and you store personal data of users, clients or employees in them, you have two options: i) remain the same and inform both the agency and those affected that their data is transferred outside the EU for that purpose; ii) remain the same but make sure that the documents you have in Google Docs (or similar) contain no personal data and everything is pseudo-anonymized. (I think Dropbox has servers in Europe).
  • Review all the agreements and service providers that you use and that may have personal data (insurance, medical examination, analytical tools, email-marketing tools, etc.) and ask them for an addendum to the contract or verification that they comply with GDPR.
  • I’ll be adding more as they come out. 
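
One way to meet the "saved, not modifiable, demonstrable" requirement for consents from Step 3 and the recommendation above, as an added example that is not part of the original article. The table, column and function names are hypothetical, and SQLite is used only so the sketch is self-contained.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: one row per consent decision, never edited afterwards.
SCHEMA = """
CREATE TABLE consent_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT, user_id TEXT NOT NULL,
    purpose TEXT NOT NULL,       -- the treatment the user was asked about
    terms_sha TEXT NOT NULL,     -- SHA-256 of the exact terms text shown
    granted INTEGER NOT NULL CHECK (granted IN (0, 1)),
    recorded_at TEXT NOT NULL,   -- UTC timestamp of the decision
    prev_hash TEXT NOT NULL, row_hash TEXT NOT NULL);  -- hash chain
CREATE TRIGGER consent_no_update BEFORE UPDATE ON consent_log
BEGIN SELECT RAISE(ABORT, 'consent_log is append-only'); END;
CREATE TRIGGER consent_no_delete BEFORE DELETE ON consent_log
BEGIN SELECT RAISE(ABORT, 'consent_log is append-only'); END;
"""
COLS = "user_id, purpose, terms_sha, granted, recorded_at, prev_hash, row_hash"
GENESIS = "0" * 64  # prev_hash of the very first row

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def _digest(prev_hash, fields):
    payload = json.dumps([prev_hash, *fields], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def record_consent(db, user_id, purpose, terms_text, granted, now=None):
    """Append one decision; a withdrawal is a new row, not an edit."""
    now = now or datetime.now(timezone.utc).isoformat()
    last = db.execute("SELECT row_hash FROM consent_log ORDER BY id DESC LIMIT 1").fetchone()
    prev_hash = last[0] if last else GENESIS
    fields = [user_id, purpose, hashlib.sha256(terms_text.encode()).hexdigest(), int(granted), now]
    row_hash = _digest(prev_hash, fields)
    db.execute(f"INSERT INTO consent_log ({COLS}) VALUES (?,?,?,?,?,?,?)", (*fields, prev_hash, row_hash))
    db.commit()
    return row_hash

def verify_chain(db):
    """True only if every stored row still matches the hash chain."""
    prev = GENESIS
    for *fields, prev_hash, row_hash in db.execute(f"SELECT {COLS} FROM consent_log ORDER BY id"):
        if prev_hash != prev or _digest(prev, fields) != row_hash:
            return False
        prev = row_hash
    return True
```

The triggers stop edits made through the application, but anyone with schema rights can drop them; the hash chain makes such a change detectable, provided the latest `row_hash` is also kept somewhere outside the database.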

I hope that this small guide on GDPR for startups has been of help to you and that you now see more clearly which measures to take in each case.
