All the information regarding the new GDPR law is scattered, complex, full of formalities and ambiguous. All this, together with the 25th May 2018 deadline, generates concern. The large fines also create uncertainty and relative panic in the startup ecosystem. While it’s true that we’ve had a lot of time to prepare, we all put these kinds of things off until the last minute. The lack of clarity in the definitions created a “wait & see” situation: many waited until others, or larger companies, acted first.
As a result, this situation led me to investigate on my own. I also asked several experts in the area. In this article, I summarize the most important things that can affect startups. I also adapt the formal language into practical terms. I hope it can help you at least to decrease the uncertainty that this law is generating.
Note: I am not an expert on the subject or a lawyer. The law has many nuances and edges. All content here comes from my own learning, questions, and reading. Therefore, please take the information as guidelines only.
Don’t panic. If you comply with the current LOPD, or the data protection law of your country within the EU, you will simply have to consider certain new nuances. Another fear involves the famous sanction. It could amount to up to 4% of the previous year’s business volume. Alternatively, the fine could reach 20 million euros, whichever is higher. However, the “20 million euros, whichever of the two is greater” clause is only applicable to public institutions, since otherwise it would not make sense for every company.
Geographic scope of the GDPR
The LOPD, or the data protection law that you have in your country, is still in force. The new GDPR law only applies to companies that offer products and services within the European Union and / or collect data from European citizens. There are some edge cases here. For example, if you are a European company, you will not have to apply the GDPR for users outside of the EU.
New rights of the GDPR
In addition to the current rights of the LOPD of information, access, rectification, cancellation and opposition, the following new rights are added for the European citizen:
- Right to be forgotten – the right to have, for example, personal data content de-indexed by the source.
- Portability – the right to request the export of the user profile and settings in a readable format. For example, asking Spotify to export a file which includes our playlist structure.
- Limitation – the right to choose which processing operations the company can or cannot apply. For example, a user might want to use the service but not receive commercial communications.
In addition, the GDPR reduces the response time for executing a right to one month.
New sensitive data of the GDPR
The data previously known as high-risk data (race, politics, religion, health, sexual orientation and convictions) will now be called sensitive data, and the following categories will be added to them:
- Biometrics – any biometric data that identifies the person (fingerprints, facial recognition, etc.).
- Genetic – any genetic data.
- Geolocation – understood as GPS data or any data that allows locating the individual precisely.
New consents of the GDPR
Although this concept has always been controversial (for example, cookie consent when browsing web pages), the new GDPR law specifies consent as follows:
It cannot be tacit or given by default. That is, something like “if you do not respond in 30 days, we will assume that you accept the terms” is not allowed.
It must be unequivocal: clear and not misleading.
It must be explicit (the citizen must actively accept) when:
- Sensitive data (defined above) will be processed.
- Automated processing or profiling will be carried out. This applies to Big Data companies or companies that perform sophisticated segmentation of their users based on behavior. For example, you might segment users from Germany between 20 and 25 years old who have made 5 purchases according to your database.
- The company will transfer data outside the European Union. For example, you might host your database outside the EU. Similarly, you might use cloud services with servers outside the EU. Even a service contract with a non-EU company counts if it involves personal data from employees, customers, or suppliers.
For all other cases, consent can be implicit as long as it results from an unequivocal action. For example, the user does not accept the cookie policy but continues browsing.
New DPO role
The role of the new DPO (Data Privacy Officer) may be similar to that of Compliance, and their responsibilities are to inform, advise and supervise everything related to data protection and legislation, as well as to act as the point of contact. It can be someone on the staff or an external hire. However, it can never be someone who could have a conflict of interest, such as the CEO or the Sole Administrator. To be a DPO you do not need to be a lawyer or hold any qualification, but sufficient basic legal and technical knowledge must be demonstrated to exercise the position.
What are the steps and how do I know if I need a DPO?
Step 1. Carry out a risk analysis using Facilita (the AGPD tool). If it lets you move on, you’re in luck. Following the steps, the tool will generate the documents you need, with the measures you must take and how you have to adapt them. Otherwise, you will need to carry out an impact assessment for each processing operation and, in addition, appoint a DPO.
Ultimately, you will need a DPO and an impact assessment if:
- You process sensitive data.
- You perform big data processing, profiling and behavioral-based segmentation.
Impact Assessment and Documentation
Step 2. If you need a DPO, you have to carry out an impact assessment (EIPD – Data Protection Impact Assessment). Although the law allows companies to prepare such an assessment at their discretion, the AGPD has proposed a guide for its preparation with the following points:
- Analysis of the need. Describe the project and the affected business areas.
- Description and definition of the project. Describe the flow of personal data (input, purpose, results, who / how, technologies, etc.).
- Analysis of possible risks. Information leakage, loss or theft of computers, database or email passwords, etc.
- Risk minimization. How to mitigate the previously defined risks, through a security document such as the one required by the LOPD: backup copies, who has access, frequency, encryption, locked offices, etc., plus monitoring and audit controls.
- Analysis of regulatory compliance. Having done the above, make a legal statement about it.
- Summary and final report. List of identified risks and recommendations.
- Implementation. Define the action plan, resources, timing, etc.
- Review of the plan once implemented.
Step 3. Update the consents and the terms and conditions as described above, together with the impact assessment. For each processing operation in force, the following must be identified in clear and concise language: the person responsible, the purpose, the data retention period, the legal basis, any transfer to third parties, and information on how to exercise the rights. Said consents must be saved, must not be modifiable and must be demonstrable. That is, if a user accepts data processing, that consent must be explicitly saved together with the date.
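One way to meet the “saved, not modifiable, demonstrable” requirement for consent is an append-only, hash-chained ledger: each consent (or withdrawal) is stored with a UTC timestamp, the version of the terms accepted and the hash of the previous entry, so any later edit to a stored record breaks the chain and is detected by a verification pass. The following is an added example, not code from the article; the subject ids, purposes and terms versions are constructed, and `ConsentLedger` is a hypothetical in-memory store standing in for a database table.

```python
"""Append-only, tamper-evident consent ledger (added example; constructed data)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str      # pseudonymous user id (assumption: not the e-mail itself)
    purpose: str         # e.g. "marketing_email", "profiling"
    terms_version: str   # which wording of the terms the user accepted
    granted: bool        # True = consent given, False = consent withdrawn
    recorded_at: str     # ISO 8601 UTC timestamp (the date you must demonstrate)
    prev_hash: str       # hash of the previous entry (chain link)
    entry_hash: str      # SHA-256 over this entry's fields, including prev_hash


def _digest(fields: dict) -> str:
    """Canonical JSON so the same fields always hash to the same value."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ConsentLedger:
    """Hypothetical store: records are only ever appended, never updated."""

    def __init__(self) -> None:
        self._entries: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, terms_version: str,
               granted: bool, now: Optional[datetime] = None) -> ConsentRecord:
        now = now or datetime.now(timezone.utc)
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        body = {
            "subject_id": subject_id,
            "purpose": purpose,
            "terms_version": terms_version,
            "granted": granted,
            "recorded_at": now.isoformat(),
            "prev_hash": prev,
        }
        entry = ConsentRecord(**body, entry_hash=_digest(body))
        self._entries.append(entry)
        return entry

    def current_state(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        """Latest decision for this subject/purpose wins; None = never recorded."""
        for entry in reversed(self._entries):
            if entry.subject_id == subject_id and entry.purpose == purpose:
                return entry
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        state = self.current_state(subject_id, purpose)
        return state is not None and state.granted

    def verify(self) -> bool:
        """Recompute every hash and chain link; False means something was altered."""
        prev = GENESIS
        for entry in self._entries:
            body = asdict(entry)
            expected = body.pop("entry_hash")
            if body["prev_hash"] != prev or _digest(body) != expected:
                return False
            prev = expected
        return True

    def entries(self) -> List[ConsentRecord]:
        return list(self._entries)


def tamper_demo() -> Tuple[bool, bool]:
    """Constructed scenario: a user grants and then withdraws marketing consent;
    someone later rewrites the withdrawal as 'granted' while keeping the old hash.
    Returns (verify before tampering, verify after tampering)."""
    ledger = ConsentLedger()
    ledger.record("u-123", "marketing_email", "tc-2018-05", True)
    ledger.record("u-123", "marketing_email", "tc-2018-05", False)
    intact = ledger.verify()
    forged = replace(ledger._entries[1], granted=True)  # simulates a direct DB edit
    ledger._entries[1] = forged
    return intact, ledger.verify()
```

In a real deployment the same chain check runs as a scheduled audit over the consent table, and the table's database role has INSERT but no UPDATE or DELETE rights, so that nobody in the company can silently change what a user accepted.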
Some recommendations for the GDPR
- If you already work with a lawyer in your Startup, see if they can act as your DPO if you need one.
- If you have a registration form, ask for explicit consent and point to clear terms and conditions, which define, in understandable language, the purpose of the data to be processed.
- For each new record (user, client, etc.) that accepts your conditions, save that consent in the database in such a way that nobody in the company can modify it.
- If you use some type of AWS hosting, see if you can migrate the data to their servers in Ireland or elsewhere in Europe. It will save you a headache.
- If you use Google Docs (or similar), and in them you store personal data of users, clients or employees, you have two options: i) remain as you are and inform both the agency and those affected that their data is transferred outside the EU for that purpose; ii) remain as you are but make sure that the documents you keep in Google Docs (or similar) contain no personal data and everything is pseudonymized. (I think Dropbox has servers in Europe).
- Review all the agreements and service providers that you use and that may hold personal data (insurance, medical examinations, analytics tools, email-marketing tools, etc.) and ask them for an addendum to the contract or verification that they comply with the GDPR.
- I’ll be adding more as they come out.
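For the Google Docs recommendation above (option ii, keeping only pseudonymized data in documents hosted outside the EU), the following added example shows one way to split a customer list before sharing it: direct identifiers are replaced by a keyed HMAC token, the exportable rows go to the cloud document, and a lookup table from token back to identifiers stays in-house. This is not code from the article; the key, the sample customers and the column names are constructed for the example, and in practice the key would come from a secrets store rather than a constant.

```python
"""Pseudonymising a customer export before it goes into a shared cloud document.
Added example; the key and the sample rows are constructed."""
import csv
import hashlib
import hmac
import io
from typing import Dict, List, Tuple

# Columns that directly identify a person and must not leave the company in clear.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

# Constructed key for the example only; load it from a secrets store in practice.
DEMO_KEY = b"replace-me-with-a-32-byte-random-secret"

# Constructed sample input: the kind of sheet a small startup might keep.
SAMPLE_CUSTOMERS: List[Dict[str, str]] = [
    {"name": "Ana García", "email": "Ana@Example.com", "phone": "+34 600 000 001",
     "country": "ES", "plan": "pro", "purchases": "5"},
    {"name": "Ben Müller", "email": "ben@example.org", "phone": "+49 151 000 0002",
     "country": "DE", "plan": "free", "purchases": "0"},
]


def subject_token(key: bytes, email: str) -> str:
    """Keyed one-way token for a person. An HMAC rather than a bare hash, so that
    whoever holds the export cannot confirm a guessed e-mail by hashing it
    themselves. Case and whitespace are normalised so the same person always
    maps to the same token and rows can still be joined in the export."""
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymise(key: bytes, rows: List[Dict[str, str]]
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split each row into an exportable row (identifiers replaced by a token)
    and a lookup entry token -> identifiers that stays in-house."""
    exported: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for row in rows:
        token = subject_token(key, row["email"])
        lookup[token] = {col: row[col] for col in DIRECT_IDENTIFIERS}
        rest = {col: val for col, val in row.items() if col not in DIRECT_IDENTIFIERS}
        exported.append({"subject": token, **rest})
    return exported, lookup


def reidentify(lookup: Dict[str, Dict[str, str]],
               exported_row: Dict[str, str]) -> Dict[str, str]:
    """Re-join an exported row with its identifiers; needs the in-house lookup."""
    rest = {col: val for col, val in exported_row.items() if col != "subject"}
    return {**lookup[exported_row["subject"]], **rest}


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise the exportable rows, e.g. for upload to a shared sheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def leaks_identifiers(csv_text: str, original_rows: List[Dict[str, str]]) -> bool:
    """Pre-upload check: True if any original identifier appears verbatim."""
    return any(row[col] in csv_text
               for row in original_rows for col in DIRECT_IDENTIFIERS)
```

Note that the pseudonymized export is still personal data as long as the lookup table (or the key) exists, so the lookup must be kept on EU infrastructure with restricted access; deleting the lookup entry for a subject is also a simple way to honour an erasure request without touching copies of the export.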
I hope that this small guide on the GDPR for startups has been of help to you and that you now see more clearly what measures to take in each case.
