Taxes for Startups Taxes. Not the most fun topic to discuss, but it is important…
GDPR Compliance for Startups
When the General Data Protection Regulation (GDPR) went into effect last year, Google and Facebook were fined a collective $8.8 billion for not being compliant. (1 ) Other companies, including newspapers, chose to opt out and were blocked in Europe. But what about GDPR for startups? Is it relevant?
The quick answer is yes.
Without GDPR compliance for startups, you likely cannot afford the hefty fines or the lost business opportunity. And you just may find that complying with GDPR startup regulations, meant to protect users, actually increases trust and loyalty among your customers.
GDPR compliance is meant to protect the personal data and privacy of European Union (EU) citizens. That means if you have, or plan to have, users or customers in any of the 28 EU countries, then you must comply with this EU-wide regulation. The GDPR replaces the 1995 Data Protection Directive. A directive can be molded by each individual country in the EU, whereas a regulation such as GDPR is applied identically across all EU members.
Technically, the regulation only applies to companies with 250+ employees. As a small company, you might think that working towards GDPR compliance for startups is not worth your time. However, there is a clause that states if the data-processing impacts the rights and freedoms of its data subjects (users and customers), it doesn’t matter how many employees the company has. In short, every company needs to follow GDPR (startups included) just in case.
Types of Data Protected
GDPR compliance for startups requires that companies be clear on their use of customer data and the justification(s) for using said data. The following types of personal data (2) are protected:
- Personally identifiable information like names, addresses, birth dates, social security numbers, etc.
- Online data such as locations, IP addresses, cookies, and RFID tags
- Health and genetic data
- Biometric data
- Racial and ethnic data
- Political affiliations and opinions
- Sexual orientation
Key Components of the GDPR
With many companies deploying massive resources to meet the GDPR requirements and the fact that it’s nearly 100 pages long, you may think it’s an overly complicated regulation. For established entities, the true challenge comes from the major changes to existing processes and practices. But when it comes to GDPR compliance for startups, smaller companies have an advantage because they can institute a compliant process right from the start – which turns out is the only way to do it (see bullet six below). Here’s a brief GDPR guide for startups who want to be compliant:
- Consent – Individuals must give you permission to possess and use their personal data. It must be as easy to withdraw that consent as it is to give it.
- Right to access – An electronic copy of an individual’s personal data (and how it’s being used) must be provided upon request and free of charge.
- Right to erasure (aka right to be forgotten) – Failure to justify the continued processing of personal data gives individuals the legal right to have it deleted.
- Data portability – Upon an individual’s request, you must transmit their personal data to another company on their behalf.
- Breach notification – Within 72 hours of a data breach, any affected individuals must be notified.
- Privacy by design – Companies must adhere to data minimalization (any personal data requested must be absolutely necessary and relevant to the product or service delivered), as well as limit access to that data. Protections must be built into the design of systems, not added later. (Hence, the high cost to become compliant for many large corporations.)
- Data Protection Officers – Certain large-scale data processing companies must hire an independent Data Protection Officer. This likely won’t affect your startup yet, and it may never be necessary for your business.
New in 2019
The biggest changes implemented for 2019 center around enforcement. The EU has expanded the territorial scope of the regulation and will become more uniform in how it is applied. As more precedents are set, standards will naturally fall in place. Companies who may have only received a warning in 2018 (or did receive one) can be subject to actual fines in 2019.
GDPR enforcement and penalties use a tiered approach based on company size and severity of the infraction. The maximum fine is, “4% of annual global turnover or €20 million (whichever is greater).” Note that “turnover” means revenue, not profit – so this can affect every dollar earned anywhere in the world, not just those earned in Europe and not just those that flow through to the bottom line. Penalties can be applied to both data controllers and processors. This is another reason why it makes good business sense for startups to ensure they are GDPR compliant, even if they don’t have users or customers in Europe yet.
Looking to the future, we can expect more regulation. The U.S. still seems to be behind Europe in valuing data privacy. However, California and Vermont both have state-level legislation pending that would help protect their citizens’ personal data. Compliance may at first feel complicated and demanding of a lot of time and resources. On the bright side, if your users and customers feel like their information is safe, they will be more likely to trust and try new products like the one you’re building.
Cyber Security and Data Privacy 101 for Early Stage Founders