When the General Data Protection Regulation (GDPR) went into effect last year, Google and Facebook were fined a collective $8.8 billion for not being compliant.1 Other companies, including newspapers, chose to opt out and were blocked in Europe. Your startup likely cannot afford the hefty fines or the lost business opportunity of not being in compliance. And you just may find that the regulations, meant to protect users, increase trust and loyalty among your customers.
The GDPR’s purpose is to protect the personal data and privacy of European Union (EU) citizens. That means if you have, or plan to have, users or customers in any of the 28 EU countries, then you must be in compliance with this EU-wide regulation. The GDPR replaces the 1995 Data Protection Directive. A directive can be molded by each individual country in the EU, whereas a regulation such as GDPR is applied identically across all EU members.
Technically, the regulation only applies to companies with 250+ employees. However, there is a clause that states if the data-processing impacts the rights and freedoms of its data subjects (users and customers), it doesn’t matter how many employees the company has. In short, every company needs to be GDPR compliant just in case.
Types of Data Protected
The GDPR requires that companies be clear on their use of data and the justification(s) for using said data. The following types of personal data2 are protected:
- Personally identifiable information like names, addresses, birth dates, social security numbers, etc.
- Online data such as locations, IP addresses, cookies, and RFID tags
- Health and genetic data
- Biometric data
- Racial and ethnic data
- Political affiliations and opinions
- Sexual orientation
Key Components of the GDPR
With many companies deploying massive resources to meet the GDPR requirements and the fact that it’s nearly 100 pages long, you may think it’s an overly complicated regulation. For established entities, the true challenge comes from the major changes to existing processes and practices. As an early–stage founder, you have an advantage because you can start out on the right foot – which turns out is the only way to do it (see bullet six below). The key components of the GDPR3 include:
- Consent – Individuals must give you permission to possess and use their personal data. It must be as easy to withdraw that consent as it is to give it.
- Right to access – An electronic copy of an individual’s personal data (and how it’s being used) must be provided upon request and free of charge.
- Right to erasure (aka right to be forgotten) – Failure to justify the continued processing of personal data gives individuals the right to have it deleted.
- Data portability – Upon an individual’s request, you must transmit their personal data to another company on their behalf.
- Breach notification – Within 72 hours of a data breach any affected individuals must be notified.
- Privacy by design – Companies must adhere to data minimalization (any personal data requested must be absolutely necessary), as well as limit access to that data. Protections must be built into the design of systems, not added later. (Hence, the high cost to become compliant for many large corporations.)
- Data Protection Officers – Certain large-scale data processing companies must hire an independent Data Protection Officer. This likely won’t affect your startup yet and it may never.
New in 2019
The biggest changes implemented for 2019 center around enforcement. The EU has expanded the territorial scope of the regulation and will become more uniform in how it is applied. As more precedents are set, standards will naturally fall in place. Companies who may have only received a warning in 2018 (or did receive one) can expect to face actual fines in 2019.
GDPR enforcement and penalties use a tiered approach based on company size and severity of the infraction. The maximum fine is, “4% of annual global turnover or €20 million (whichever is greater).” Note that “turnover” means revenue, not profit – so this can affect every dollar earned anywhere in the world, not just those earned in Europe and not just those that flow through to the bottom line. Penalties can be applied to both data controllers and processors. This is another reason why it makes good business sense to ensure you are GDPR compliant, even if you don’t have users or customers in Europe yet.
Looking to the future, we can expect more regulation. The U.S. still seems to be behind Europe in valuing data privacy, however California and Vermont both have state-level legislation pending that would help protect their citizens’ personal data. Compliance may at first feel complicated and demanding of a lot of resources. On the bright side, if your users and customers feel like their information is safe, they will be more likely to trust and try new products like the one you’re building.
The EU General Data Protection Regulation (GDPR) Website
Cyber Security and Data Privacy 101 for Early Stage Founders