The Startup’s guide to securely handling data amidst GDPR and other privacy regulations

Sophie Ross

17 December 2018 at 1:22 am

The Startup’s guide to securely handling data amidst GDPR and other privacy regulations

Even if you do not operate from within the EU, as long as you have customers or clients who are citizens, you need to be compliant

Six months into implementation, the data privacy law set by the European Union has virtually set the cat among the pigeons.

General Data Protection Regulation, or more popularly known by the acronym GDPR, is a comprehensive piece of consumer protection legislation that was passed and finally implemented in May. As a result of the new law, many top companies, which used to take such regulations in their stride historically, have realized they have no room for error.

The two major reasons for this is that as mentioned, the law intends to cover almost every aspect of data privacy—who collects the data, how it is stored and maintained, and other contributing factors. If the rules are not followed, the fines and penalties are really severe.

If you are running any business even remotely connected to E.U. member countries, and if you own online resources that have anything to do with personal data, then you must know GDPR and its implications.

But lest you get concerned by the hype over this law, it should be clarified that once you understand the tenets of the law and follow them, you should stay clear of any penal action.

Here are some tips you may find useful.

Some Basic Factors in GDPR Explained

The moment you have made a decision to start a business in Europe or operate overseas, you may have several questions with regard to GDPR and whether it applies to your business at all.

Some of them are covered here:

Applicability

On the question of applicability, GDPR does not allow any exemptions. Whether it is an individual or an organization, including startups, small, medium and big companies, everyone will fall within the ambit of GDPR. This is as long as you “process” or “control” personal data.

The law protects consumers within the E.U.’s 28 member countries. Companies that are based both in and outside of these countries must follow the law as long as they handle the data of E.U.-based consumers.

What Is Personal Data?

GDPR defines personal data to include names, addresses, identification details such as ID card numbers and even IP addresses if this information is captured within your website. It’s quite simple—if you have a page on your site that asks the visitors to divulge their name and other personal information so that you may establish contact with them later for any purpose, you would be very much covered under GDPR.

There are separate provisions for what is termed “sensitive data.” This can include a person’s profiling details, such as their ethnicity or political leanings or sexual orientation.

Similarly, any data pertaining to children will be classified as sensitive data and there will be a need for a parental consent to be obtained before capturing such personal data of children.

How are ‘Process’ and ‘Control’ Explained?

Processing of data encompasses virtually all such things that are done to data, including collecting information as described above, using it for any purpose and even deleting personal data. All of these actions constitute “processing” of personal data.

Companies holding payroll information of their employees too are a part of this definition, and the very same guidelines will apply with regard to protecting information.

On the aspect of controlling, GDPR introduces the concept of a “data controller.” This is done with the express purpose of fixing accountability for the actions within any organization as far as the use of data is concerned. If you hold the authority within your setup to decide what is to be done with the personal data collected by your organization, then you are a “data controller” and it’s your primary responsibility to comply with GDPR.

There are details spelled out on how exactly the processing of data is done at the end of the organization holding and processing the data. These entail transparent policies, letting the customers know the purpose for which their data is being processed and where legally bound, obtain their clear consent before the process is carried out.

Also read: In a world of GDPR, mass surveillance, and overactive social sharing, businesses need to rethink data strategy

Lawful Processing of Data

GDPR lays down that if you are in possession of personal data of your customers, you can use that data for legitimate ends as long as you follow the procedures laid down for that.

A whole lot of transparency is insisted upon for this exercise. You will have to take into confidence the person or persons whose data you intend to “process.” This will require you to let them know why you wish to use their personal data and with whom you would be sharing it.

You need to not only receive the explicit consent of those whose data intend to process but leave it open to them to withdraw this consent at any point in time. You would have to include the time duration your data will be sent out of your data servers. As expressed in the beginning, the framers of GDPR have spared no effort at making this legislation a thorough one, leaving very few, if any, loose ends.

The Penalty for Non-Compliance

As widely publicized, the fines imposed under GDPR for non-compliance is established through the due process of a data breach. An investigation will ensue to determine the extent of the damage.

The fine for non-compliance is 4 percent of the worldwide turnover of the defaulter organization or €20 million, whichever is higher.

Some General Suggestions

It is generally assumed that no organization would want to misuse personal data in its possession and invite penalty under GDPR. But the nature of electronic data storage is such that your storage systems could come under attack and the data stolen. Under GDPR, you are held responsible for such loss of data as well.

Therefore, companies have taken measures to make sure the data protection and malware detection steps are adequately taken even before any data is collected in the first place. If you have doubts or if you feel safer getting a second opinion, there are experts who can offer a data protection impact assessment (DPIA).

Also read: Is your business illegally hoarding user data? How do you deal with this affliction?

If you’re not based in Europe, your startup may need the help of such outside experts before you embark on expanding your business to E.U. countries.

Data privacy and data security are high priority areas and if your business is in Europe, awareness about GDPR and how to ensure compliance under it is essential.

—-

e27 publishes relevant guest contributions from the community. Share your honest opinions and expert knowledge by submitting your content here.

Photo by Florian Pérennès on Unsplash

The post The Startup’s guide to securely handling data amidst GDPR and other privacy regulations appeared first on e27.

The Telegraph
Beauty queen shot dead after octopus ceviche order led killers to restaurant
An Ecuadorian beauty queen was assassinated after her Instagram post of a plate of octopus ceviche led gunmen to the restaurant where she was dining.
INSIDER
A NATO country says it could join Ukraine's war with Russia if 2 conditions are met
French President Emmanuel Macron said France could send troops if requested by Ukraine in response to a Russian breakthrough.
The Independent
Second Boeing whistleblower dies after raising concerns about 737 MAX
Joshua Dean, 45, died on Tuesday after two weeks in critical condition
CNN
China’s Shaolin monks are known for their incredible acrobatics. This photographer captured them in action
The photographer reflects on how he took the memorable shot back in 2004, in one of the martial arts academies that had sprung up near the Shaolin Temple.
The Telegraph
The trickle of companies leaving China is becoming a flood
In the context of a sprawling global leviathan that has just posted profits of $7.7bn (£6.1bn) in the last three months alone, Shell’s decision to close a small power generation unit in China amounts to little more than a rounding error on its books.
The Guardian
‘A disgrace’: Ratcliffe reads riot act after visiting Manchester United facilities
Manchester United’s chief of football operations has railed at a ‘high degree of untidiness’ in the club’s offices and dressing rooms
People
Rumer Willis Praises Mom Demi Moore's 'Bangin'' Bikini Body
"If my genetics are at least half that good, I'm solid," said Willis of her mother's "bangin'" body
People
Heartbreaking Story Behind Dad Who Added Daughter's Necklace to Headstone After His 3 Kids Were Killed (Exclusive)
Ray Simmons dedicates himself to maintaining the resting place of his son Christopher, 16, and daughters Kamryn, 15, and Lindy, 20
Evening Standard
Jurgen Klopp addresses Mohamed Salah's Liverpool future ahead of exit
Forward has been linked with move to Saudi Arabia
SETHLUI.COM
Northern Thai: Delicious ‘creamy’ tom yum by Thai superwoman worth the queue
The post Northern Thai: Delicious ‘creamy’ tom yum by Thai superwoman worth the queue appeared first on SETHLUI.com.
BuzzFeed
Spine-Chilling Stories: Nurses Recall Ghostly Encounters And Supernatural Experiences While On Duty
Hospitals...where the supernatural becomes super natural.
The Independent
Marvel boss warned Hugh Jackman not to return as Wolverine in Deadpool 3
Actor is reprising the role for the 10th time opposite Ryan Reynolds
Cosmo
EmRata's plunging gold gown is best described as melted butter
Emily Ratajkowski attended the 2024 The King's Trust Global Gala wearing a gold satin backless dress with a plunging neckline best described as melted butter.
The Independent
Heartbreaking video shows abandoned puppy chasing owners’ car after being dumped
Bear, a German Shepherd mix puppy is now being looked after at a Fresno rescue awaiting adoption
Twentytwo13
US$1.7b in Indonesia, Azure data centre in Thailand, US$2.2b in Malaysia: All eyes on spillover effect as Microsoft goes big in SEA
Microsoft's series of investments in Indonesia, Thailand, and Malaysia are not surprising, as the tech giant had earlier announced a US$10 billion investment in AI abroad. All eyes are now on the upskilling of the local workforce and the creation of economic opportunities for governments, businesses, and communities in the region. The post US$1.7b in Indonesia, Azure data centre in Thailand, US$2.2b in Malaysia: All eyes on spillover effect as Microsoft goes big in SEA appeared first on Twentytw
INSIDER
China has a lot more missiles — with US warships and bases in its sights
China has transformed its missile stockpiles and capabilities, shaping what war would look like in the Pacific, US military leaders and experts said.
SETHLUI.COM
Char Siew Yoong: Pudu’s legendary buttery, melt-in-the mouth char siew continues to reign supreme
The post Char Siew Yoong: Pudu’s legendary buttery, melt-in-the mouth char siew continues to reign supreme appeared first on SETHLUI.com.
The Telegraph
Apple suffers $91bn hit to sales as Chinese shoppers ditch iPhones
Apple has suffered its biggest drop in iPhone sales for more than three years as Chinese shoppers turn away from the company and embrace domestic rivals such as Huawei.
SETHLUI.COM
Good Gai: Singapore’s first Thai fried chicken specialty store within Aperia Mall with 2 kinds of crispy chicken
The post Good Gai: Singapore’s first Thai fried chicken specialty store within Aperia Mall with 2 kinds of crispy chicken appeared first on SETHLUI.com.
Evening Standard
Liverpool: Jurgen Klopp takes aim at TNT Sports after resolving Mohamed Salah feud
The pair have settled their differences as the manager faces doubts over captain Virgil van Dijk’s fitness