04 October 2021

GDPR Essentials for Early-Stage Entrepreneurs


Working on the Santander X Global Challenge Helping Businesses Prosper, the Oxentia Foundation and Banco Santander had the pleasure of naming Privasee the winner of the startup category of the competition. By automating and digitalising GDPR compliance, Privasee has set out to change how businesses operate, helping entrepreneurs focus on growth without letting compliance hold them back.

We are delighted to host this article written by Privasee. It offers basic GDPR guidelines for innovators starting out in business, and we hope it inspires more entrepreneurs to see challenges as market opportunities.

GDPR Essentials for Early-Stage Entrepreneurs: 7 steps to getting GDPR right

As an early-stage entrepreneur, it is important to grasp how the GDPR applies to you. By embedding data protection into your business from the outset, you can put much of your compliance on autopilot and make things a lot easier down the road.

This article outlines the key factors to consider in becoming compliant in the early stages of your business.

1. Identify your roles and responsibilities

From the outset, it is important to determine whether your business is a data controller or a data processor, as each role carries its own requirements.

Data controllers have the most stringent compliance requirements because they decide what data gets collected and what it is used for. With great power comes great responsibility.

Data controllers in the UK are, among other things, also expected to pay a data protection fee to the regulator (the ICO), subject to exemptions and reduced fee tiers for some organisations.

Data processors, on the other hand, have less stringent requirements because they act only on the instructions of the data controller and have no purpose of their own for processing the data. A good example is an application like Typeform: it processes the personal data in survey responses, but it is the user of the application who decides what to ask and what the answers are used for.

As such, processors do not have the same obligations as controllers and do not need to pay a data protection fee. However, they are still accountable and have direct obligations to both data subjects and data controllers, including keeping the data secure and processing it only as instructed.

2. Determine your lawful bases for processing

Next, every processing of personal data must rest on a lawful basis under Article 6 of the UK GDPR; without one you cannot process personal data at all. In practice this means you need one of the following legal grounds for each use of someone's personal data:

  1. Consent
  2. Performance of a contract (for example, processing an employee's bank details to pay them)
  3. Legal obligation
  4. Protection of vital interests
  5. To perform a task in the public interest
  6. Legitimate interests

It is important that you identify the right one from the list at the outset, because you should not expect to swap it later, especially if you relied on consent: processing that individuals consented to cannot simply be moved to another basis once they withdraw that consent. Your lawful basis must also be stated in your privacy policy, and you must be able to name a lawful basis for every type of personal data you process.

For example, the collection of email addresses for a newsletter can be recorded under consent if data subjects have actively agreed to your use of their email address for that specific purpose.

Having a lawful basis is a legal requirement. On top of that, a clear breakdown of the lawful basis behind each kind of data your organisation collects helps you answer user queries quickly and makes you more trustworthy to customers and regulators.

3. Map your data

Data mapping is when your organisation takes stock of all the personal data it holds and connects each item to the individuals it relates to. Essentially, it is an inventory of all the personal data you have: where it is held, what it is used for, under which lawful basis it was collected and how long you are allowed to keep it.

If your organisation processes sensitive categories of personal data, you may also need further safeguards. The following data types are known as special categories of data and are governed by Article 9 of the UK GDPR:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, and biometric data processed solely to identify an individual;
  • health-related data; or
  • data concerning a person’s sex life or sexual orientation.

Processing such data is prohibited unless, in addition to an Article 6 lawful basis, one of the specific conditions in Article 9 applies. If special-category data is processed on a large scale, a Data Protection Impact Assessment (DPIA) is likely to be required and a Data Protection Officer (DPO) may need to be appointed.

Data mapping helps you demonstrate your compliance to regulators like the ICO. It also reduces the time and money spent on responding to user requests such as Data Subject Access Requests (DSARs), covered below. Ultimately, the data you hold is valuable both to your organisation and to the individuals it concerns, so it is only natural that you know exactly where your most valuable possession is.

“There are known knowns; but there are also unknown unknowns. And it is the latter category that tends to be the difficult one” 

– United States Secretary of Defense Donald Rumsfeld

The benefit of mapping your data is clear, and tools such as the Privasee platform can help you produce the required documents, such as a record of your processing activities, and cut the time taken to answer any data-related query, giving you the reassurance that you have full control over all the personal data you hold.

4. Produce a good Privacy Policy

A privacy policy is where your company demonstrates its values to users and is transparent about how it handles their personal data. It not only conveys credibility to stakeholders but also supports your brand image, saves your users' time, and protects the business from a hefty fine from the ICO.

Generally, a good privacy policy should contain:

– Business contact details
– The types of personal information collected
– How personal information is collected and why (referring to the lawful bases for processing personal information)
– How personal information is stored (for example, via cloud computing or third-party data processors)
– Data subjects' rights:
  • Right of access – the right to ask for copies of their personal information
  • Right to rectification – the right to ask the business to rectify inaccurate or incomplete personal information
  • Right to erasure – the right to ask the business to erase their personal information, in certain circumstances
  • Right to restriction of processing – the right to have the business restrict its processing of their personal data, in certain circumstances
  • Right to object to processing – the right to object to the processing of their personal information, in certain circumstances
  • Right to data portability – the right to have the personal data held by the business transferred to another organisation or to the data subject, in certain circumstances
– How to complain:
  • The business contact for data queries
  • The ICO's contact details

It is also your responsibility to keep the above information (contact details and so on) up to date in order to remain compliant. If your contact details change and you forget to update the policy, for example, you may miss a user's access request and get in trouble with the regulator.

Tools like Privasee's integrated privacy policy creator can automate this. It connects to the data maps stored on the platform and generates a privacy policy from the data you hold. Each time something changes in your data maps, the privacy policy is updated with it, reducing the risk of an ICO fine and saving organisations like yours the cost and time of constantly checking the privacy policy by hand.

5. Answer Data Subject Access Requests promptly 

Data subjects have the right to ask your business what personal data you hold about them, how you are using it and to receive a copy of it. Such a request is known as a Data Subject Access Request (DSAR); requests to erase or amend data are separate rights, but they arrive in the same way and are handled on the same timescale. An individual can make a DSAR verbally or in writing, including on social media, and it counts as a request as soon as they ask about their personal data: no special wording is required.

Your organisation must respond to a DSAR without undue delay and at the latest within one month of receiving it. If the request is complex, or you have received several from the same person, you can extend this by a further two months (three months in total), but you must tell the individual within the first month and explain why. That is why it is crucial to have done thorough data mapping beforehand: you must be able to find and hand over everything the individual is entitled to within the time frame. And remember, no two DSARs are the same, so each must be treated individually.
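The data-mapping step above and the DSAR deadlines in this section are easy to get wrong by hand, so here is a small worked example. It is added for this page and is not Privasee's product or any ICO tool: a minimal record of processing activities as a list of records, a checker that flags entries with no Article 6 basis, no retention period, or special-category data without an Article 9 condition, a lookup of which systems to search when a given type of data subject sends a DSAR, and calendar-month deadline arithmetic (one month, or three months if the two-month extension is used). The record fields, the basis and category labels, and the sample data map are all constructed for illustration.

```python
# Added example: a minimal record-of-processing-activities (data map) checker.
# Not Privasee's code; all records below are constructed sample data.
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Article 6 lawful bases and Article 9 special categories, as listed in this article.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}
SPECIAL_CATEGORIES = {
    "racial_or_ethnic_origin", "political_opinions", "religious_or_philosophical_beliefs",
    "trade_union_membership", "genetic", "biometric_identification",
    "health", "sex_life_or_sexual_orientation",
}


@dataclass(frozen=True)
class Record:
    """One row of the data map: one category of personal data for one purpose."""
    name: str                         # e.g. "newsletter email address"
    subjects: str                     # who it is about, e.g. "customer", "employee"
    location: str                     # system (and region) that holds it
    purpose: str
    lawful_basis: Optional[str]       # Article 6 basis, one of LAWFUL_BASES
    retention_days: Optional[int]     # how long it may be kept after collection
    special_category: Optional[str] = None   # Article 9 type, if any
    art9_condition: Optional[str] = None     # Article 9(2) condition relied on


def _to_date(d) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def check_record(r: Record) -> list:
    """Return the compliance gaps found in one record (empty list = none)."""
    issues = []
    if r.lawful_basis not in LAWFUL_BASES:
        issues.append(f"{r.name}: no recognised Article 6 lawful basis ({r.lawful_basis!r})")
    if r.retention_days is None:
        issues.append(f"{r.name}: no retention period defined")
    if r.special_category is not None:
        if r.special_category not in SPECIAL_CATEGORIES:
            issues.append(f"{r.name}: unknown special category {r.special_category!r}")
        if not r.art9_condition:
            issues.append(f"{r.name}: special-category data with no Article 9 condition")
    return issues


def check_map(records) -> list:
    """Run check_record over the whole data map."""
    return [issue for r in records for issue in check_record(r)]


def retention_expired(r: Record, collected_on, today) -> bool:
    """True when the data has been kept longer than its retention period."""
    if r.retention_days is None:
        return False  # missing period is reported by check_record instead
    return (_to_date(today) - _to_date(collected_on)).days > r.retention_days


def dsar_locations(records, subjects: str) -> list:
    """Systems to search when a data subject of this type sends a DSAR."""
    return sorted({r.location for r in records if r.subjects == subjects})


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to the last day of the target month
    (31 January + 1 month -> 28 or 29 February), matching how the one-month
    response period is counted."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def dsar_deadline(received, extended: bool = False) -> date:
    """Response deadline: one month from receipt, or three months in total when
    the two-month extension for complex or numerous requests is used."""
    return add_months(_to_date(received), 3 if extended else 1)


# Constructed sample data map for a small SaaS business.
SAMPLE_MAP = [
    Record("newsletter email address", "customer", "mailing tool (EU region)",
           "marketing newsletter", "consent", 730),
    Record("payroll bank details", "employee", "payroll SaaS (UK)",
           "paying salaries", "contract", 2190),
    Record("sickness absence notes", "employee", "HR shared drive",
           "absence management", "legal_obligation", None, special_category="health"),
    Record("survey free-text answers", "customer", "form tool (US region)",
           "market research", None, 365),
]

if __name__ == "__main__":
    for issue in check_map(SAMPLE_MAP):
        print("ISSUE:", issue)
    print("DSAR from a customer: search", dsar_locations(SAMPLE_MAP, "customer"))
    print("Deadline for a DSAR received on 2022-01-31:", dsar_deadline("2022-01-31"))
```

On the sample map the checker reports three gaps: the survey answers have no lawful basis, and the sickness notes have neither a retention period nor an Article 9 condition. The location lookup is the payoff of data mapping for DSARs: when a customer writes in, the map tells you immediately which systems (and which regions) to search rather than guessing.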

6. Follow the Data Minimisation rule 

Data minimisation is the principle that your organisation collects and stores only the personal data that is adequate, relevant and necessary for your purposes: no more than you need. For example, if your organisation is conducting market research, you can apply data minimisation by asking only specific, necessary questions in the online forms and surveys you use. This stops data subjects from giving you more personal information than you need, which helps your business engage better with potential leads and keeps you from accumulating large volumes of personal data. Collecting less personal data also shortens data mapping and limits the impact of any data breach.

7. Choosing a third-party application (if you are a data controller)

If your organisation is looking for third-party tools, it is worth picking those with privacy-by-design features built in. In practice this means, for example, mailing-list or online-form tools with a double opt-in function for email marketing, which helps your business demonstrate consent. While double opt-in is not compulsory, it is a way to build trust with your customers and to avoid processing personal data without a valid basis.

There are also GDPR-specific challenges when businesses move their processing to cloud services. A Netskope report found that COVID-19 accelerated cloud migration by 20% in 2020 and that even the smallest organisations now use on average 258 cloud apps. This strains two obligations in particular: retention periods, since information should not be stored for longer than necessary, and international transfers, since personal data should not be moved to certain countries without the relevant safeguards in place.

This gets tricky when cloud platforms replicate data (and its backups) across several locations and keep it for periods you cannot see. Choosing third-party tools that give you oversight of where your data is located, and for how long it is retained, will therefore put you in a much better position to manage compliance in the long term.

Getting data protection right

By getting data protection right, your business gains credibility with its stakeholders, a stronger brand image and the reassurance that all the personal data you collect and process is handled lawfully. At Privasee, we know that as an early-stage entrepreneur this can be challenging and that you already have too much on your plate. That is why we have built a platform that automates GDPR compliance and tells you what to do at every step, so you can focus on what truly matters: your business.

Disclaimer

This article does not constitute legal advice and seeks only to provide general guidance on the topics discussed.

Sources and Further Resources

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/data-minimisation/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/

https://www.netskope.com/blog/cloud-and-threat-report-shadow-it-in-the-cloud

Privacy Policy help

https://ico.org.uk/for-organisations/make-your-own-privacy-notice/

https://gdpr.eu/privacy-notice/