The following article is the first in a series designed to explore the most critical aspects of GDPR for startups. The series will cover the most important points of this regulation in easy-to-understand language.
You have been hearing about the General Data Protection Regulation for the last few years. You might know it has something to do with data privacy and cookie policies, and for most of us, that is the extent of information at hand. Refusing to acknowledge GDPR can have unpleasant consequences.
Here at ARDOXSO, we have decided to address this issue and illustrate the importance of GDPR for startups.
- What exactly is this GDPR?
- What is the meaning of GDPR for startups?
- Which startups should follow GDPR and exactly how?
- Where should I begin with GDPR?
If you find yourself lost in the bewildering legal lingo and seek to find an answer to these questions and more, this GDPR series is specifically designed for you.
Through the series, we have included some relevant parts of the GDPR for ease of access. You could choose to skip these legal texts. However, if you need clarification of some of the words and phrases, it would be a good idea to have Article 4 of GDPR: Definitions, ready on the side. In any case, feel free to leave a comment if you have any questions.
Let us begin the ARDOXSO GDPR Series by answering some of the most important and frequently asked questions on GDPR for startups.
What is GDPR?
Let us begin at the very beginning and get the obvious stuff out of the way. GDPR, short for General Data Protection Regulation, is a set of rules for businesses in Europe. General concerns regarding EU citizens’ personal data were the main driving force behind the creation of GDPR. GDPR aims to give people more control over their personal data and to protect their privacy.
“This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.” -Art. 1 GDPR
This regulation creates a unified regulatory framework for businesses operating all over the EU, making compliance easier for businesses operating in multiple countries. For startups, GDPR has the benefit of clarity and inclusivity, thus eliminating the guesswork from the compliance procedure.
Is GDPR A Law?
GDPR is an EU regulation titled “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”. This regulation is made by the European Parliament and the Council of the European Union.
But what is a “regulation”? Is it the same thing as a national law? Is GDPR a law? What is the nature of GDPR?
Regulations are passed by the Council or delegated to commissions of the European Union. These regulations are binding just like any EU country’s laws and override all existing national laws on the same subject matter. Furthermore, all subsequent national legislation must observe the regulation.
The GDPR is now recognized as law in the EU. So do not let the “regulation” title fool you. For startups based in the EU (or operating there), following GDPR is a must, and it should be regarded as mandatory law.
When Did GDPR Start?
GDPR replaced the 1995 Data Protection Directive after years of heated debates and deliberation. The regulation was made on 14 April 2016, and the GDPR has applied since 25 May 2018. What this means is that as of 25 May 2018 the GDPR is in effect and businesses must be compliant with GDPR.
If you are interested in learning more about the history of GDPR, visit this link.
Does GDPR Apply To My Business?
The GDPR regulation must be followed in the European Union (EU) and the European Economic Area (EEA). This means that any business with a base of operations in the EU or even one dealing with the people in the EU is subject to this regulation.
If your startup is located in an EU country, or if you are, for instance, an online business based outside of the EU yet providing services that are used by EU residents as well, the GDPR concerns you.
If you are still unsure whether the GDPR applies to you, read Article 3 of GDPR below; if not, proceed to the next section.
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
What Is The Impact of Brexit on GDPR?
The UK and the EU have agreed on a Withdrawal Agreement, and a transition period has been set until the end of this year (2020). So, for now, every GDPR guidance applies in and for the UK and should be followed thoroughly.
What the future holds for startups regarding the GDPR depends on the outcome of the ongoing negotiations. There is the possibility of the existing GDPR guidelines being turned into a UK law (UK-GDPR).
The good news is that there is no need for any immediate action, and you would be alright to just follow GDPR for now. In case of any changes, there will most likely be enough time to adjust procedures and reach compliance with possible new rules.
The details regarding the aforementioned matter are beyond this article’s scope and I suggest you follow this link for more information on Brexit and GDPR for startups.
Why Should I Have A GDPR Policy?
Well, the short answer is legal consequences. Just take a look at the following passage from Article 83 of GDPR:
“…Infringements of the following provisions shall (…) be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher…”
You would be right to be a bit scared now. If a business fails to follow GDPR regulations, it is essentially opening itself up to gigantic fines and lawsuits.
The 4% figure is enforced in practice: looking at some of the biggest GDPR fines, we see numbers in the millions of euros.
- British Airways was fined £183 million because of the “inadequate security arrangements that resulted in a 2018 web skimming attack affecting 500,000 consumers”.
- Google LLC was fined €50 million because of the “inadequate transparency, control, and consent over the processing of personal data for behavioral advertising”.
What Are The 7 Principles of The GDPR?
The GDPR establishes 7 principles in its 5th Article:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
These key rules should be at the center of your GDPR policy. We will discuss each principle in depth in the next piece of the ARDOXSO GDPR Series.
What Rights Do Data Subjects Have Under GDPR?
What GDPR means by Data Subject is an “identified or identifiable natural person”, i.e. an individual. A set of 8 rights is recognized for individuals regarding the use of their personal data.
Through Articles 12 to 23, GDPR grants the following 8 rights for data subjects:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights concerning automated decision-making
We will discuss each right in depth in another piece of the ARDOXSO GDPR Series.
We strongly recommend that you start educating yourself on GDPR and take the first step towards compliance. As complicated as it might seem, GDPR has a simple central philosophy behind the legal mumbo jumbo. In this series, we have tried to shed light on GDPR and prepare you for the journey ahead. Do not miss the second part of our GDPR guide.