GDPR Essentials for Early-Stage Entrepreneurs
4th October 2021
Working on the Santander X Global Challenge Helping Businesses Prosper, the Oxentia Foundation and Banco Santander had the pleasure of nominating Privasee as the winner of the startup category of the competition. Driving the automation and digitalisation of GDPR compliance, Privasee has set out to revolutionise business operations, helping entrepreneurs focus on growth without letting compliance hold them back.
We are delighted to host this article written by Privasee, hoping to offer basic GDPR guidelines for innovators starting off in business, and to inspire more entrepreneurs to see challenges as market opportunities.
As an early-stage entrepreneur, it is important for you to grasp how the GDPR applies to you and to take advantage of starting your enterprise journey after the GDPR has come into force. By embedding data protection elements into your business journey from the outset, you can set your compliance on autopilot and make things a lot less painful down the road.
This article outlines some of the key factors to consider to become self-compliant in the early stages of business creation and administration.
1. Identify your roles and responsibilities
From the outset, it is important to determine whether your business is a data controller or processor as each role has its own requirements.
Data controllers have the most stringent compliance requirements because they control the purposes and means of processing the personal data that is collected and stored. After all, with great power comes great responsibility.
Data controllers in the UK are, among other things, expected to pay a data protection fee to the regulator, with some exceptions like charities and public organisations.
Data processors have less stringent requirements as they only act on the instructions given by data controllers and do not themselves have a purpose for processing the data. Good examples are applications like Typeform, where personal data and responses are collated on the platform but are only collected on the user’s behalf.
As such, they do not have the same obligations as controllers and do not need to pay a data protection fee. However, they are still accountable and have direct obligations to both data subjects and data controllers.
2. Determine your lawful bases for processing
Your processing of personal data should comply with a lawful basis for processing under Article 6 of the UK GDPR, without which you cannot process personal data. It essentially means that you need to have one of the following legal grounds to be using someone’s personal data:
- Performance of a contract (such as an employee’s personal data)
- Legal obligation
- Protection of vital interests
- Necessary for the performance of a task
- Legitimate interests
For example, the collection of email addresses can be grouped under one heading, such as consent, if data subjects have actively consented to your use of their email in a specific way.
Having a legal basis to process data is a legal requirement. But on top of that, having a clear breakdown of the legal grounds you use for different data types can help you answer queries from your users in a timely manner and make you seem more trustworthy to customers and regulators.
3. Map your data
Data mapping is when your organisation looks at all the data it holds and connects it to the individuals it belongs to. Essentially, it is about creating a list of all the data you have on each individual, where you keep it, how long you aim to keep it in order to fulfil your purposes, under which legal basis you collected it and how long you are allowed to keep it.
If you’re processing sensitive categories of personal data, you may also need to have further safeguards. The following data is known as special category data and is governed by Article 9 of the UK GDPR:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sexual orientation.
The processing of such data is prohibited unless there is a lawful basis to do so. If a large amount of processing is required, a Data Protection Impact Assessment (DPIA) may be required and a Data Protection Officer (DPO) may need to be appointed.
Data mapping can help you demonstrate your compliance to the ICO. It can also help you reduce the time and money spent on responding to user requests such as Data Subject Access Requests (DSAR) – more on this below. Ultimately, the data you hold is valuable both to your organisation and to the individuals you hold it on – it is only natural that you know exactly where your most valuable possession is.
“There are known knowns; but there are also unknown unknowns. And it is the latter category that tends to be the difficult one” – United States Secretary of Defense Donald Rumsfeld
The benefit of mapping your data cannot be denied and the Privasee tool can help you produce required documents such as a record of your processing activities, reduce the time taken for any queries, and give you the reassurance that you have total control over all the personal data you hold.
- Business contact details
- Type of personal information collected
- How personal information is collected and why (refer to the lawful bases for processing personal information)
- How personal information is stored (for example, via cloud computing or third-party data processors)
- Data subject’s rights
  - Right of access – right to ask for copies of personal information
  - Right to rectification – right to ask the business to rectify inaccurate or incomplete personal information
  - Right to erasure – right to ask the business to erase their personal information, in certain circumstances
  - Right to restriction of processing – right to have the business restrict their processing of their personal data, in certain circumstances
  - Right to object to processing – right to object to the processing of their personal information, in certain circumstances
  - Right to data portability – right to have the personal data held by the business transferred to another organisation or to the data subject, in certain circumstances
- How to complain
  - Information on the business contact for data queries
  - ICO’s contact details
Finally, make sure to keep the above information (contact details etc.) up to date to remain compliant with the law. If your contact details change and you forget to update them, you may miss a user access request and get in trouble with regulators.
5. Answer Data Subject Access Requests promptly
Data subjects have the right to ask whether your business is storing their data and whether they can receive copies of it or have it erased or amended. This is known as a Data Subject Access Request (DSAR). An individual can make a DSAR verbally or in writing, including on social media. Any occasion on which an individual asks about their personal data counts, and no special phrases are required.
Your organisation must comply with any DSAR without undue delay and within one month. If the query is complex, you can extend this time to two months, but you must give a good reason. That’s why it is crucial that you have conducted thorough data mapping: you must be able to give users all the information they ask for, and no two DSARs are the same. For more information on this, visit the ICO guidelines.
6. Follow the Data Minimisation rule
If your organisation is looking to conduct market research, data minimisation can be implemented via the online forms and surveys that you send to data subjects. For example, only asking for personal data when it is relevant to your business purposes would not only help your business better engage with potential leads, but also reduce the storage of vast amounts of data. What’s more, collecting less data can decrease the time needed to map your data and save you resources.
7. Choosing a third-party application (if you are a data controller)
If your organisation is looking for third-party tools, which tend to act as data processors, it may be beneficial to pick those that have privacy-by-design elements embedded. For example, using mailing lists or online forms that have a double opt-in function for email marketing may help your business demonstrate consent.
There are also GDPR-specific challenges when businesses choose to move their processing activities to cloud computing. A Netskope report highlighted that COVID-19 accelerated migration to the cloud by 20% in 2020 and that even the smallest organisations now have on average 258 cloud apps. One challenge this poses concerns the retention period and international transfer of personal data, as information should not be stored for longer than necessary and should not be transferred to certain countries without the relevant safeguards in place.
What this means in practice is that data that is no longer necessary must be deleted and that you have to be aware of where data is being stored. But this gets tricky when platforms store data (and their backups) across multiple locations. Therefore, by choosing data processors that give you oversight of where your data is located, you will be able to better manage data compliance in the long term.
Getting it right
By getting data protection right, your business benefits from increased credibility with your stakeholders, an improved brand image and the reassurance that all the personal data you process is lawful. At Privasee, we know that as an early-stage entrepreneur, this can be challenging and that you already have too much on your plate. That is why we have built a platform that automates GDPR compliance and tells you what to do at every step of the way so you can focus on what matters – your business.
More information for small businesses can be found on the ICO website.
This article does not constitute legal advice and only seeks to provide general guidance on the topics discussed.