GDPR for Start-ups: Practical Steps To Compliance
It is a very common misconception that the General Data Protection Regulation (‘GDPR’) applies only to large, multinational organisations. Contrary to popular belief, whether GDPR applies does not depend on the number of people employed within your organisation; it depends on the data you are processing, why you are processing it and what risk that processing poses to the data subjects. Start-ups around the world often do not realise that they fall within the scope of GDPR, which can put them at high risk of a breach. Working in the cybersecurity space, we often see start-ups at the centre of the storm: they think they are unlikely to be breached, and then they are hit hard.
In this article, I detail the easiest way for start-ups to begin their journey to compliance without breaking the bank. These steps are cost effective and won’t affect the way your organisation works!
Personal Data Inventory – Identify and monitor
The easiest way to determine what organisational and technical measures your organisation needs to implement is to create a personal data inventory (‘PDI’) – a spreadsheet listing each type of personal data that the company collects. This step includes identifying the personal data you collect and continuously monitoring its collection, processing and access. Not only does a PDI give you a very good overview of what data your organisation collects, it also makes it easier to determine the risk level, because you can easily see the context in which each category of data is being processed. We often recommend creating it as an Excel sheet, assigning it to one individual to update and maintain, and updating it whenever there is a change to the data you collect, how it is collected or why it is collected!
A PDI should cover the personal data you hold from:
- Your corporate website
- Your current and past employees
- Your clients
- Your suppliers
- Any information from a purchased list or mailing list
Determine the legal basis for processing each category of data – do I need consent?
It is often assumed that you need to gain consent for processing any type of data. That’s untrue, and the misconception often leads to a huge burden of work that is simply not necessary. There are 6 lawful bases for processing, set out in Article 6 of the regulation:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interest
It is important to get your lawful basis for processing correct. If your processing doesn’t fall under one of the above 6 bases, your processing is in breach of the regulation! The rights of the data subject entitle individuals to know the legal basis on which you process their data, and each legal basis may have a different impact on how your organisation collects and processes that data!
Find your data
When processing the personal data of individuals covered by the EU GDPR, you need to know the geographical location of that data. This is because the GDPR imposes restrictions on the transfer of personal data outside of the EU, as the countries to which the data is transferred may not have sufficient data protection legislation in place to protect your data subjects. If you have the data of your employees, clients or suppliers stored on systems outside of the EU, you need to assess whether this needs to be the case. If you do need to transfer data outside of the EU, special safeguards must be put in place so that a sufficient level of protection travels with the data and the data subjects retain the same level of protection as if their data were being processed within the EU.
Policies and Procedures
The GDPR requires organisations to process data securely, most directly in Article 32 (security of processing). When deciding which technical measures you need, take into account the nature, scope, context and purposes of the processing. Start basic: change your passwords on a regular basis and make sure they are complex. Turn on multi-factor authentication. Watch for strange activity in your email and corporate applications. Install antivirus software and keep your operating system up to date. Depending on the type of business you are in, you may need more sophisticated security measures, especially if you are developing software in house (which makes ‘Privacy by Design’ an obligatory compliance item). How can you know exactly what type of security you need in place? Conduct an IT risk assessment and a gap analysis.
Data Breach Notification Procedure
72 hours – that’s all the time you have to report a breach to the Data Protection Commission after you become aware of it. Without a data breach notification procedure in place, things can get very messy very fast, and before you know it you’ve wasted a lot of time trying to figure out whose responsibility it is to do what. Writing a data breach notification procedure and deciding on roles and responsibilities early on can save you a whole lot of time (and money!). It does not have to be a long document; as long as it is clear and known to everyone involved, it’ll suffice!
Want more information? Request a free consultation today!