Even before scaling a startup, collecting user and customer data is often a critical success factor. Data, data, data: Big Data is already part of our everyday lives, and some companies make huge profits from selling data, while customers are becoming more and more worried about what is going on. Where does our data really go? How much is too much? What can we do to limit how far our data spreads? And why do so many startups treat data as such a great asset?
After following the scandal of Facebook and Mark Zuckerberg, who decided to share around 87 million users’ data with Cambridge Analytica, a firm that used the data for the benefit of the Trump election campaign in 2016, the internet generation has become more aware of what is actually happening.
Every company collects data, yet startups, even though they are the companies of the future and should learn from the leaders, continue to be irresponsible in how they handle all this input. According to a recent Mailjet study, only 29% of startups actually encrypt the data they collect, and a mere 34% have a data breach notification plan. Despite these low figures, around 91% of startups report that they collect data from their clients. Breaking the startups down by sector, the percentage does not fluctuate dramatically. Banking tops the list, with 93% of its startups collecting data; hospitality and tourism comes last, only 8% below the leader, which still leaves a solid 85% of its startups collecting and using their users’ data.
Attention, attention! You may have read about the General Data Protection Regulation (GDPR) and wondered whether it applies to you. This new piece of legislation comes into effect on May 25, 2018, replacing the EU Data Protection Directive to become the European Union’s new data protection law. In fact, it is considered one of the most significant changes in data privacy law in 20 years. Let’s break down the new regulation quickly to see what will change:
Increased Territorial Scope (extra-territorial applicability): One of the biggest changes from the current situation is the extended jurisdiction of the GDPR: it applies to all companies processing the data of EU citizens, no matter where those companies are located. Regardless of whether the processing takes place in the EU or not, if the data belongs to European citizens, it falls under this law.
Penalties: The fines are high. Companies can be fined up to 4% of annual global turnover or $20 million, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements, for instance not possessing sufficient customer consent to process their data or disregarding the Privacy by Design concepts.
Consent: The conditions for consent have been strengthened, and companies are no longer able to use terms and conditions that are full of legalese and difficult to read. The request for consent must be written or given in an easily understandable form, and the purpose for which the data will be processed must be attached to the consent.
The Data Subject Rights:
Breach Notification: Breach notification becomes mandatory in all Member States where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must happen within 72 hours. Data processors will also be required to notify their customers “without undue delay” after first becoming aware of a data breach.
Right to Access: The Right to Access is one of the data subject rights outlined by the GDPR. It is the right of data subjects to obtain from the data controller confirmation as to whether or not their personal data is being processed, and if so, where and for what purposes.
Right to be Forgotten: The Right to be Forgotten gives the data subject the right to have his or her personal data erased, to stop further dissemination of it, and to halt its processing by third parties.
Data Portability: The right of the data subject to receive the personal data that concerns them, which they have provided or transmitted.
Privacy by Design: The concept has existed for years, but only now is it becoming part of the legal requirements. It calls for data protection to be built into systems from the start rather than bolted on afterwards. More specifically, the controller must implement appropriate technical and organisational measures in an effective way. Controllers shall only hold and process data which is absolutely necessary for the completion of their duties.
Data Protection Officers: Currently, controllers are required to notify their data processing activities to local DPAs, which is usually a bureaucratic nightmare, with most Member States having different requirements. Under the GDPR, it will no longer be necessary to submit notifications and/or registrations to each local DPA, nor will it be a requirement to obtain approval.
To sum things up: In order to comply with the GDPR, your startup needs at least to be able to show, on demand, (a) where you are storing the personal data; (b) where you (or your servers) are processing that data; (c) which third parties also have access to that data; and (d) what personal data you are actually collecting and using.
As a startup, as a data subject, as an established company, it is more than important to read up and inform yourselves about these changes to the digital business world. Standard growth hacking might become a “thing” of the past. With the new GDPR regulation, the EU has definitely strengthened data privacy rules and therefore increased the protection of its citizens’ data.