To get you started, here are some of the first steps to follow:
Appoint a data privacy officer
The first and foremost step is to appoint a person in your organization to be responsible for data privacy matters. This individual should be knowledgeable on the subject, someone with legal and IT expertise (either internal or external to the company). The General Data Protection Regulation (GDPR) requires the appointment of a so-called data protection officer (DPO) for some specific types of processing activities, for instance if your startup processes health data at large scale. The DPO advises the company on data privacy matters and serves as the liaison between the company, third parties and data protection authorities. Although appointing a DPO is not always required by law, it is certainly advisable as a matter of best practice.
Analyze the data life cycle
Secondly, you need to analyze your data life cycle, including how data is collected, stored, processed, and deleted, and understand how the data processing principles apply to each of those stages.
To this end, you should create a chart mapping the data life cycle in your company, from data collection to data destruction. Defining this will help you assess the risks in the processing of data and determine the security measures needed to prevent and minimize those risks.
Consider information notices
Under GDPR, controllers are required to provide certain information to data subjects regarding the processing of their data, such as the purpose and legal basis of the processing, the recipients to whom the data will be transferred, and the rights granted to the data subject, among others.
GDPR also requires companies to keep a record of processing activities containing certain prescribed information. With the guidance of your data protection officer, you decide the level of aggregation or segregation of personal data required for your activity.
Conduct a risk analysis
It is necessary to first identify and assess the risks that the processing of data poses to the rights and freedoms of natural persons, so that you can determine which security measures you will implement.
An example: a startup uses an online application platform where applicants can register and update their application data, but the authentication method is weak. Although the startup might rate the risk of a loss of confidentiality as low, its risk assessment must also consider that economic damage could occur to the data subjects once all their application documents become publicly known.
Once the security measures are defined, such as patching systems, encrypting data, keeping backups, etc., they need to be implemented internally.
Where the data processing involves a high risk to the rights and freedoms of natural persons, a further data protection impact assessment may be required under GDPR. This would apply, for instance, when processing personal data at large scale, or when systematically monitoring or processing special categories of data (such as health data).
Consider data subject rights