5 steps to building your startup’s first privacy policy

Are you an early-stage startup wondering how to build your first data privacy policy? Privacy policies are essential when setting up a business that processes the personal data of users, employees, applicants and other stakeholders.

To get you started, here are some of the first steps to follow:

Appoint a data protection officer

The first step is to appoint a person in your organization to be responsible for data privacy matters. This individual should know the subject well and combine legal and IT expertise; the role can be filled internally or by an external provider. The General Data Protection Regulation (GDPR) makes the appointment of a data protection officer (DPO) mandatory for certain kinds of processing, for instance if your startup processes health data or other special categories of data on a large scale, or systematically monitors individuals on a large scale. The DPO advises the company on data protection matters and acts as the point of contact between the company, data subjects and the supervisory authority (data protection agency). Even where the law does not require a DPO, appointing one is good practice and is certainly advisable.

Analyze the data life cycle 

Secondly, you need to analyze your data life cycle: how personal data is collected, where it is stored, who processes it and for what purpose, with whom it is shared, and when and how it is deleted. Map each stage against the GDPR processing principles (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality) to confirm that the data is processed correctly.

To this end, create a data flow chart for your company that follows each category of personal data from collection to destruction. Documenting these flows lets you assess the risks at each stage of processing and decide which security measures will prevent or minimize those risks.

Consider information notices 

Under GDPR, controllers are required to provide certain information to data subjects about the processing of their data, such as the identity of the controller, the purpose and legal basis of the processing, the recipients to whom data will be disclosed, the retention period, and the rights granted to the data subject, among others.

This information can be provided to data subjects on two levels: 1) a short information or consent notice shown at the point where data is collected (for example on a sign-up form); and 2) a full privacy policy that is permanently available to data subjects.

GDPR also requires most companies to keep a record of processing activities containing specified information about each processing operation (purposes, categories of data subjects and data, recipients, retention periods and security measures). With the guidance of your data protection officer, decide how granular this record needs to be, that is, how far personal data is aggregated or broken down by category for your activity.

Conduct a risk analysis

Before you choose security measures, identify and assess the risks that the processing of personal data poses to the rights and freedoms of natural persons. The outcome of that assessment determines which measures you will implement and how strong they need to be.

An example: A startup runs an online application platform where applicants register and upload their application documents, but the authentication method is weak. Looking only at its own exposure, the startup might rate the risk of a loss of confidentiality as low. As part of its risk assessment, however, it must also consider the impact on the data subjects: if the weak authentication lets an attacker access accounts, the applicants' documents become public, and the applicants may suffer economic or reputational damage. The risk rating, and the strength of the authentication required, must reflect that impact.

Once the security measures are defined, such as keeping systems patched and up to date, encrypting data at rest and in transit, strong authentication, access controls and regular backups, they need to be implemented internally and their operation checked.

Where the processing is likely to involve a high risk to the rights and freedoms of natural persons, GDPR additionally requires a data protection impact assessment (DPIA). This applies, for instance, to large-scale processing of special categories of data such as health data, or to systematic and extensive monitoring of individuals.

Consider data subject rights

As part of your data privacy policy, you need to implement a protocol to follow when a data subject exercises any of the rights granted under GDPR (access, rectification, erasure, restriction, portability and objection), including how requests are verified, logged and answered within the statutory one-month deadline. Moreover, since GDPR requires personal data breaches to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and to the affected data subjects when the breach is likely to result in a high risk to them, controllers need an internal incident and data breach response mechanism that lets them detect, assess, document and report breaches within these legal deadlines. Additionally, if your startup has a website, you will need to implement a cookies policy.

We hope you found this brief overview of some of the main contents of a data privacy policy useful. For more complete information, make sure to appoint a data protection officer as in step one. If you would like to read about legaltech startups, take a look at our list of featured articles.