GDPR: The Quick and Dirty Guide to Getting Compliant for Startups and Small Business

Disclaimer

Profile you need to fit to use this guide

  1. Your organization is a startup company or a small business. Not a public authority, non-profit, NGO, etc.
  2. You have fewer than 250 employees.
  3. You are not performing regular and systematic monitoring of people on a large scale.
  4. You don’t process personal information for children younger than 13.
  5. You do not process data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal history, genetic data, biometric data that can uniquely identify a natural person, health data, or data on sex life or sexual orientation.

Definitions

  • Subject: A natural person, i.e. an individual.
  • Data Controller: The entity that collects and processes data on subjects. This will normally be the company that the user feels like they are submitting their personal data to. For example, if you run a B2C SaaS business, you are almost certainly a Data Controller.
  • Data Processor: An entity that processes data on behalf of a data controller. A lot of B2B SaaS companies will be Data Processors, for example anyone who runs an API-based service that accepts personal data. A lot of companies, especially B2B companies, will also find that they are both a Data Controller (to their own registered users), as well as a Data Processor (for the data entered by their users). An example of a company that is definitely both a Data Controller as well as a Data Processor would be a cloud-hosted CRM system; it is a Data Controller for its own registered users’ data, and a Data Processor for all the personal information on their prospects and customers.
  • Personal data: Any data that relates to a Subject (i.e. an individual), that either is identified or can be identified based on that or other data. Essentially, any data you store that relates to a natural person, whether or not you know their identity or just know enough about them that they might be identified.

Step by step

  • Data on your employees (for payroll and other purposes)
  • User account data, settings, etc.
  • Usage records in your database
  • Diagnostic logs and analytics (may e.g. contain IP addresses)
  • Any data files, photos, etc. that you store on behalf of subjects
  • Details related to subscriptions, payments, etc.
  • Lead lists that you have created or purchased (e.g., lists of email addresses, names, titles) for direct sales or marketing purposes, without explicit consent from the subjects
  • Prospect and customer details in your CRM
  • Mailing lists that subjects have opted into
  1. What is our purpose for collecting/processing this data? If there are multiple different types of processing for one set of data, make separate entries in your spreadsheet for each different type.
  2. Where do we store the data? E.g., in a database, files (note the location), or in a 3rd party system such as Google Analytics or MailChimp?
  3. What types of personal data is collected/stored for this processing? Name? Email? Photographs of the person? Write down all the different aspects of data related to an individual that you collect and store for this particular processing.
  4. Where does the information come from? From the subjects themselves, or from 3rd party datasets, from your own online research, or it is entered or otherwise input by your users (e.g. if you run a CRM)?
  5. Do you use a Data Processor to store/process this data? For example, if it’s a flat file stored in Google Drive, then Google is your Data Processor here. List all data processors for each category of personal data.
  6. How long do you store the data? Could you store it for a shorter duration?
  7. What is your policy related to this data?
  8. What is your justification to process the data? The most common ones are that consent was given, or it is required to fulfill a contract with the Subject, or you have a legitimate interest to process the data that is not overridden by the interests or fundamental rights and freedoms of the Subject (yes, this last bit is vague — we’ll discuss this a bit more in step 7). If consent was given for the processing, what form of consent is it, and is it explicit enough? We’ll talk more about getting consent in step 3.

2. Minimize risk and reduce work

3. Get consent

4. Enable subjects to exercise their rights

  1. Right of access: If they ask, you need to tell them whether and how you are processing their data. You can also mostly handle this right by having a public statement about your data protection policies (see next step).
  2. Right to data portability: You can handle these two rights more or less the same. Document a process whereby you gather all data on the person into a single folder, ZIP it up, and send to them. Use your list from step 1 to achieve this, and don’t forget data stored by various subprocessors. The GDPR requires that the data be machine readable but does not specify the exact format. As standards emerge around this, look to them and try to do what others are doing, but for now, who’s to say what the right format is?
  3. Right to rectification: This is essentially a right to make corrections. Just accept the corrected data and update your systems.
  4. Right to erasure: Part of this right requires that you “forget” subjects if you no longer need to process their data. The other part is, they can withdraw their consent or object to your processing of their data (see below) at which point you need to erase them from your data. If you only process data based on consent, then all you need to do is remove their records. If you also process personal data not submitted by the subject in question, see the next right (the right to object).
  5. Right to object: If you fit the profile for this article, then this is bound to have to do with direct marketing, e.g. cold outreach or some other form of processing where they did not consent, but rather you are processing their data because of a business need you have. If they object, you stop processing their data (i.e. you unsubscribe them / add them to an exclusion list) and make sure you do not process their data again without consent. It’s unclear to me whether you are allowed to keep their email address or some other identifier on file as part of an exclusion list, but I would think that as a first step towards an implementation this should be OK; a more advanced implementation would be to keep a list of one-way cryptographic hashes of email addresses or other identifiers that have opted out.

5. Document your policies

6. Sign DPAs and consider territories

  1. For US businesses, you can certify to the U.S. Privacy Shield framework.
  2. For businesses in other jurisdictions, you could apply to the EU privacy regulators to have them certify so-called Binding Corporate Rules. You’ll probably prefer to just ask for explicit consent from the user.

7. Be transparent

  1. Notify the data subject without undue delay. You probably already know their email or phone number, so use that. If you don’t, you need to set up some kind of opt-in mailing list or similar that users can subscribe to for such notifications, or you will need to communicate publicly about data breaches. There are certain situations where you can skip notifying individual subjects.
  2. If you are a Data Processor, you must notify affected Data Controllers without undue delay.
  3. Unless the data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”, you must notify the supervisory authorities of the EU/EEA member state(s) affected, i.e. where the data subjects reside.

8. Consider your cold outreach practices

What’s missing?

Useful resources

  1. This neat indexed version of the full text of the GDPR, with links to relevant additional material for each article. This is what I’ve linked to in several places in the guide.
  2. The UK Information Commisioner’s Office (ICO’s) guide, which is the most concise and easy to understand full commentary on the GDPR. I especially recommend their checklist for data controllers and data processors.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store