Data protection could be expensive as of May 2018 – What startups have to keep in mind!
Much of it is not new at all, but is already applicable law today. Anyone who has not yet focused on this issue should not delay in doing so. Some things cannot be implemented overnight. Violating the stipulations contained in this regulation may not only turn out to be expensive but could even potentially threaten the very existence of start-ups in some circumstances.
Here are the most important regulations and changes in the GDPR at a glance
The processing of personal data is generally forbidden in Austria! This may sound surprising, but in fact the processing of personal data in Austria is only permissible in exceptional cases or with the express consent of the affected person, for example when the data is required to fulfil a contract.
For this reason, you will always have to take the following points into account when handling personal data:
- Compliance with the principles of lawfulness, fairness and transparency has to be ensured. The data may only be used for specified, explicit and lawful purposes, and you are only permitted to collect and store as much data as is absolutely necessary. In practice, this means that data for which you no longer have an appropriate use has to be deleted again. At the beginning of your business operations, you have certainly gathered a lot of data from interested parties, potential customers or even investors. Which data do you really need for your active business? How many lists still exist on various cloud storage services which contradict these principles?
- Startups focusing on the issues of big data and profiling have to reconcile themselves to the idea of being subject to massive restrictions. In the future, automated decision-making processes are generally forbidden when the consequence is that the affected person, for example, is put at a disadvantage due to his or her ethnic origin or political opinion.
- Affected individuals have the right to request that personal data made available on a voluntary basis is transferred to another company (data portability). For the company, this means that it must be capable of making all such data available electronically. For example, this also applies to “shopping baskets”, “wish lists” or “shopping carts” in your online shop.
- The “right to be forgotten” pursuant to Article 17 GDPR has been put into more concrete terms. Personal data which cannot be immediately deleted has to be promptly blocked.
- Startups aiming to gain a foothold in social media are required to consider the age of children. This means valid consent has to be obtained for the processing of personal data relating to children and young people. By the way, the age up to which a person is still considered to be a child with respect to data protection regulations was lowered to 14 years. If you offer your services in other EU countries, you will have to comply with the nationally valid regulations pertaining to minimum age. These currently differ considerably from country to country.
- Even as a startup, you may have to appoint a data protection officer for your company, if, for example, the company deals with sensitive data. By the way, health care data is considered to be particularly sensitive! If you plan to offer a fitness app, you will have to inform yourself about currently valid regulations. However, if you decide to do without a data protection officer, document your decision!
- Many startups cannot afford their own large IT landscape, but use Web and cloud services. These are considered to be “processors” (outsourced services). As a business person, you have to ensure that your providers comply with the stipulations of the GDPR. Otherwise your company is liable to penalties (“negligent selection”). Before you use the new free CRM software, conclude a corresponding written contractual agreement.
- If your company offers software, Web services or apps, they have to be secure (“privacy by design”) and only collect data which is really necessary. By the way, in the future the affected persons have to indicate which data they want to make available. The previously common practice of pre-setting everything in advance is no longer permissible (“data protection by default”).
- If affected persons file complaints, the data protection authority can be called upon to deal with any violation of their rights, for example the “right to information”, the “right to erasure” and the “right to data portability”.
- Review your general terms and conditions and the declarations of consent that your customers fill out. Is it clear which data you collect, for which purposes, and to whom you may pass on this data?
- If you have not previously dealt with the following questions, do so now: which types of data are you gathering, and how long do you want to, and how long may you, store this data? Which legal regulations apply? If you want to keep this data for a longer period, you will require a proper justification.
- Compile a procedure log. This is easy to implement, and in this way you can be sure that you are actually dealing with the issue.