Data protection and cyber security are a vital part of ESG compliance. Data is extremely valuable to every business and therefore must be handled and protected properly. The European GDPR (General Data Protection Regulation), which governs the sustainable and responsible handling of personal data, has been implemented in national data protection laws, for example the DSGVO (Datenschutz-Grundverordnung) in Germany.
1.1. GDPR Compliance
What is the GDPR and what scope does it have?
For an overview of the GDPR, its scope, and general guidance refer to
How to handle GDPR compliance?
Depending on the size of your company and industry, or what kind of data you process, there are three different approaches founders can take to handle GDPR compliance.
The simplest way is to deal with data protection in-house. This might be the best approach for your company as long as your data flow has a manageable extent.
Generally, startups can follow available checklists to determine their data protection needs. The to-dos can be divided into four sections:
- What information do you have and who handles it?
- Is your data processing legally justified?
- Anonymize data whenever possible.
- Raise awareness within your team.
- Create a data protection impact assessment.
- Know how to notify the authorities in the case of a data breach.
- Make someone responsible / assign a Data Protection Officer.
- Make third parties undersign a data processing agreement.
- Third parties have a right to see what information about them you have and how you are using it. Make it easy for third parties to review this information, update it or delete it.
- Be prepared to offer copies of these data sets.
- If you make use of automatic data handling, be sure that your processes do not conflict with legitimate interests (e.g. equality).
The official checklist is available here:
GDPR compliance checklist - GDPR.eu
Use this GDPR compliance checklist to plan your organization's data privacy and security measures. Document your steps to show compliance.
Another checklist can be found here:
Best practices for early adoption
- Appoint a data protection officer
- Classify all data
- Implement an Application Tracking System (ATS) as soon as possible
- Train employees in GDPR
- Document, maintain and enforce privacy policies, procedures and processes
- Complete a privacy impact assessment
- Test data breach response procedures