If your startup handles personal data, you need to be aware of data protection laws. The most well-known such law is the EU’s General Data Protection Regulation (GDPR). It applies to all businesses operating in the EU (your headquarters might be somewhere else) and limits how companies collect and use personal data.
Since its full implementation in 2018, the GDPR has been widely seen as the gold standard for privacy protection worldwide. Since then, dozens of other countries have enacted copycat legislation (a notable one was the California Consumer Privacy Act, modelled after the GDPR). While Switzerland has its own data protection laws, its economy is so entangled with the EU that you are well advised to comply with the EU’s laws right from the start. If you have operations in multiple countries, monitor the varying requirements, because they can have a big impact on operations.
Some initial thoughts:
- Use data protection to your advantage. Large incumbents usually struggle to implement data protection simply because their processes were not built to reflect today’s requirements. By making sure you offer “privacy by design” or “privacy by default”, you might be able to create a competitive advantage early on. Example: Make sure your customers can manage their data and their privacy settings themselves. That way you are not only compliant and user-friendly, you also save support costs.
- Privacy is key to establishing your brand and trust in your company. Today, customers expect careful and transparent handling of their data.
- Ignoring data privacy will harm your fundraising, too. Many VCs expect a privacy strategy and tend to shy away if they don’t get comfortable with your handling of personal data.
💽 What is “personal data”?
“Personal data” is, roughly speaking, any information that relates to (1) an identified individual or (2) an identifiable individual. Number (1) is easy: Typically, you will collect your customer’s name, email address and a credit card number, for example. The credit card number on its own is not personal data, but since it relates to an individual in the context of being a customer, it is seen as “personal data” too.
Identifiable individuals under (2) can be trickier. An address alone cannot be used to identify an individual if there are hundreds of people with the same address. But if the address refers to a house with only one person living in it, it’s a different story. Or imagine you sell asset tracking devices and one of your customers uses them to track his employees’ cars. All of a sudden, the location data you process becomes personal data because there is only one person on the planet in this particular truck taking this particular route and therefore, this person is identifiable.
🔓 So what do I need to do?
- Get to know your business’ data flow - what data comes in and what goes out, including all channels, and from suppliers to vendors and customers. You should have some sort of documentation about the data you process. Don’t forget to ask yourselves why each piece of data is necessary and how long you need to hold it (you must not hold it forever).
- Ensure you have a privacy policy that explains your approach to personal data – remember transparency is key. Consider actually drafting it yourself! The EU explicitly encourages clear and plain language that is easily accessible.
- Get consent. Consent is a key player in GDPR and is something that should always be at the forefront of your mind. You must explicitly ask for and gain the consent of individuals if you want to collect, store, and use their data.
- Educate your team. Make sure everyone in your team is aware of what data protection means and how to comply with it. Ideally, you inform new team members during onboarding and conduct regular training sessions going forward.
- Think about the technical measures you use to protect data. While you might think about protecting your firm from cyber security threats at some point in time, start with the simple things first. Make sure you use strong passwords and two-factor authentication, encrypt the data, make sure that only those employees who really need to work with the data can access it, and so on.
- Create a data breach response plan. You must react without undue delay to an incident, so prepare a strong plan about what to do and who to inform before a data breach happens.
If you are unsure about any of these topics, get a service provider to help you. The GDPR and other data protection laws are here to stay – embrace them!
📚 Resources
https://gdpr.eu/checklist/ - GDPR checklist
https://gdpr.eu/privacy-notice/ - sample privacy notice template
https://usercentrics.com/ - a leading consent management platform
https://simpliant.eu/ - services around data protection (German only)