Law

Starting a New Business in the GDPR Era – What You Need to Know

Data protection is a challenge for every business now that so much of what we do is online. And now, thanks to the far-reaching effects of the EU’s General Data Protection Regulation (GDPR), entrepreneurs have to give appropriate attention to data protection even when starting brand-new ventures. There is no getting around it.

Unfortunately, inexperienced entrepreneurs sometimes do not understand the implications of the GDPR and similar regulations. Compliance can be especially challenging for businesses that are not located within the EU or the European Economic Area (EEA). That notwithstanding, compliance is still required.

If you are an entrepreneur looking to start a new business, here is what you need to know about data protection in the GDPR era:

1. To Whom the Regulations Apply

At the very top of the list is knowing to whom the regulations apply. Beginning with the GDPR, regulations apply to any business that collects and stores data from users inside the EU or EEA. This includes businesses that have no physical location in the EU. Whether a start-up collects customer information for shipping purposes or is a B2B enterprise that deals only with other businesses, any and all collected information must be protected.

How the regulations are enforced against overseas companies remains a matter of debate, but enforcement mechanisms do exist within the regulations. For all intents and purposes, it is just not worth taking the risk anymore. Companies might just as well practice good data security even if the GDPR doesn’t apply to them.

Also note that the GDPR laid the groundwork for similar legislation passed in other places. The US state of California has since passed its own data protection legislation. So have a number of countries around the world.

2. The Types of Data Covered

Perhaps a bigger concern for start-ups is the actual types of data covered by the GDPR and similar regulations. Unfortunately, the term ‘personal data’ is quite broad. Some are even considered ambiguous. The best way to describe it is to consider it as any data that can be used to identify a person. That automatically means names, addresses, telephone numbers, etc. – for starters.

Understand that personal data goes beyond contact information. It includes everything from ethnicity to religious affiliation and sex. Any kind of information that could help identify any aspect of a person’s identity must be protected. This suggests that it is in a business’s best interests to not attempt to create differences between data types. It is far better to simply commit to protecting all data rather than trying to focus on certain types of data to the exclusion of others. Just protect it all.

3. Why Compliance is So Important

Start-ups trying to get by without guaranteeing compliance are taking a substantial risk. The reason is simple: a failure to comply could mean your company faces pretty substantial funds. Though it is hard to imagine the EU would go so high, the most a company could be fined is $20 million. Fines can reach as high as 4% of a company’s annual turnover.

Damage to a company’s reputation also has to be considered. Rest assured that the highest profile cases are not left to quietly disappear in obscurity. If your company is found out of compliance and fined a significant amount, you can expect the media to broadcast it far and wide. Your company could lose all of the trust it has worked so hard to build in short order.

Companies specialising in GDPR audit services are now popping up all over the place. They are especially prevalent in the EU. However, they can be found around the world given that so many companies do business in the EU without actually being located there. It is almost a given that data protection is now mandatory.

4. How to Maintain Compliance

Next up, it is imperative to understand how to maintain compliance. This is where GDPR audits come into play. A qualified consulting firm that knows data protection laws inside and out can run a complete audit on a client’s computer and network systems to find areas of both compliance and non-compliance. With compliance, reports come suggestions explaining how a company could do better.

The benefit of an audit is that it offers a third-party perspective. Such a perspective can reveal things company management cannot see simply because they are too close to the situation. Audits also serve to clarify some of the more ambiguous aspects of data protection law.

As a general rule, maintaining compliance involves the following:

  • Asking for Permission – Companies should always ask permission to collect, store, and utilise customer data. The idea is to force customers to opt in rather than expecting them to opt-out.
  • Creating a Security Protocol – The IT department must develop a strong security protocol that guarantees data security before any information is ever collected.
  • Creating a Response Plan – Companies should have a response plan in place in the event of a security breach. Failing to plan could mean flailing around in hopes of correcting a situation that could quickly get out of control.
  • Employee Education – All employees should be educated on data protection, even if they are not directly involved in collecting and storing data.
  • Making the Necessary Hires – It is important to hire someone capable of handling compliance issues. This is usually a data protection officer. In addition, a company should hire consultants to provide regular audits.

It is often a good idea for start-ups to begin collaborating with a consultant from the ground up. A good consultant can help a start-up develop its security policies, implement its software solutions, educate employees, and so forth. That same consultant can be used to run the regular audits.

It should be obvious that data protection is a genuine issue in this day and age. Even if the EU had not passed the GDPR, it would have only been a matter of time before another jurisdiction did. Today’s online world requires evermore diligence to guarantee that sensitive personal data stays locked away. To say entrepreneurs and business executives need to be diligent is to state the obvious.

If you have any questions, please ask below!