Privacy matters — Vinge Explains the GDPR, and How Your Startup Can Comply
Many startups have questions about the EU’s new General Data Protection Regulation, so we asked some legal experts at one of our partner organisations, the business law firm Vinge, to explain the new regulation and how startups can comply with it.
As the reader may know, the much-discussed General Data Protection Regulation (the “GDPR”) enters into force on the 25th of May 2018 and will have an impact on more or less any organisation operating in the European Union. The GDPR has recently become a hot topic that has been given lots of space in the media, and many companies worry about how it will affect them and their businesses. This blog post aims at relieving some of that worry by highlighting the main features of the GDPR and the measures startups and other companies need to take in order to be compliant.
In this post, we will give you a short description of the background of the GDPR, some key definitions found in the legal texts, as well as the fundamental requirements and main features of the legislation. Lastly we will give you some important tips on how to ensure compliance.
In Brief
The main purposes behind the GDPR are quite noble — to harmonise the domestic data protection regulations in different European countries in order to promote the freedom of competition and hence make it simpler for companies to expand and operate in several countries of the European Union. Further, the GDPR aims at increasing the data privacy of EU citizens by setting stricter conditions on how and when companies, authorities and other organisations may collect and process individuals’ personal data. If you violate the GDPR you run the risk of considerable administrative fines being imposed (and probably also the ire of your customers), so it is important to be familiar with the applicable rules concerning processing of personal data.
Remember, as evidenced by the ever-increasing media coverage (and US Senate hearings), privacy matters more than ever.
Key definitions used in the GDPR
Personal data means any information relating, directly or indirectly, to an identified or identifiable natural person (the data subject).
Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Fundamental requirements
A data controller must comply with a number of general principles relating to processing:
- The personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- The personal data may only be collected for specified, explicit and legitimate purposes;
- The personal data must be adequate, relevant and limited (“data minimisation”);
- The personal data must be accurate and kept up to date;
- The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- The personal data shall be processed in a manner that ensures appropriate security of the personal data.
Main features of the GDPR
- Internal record: As a general rule, all companies have an obligation to keep an internal record describing their processing of personal data.
- Legal grounds for the processing: A data controller must further have at least one legal ground for each of its processing activities. A common misunderstanding is that data controllers always need the individual’s consent before processing their personal data, but this is only the case when no other legal ground is applicable. Such legal ground(s) could be that the processing is necessary for the performance of a contract or that it is necessary for compliance with a legal obligation. In these cases, the processing may be carried out without collecting the data subject’s consent.
- Retention of personal data: Another important rule of the GDPR is that personal data may not be stored in perpetuity. When the personal data is no longer needed in order to fulfil the purpose for which it was collected, the personal data must be erased. This means, for example, that information regarding individuals who are no longer your customers must be erased from the company’s IT systems.
- Rights of the data subjects: The data subjects have several rights under the GDPR, which the data controllers must adhere to. These rights include that the data subjects must automatically receive information regarding when and how their personal data are being processed, and that they must have control over their own personal data. Hence, if so requested, the data subjects have a right of rectification, erasure and restriction of processing. Further, the GDPR introduces data portability as a legal concept, according to which the data subjects have a right to receive their personal data in a structured, commonly used and machine-readable format and a right to transmit those data to another data controller.
- Information to data subjects: The data subjects also have a right to receive certain information when their personal data is being processed. Such information shall be provided both when the personal data is collected and upon request by the data subject. There are also certain other occasions where specific information must be provided to the data subject, for example if the data controller is subject to a security breach where personal data is exposed to risks (a personal data breach). The information shall be provided without cost and in an easily accessible and written form.
- Security measures: Entities that are processing personal data must implement appropriate technical and organisational measures in order to ensure an appropriate level of security for the personal data. The measures that need to be taken in a specific case vary depending on the nature of the company’s business and on what kind of personal data the company is processing.
- Data protection agreements: Under the GDPR, data controllers may only work with data processors that provide sufficient guarantees to implement appropriate technical and organisational measures and to ensure the protection of the rights of the data subjects. Data controllers are therefore obliged to enter into a written agreement with each of their data processors, setting out the form in which the data processor may process the data.
How to comply with the GDPR — 5 important steps
- The first thing every company should do to ensure compliance is to make clear what types of personal data your company is actually processing, for what purposes and on what legal ground(s), and then establish the above-mentioned internal record, which shall be kept updated at all times.
- When the internal record is established, you can proceed with drawing up retention periods for the different categories of personal data and, in relation to this, put in place routines enabling you to continually erase personal data which are no longer necessary to retain.
- To be compliant, you must establish routines in order to handle requests from data subjects who want to exercise their rights under the GDPR, such as the right to erasure or data portability. You must also establish routines to provide the data subjects with sufficient information regarding the processing of their personal data. A good way of doing this is to draw up privacy policies: one internal document to provide information to the company’s employees and one external document to provide information to third parties such as customers and suppliers. The internal privacy policy should be provided to your employees in connection with entering into the service contract. The external privacy policy should be provided in connection with the first contact with a customer or other third party, and should at all times be available on your website.
- You must also assess your present level of security in order to see if further security measures are needed. Here, account should be taken of the latest technical developments, the costs of implementing further security measures and the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons.
- Finally, it is important to ensure that your IT systems can handle the measures mentioned in this section, such as ongoing erasure and data portability requests.
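To make the five steps concrete, here is an added example written for this post rather than taken from it (it is not Vinge’s material and not a statement of what the law requires in any particular case): a small Python model in which one internal record of processing activities drives retention-based erasure, erasure requests and a data-portability export. Every category, purpose, legal ground, retention period and record in it is constructed, and the names `REGISTER`, `validate_register`, `purge_expired`, `handle_erasure_request` and `export_portable` are hypothetical.

```python
# Added example (not from the Vinge post): a toy internal record of processing
# activities with retention-based erasure, erasure requests and a portability
# export. All categories, retention periods and records below are constructed.
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The six legal grounds listed in GDPR Art. 6(1).
LEGAL_GROUNDS = {"consent", "contract", "legal_obligation",
                 "vital_interests", "public_task", "legitimate_interests"}


@dataclass(frozen=True)
class ProcessingActivity:
    """One line of the internal record (step 1): what is processed, for what
    purpose, on which legal ground, and how long it is kept after the purpose
    has been fulfilled."""
    category: str
    purpose: str
    legal_ground: str
    retention_days: int


@dataclass
class Record:
    """One stored item of personal data, tagged with its register category."""
    subject_id: str
    category: str
    data: dict
    purpose_ended: Optional[date]  # None while the purpose is still being fulfilled


# Constructed internal record: hypothetical categories and retention periods.
REGISTER: Dict[str, ProcessingActivity] = {
    "customer_account": ProcessingActivity("customer_account", "deliver the service", "contract", 30),
    "invoice": ProcessingActivity("invoice", "bookkeeping", "legal_obligation", 7 * 365),
    "newsletter": ProcessingActivity("newsletter", "marketing e-mails", "consent", 0),
}


def validate_register(register: Dict[str, ProcessingActivity]) -> List[str]:
    """Step 1 check: every activity needs a recognised legal ground and a retention period."""
    problems = []
    for name, act in register.items():
        if act.legal_ground not in LEGAL_GROUNDS:
            problems.append(f"{name}: unknown legal ground {act.legal_ground!r}")
        if act.retention_days < 0:
            problems.append(f"{name}: negative retention period")
    return problems


def purge_expired(records: List[Record], register, today: date) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Step 2: erase records whose purpose has ended and whose retention period has elapsed."""
    kept, erased = [], []
    for r in records:
        act = register[r.category]
        if r.purpose_ended is not None and today >= r.purpose_ended + timedelta(days=act.retention_days):
            erased.append((r.subject_id, r.category))
        else:
            kept.append(r)
    return kept, erased


def handle_erasure_request(records: List[Record], register, subject_id: str) -> Tuple[List[Record], List[str]]:
    """Step 3: right to erasure. Records held to comply with a legal obligation
    (e.g. bookkeeping) are not erased on request (GDPR Art. 17(3)(b)); they are
    removed later by purge_expired once their retention period ends."""
    kept, refused = [], []
    for r in records:
        if r.subject_id != subject_id:
            kept.append(r)
        elif register[r.category].legal_ground == "legal_obligation":
            kept.append(r)
            refused.append(r.category)
        # any other record of the subject is dropped
    return kept, refused


def export_portable(records: List[Record], register, subject_id: str) -> str:
    """Step 3: data portability as machine-readable JSON. Art. 20 covers data
    processed on the basis of consent or a contract, so only those grounds are exported."""
    portable = [
        {"category": r.category, "purpose": register[r.category].purpose, "data": r.data}
        for r in records
        if r.subject_id == subject_id and register[r.category].legal_ground in {"consent", "contract"}
    ]
    return json.dumps({"subject_id": subject_id, "records": portable}, indent=2, sort_keys=True)


def sample_records() -> List[Record]:
    """Constructed sample data for the demo."""
    return [
        Record("u1", "customer_account", {"name": "Example Person"}, purpose_ended=date(2018, 4, 1)),
        Record("u1", "invoice", {"number": "INV-1", "amount": 100}, purpose_ended=date(2018, 4, 1)),
        Record("u2", "customer_account", {"name": "Other Person"}, purpose_ended=None),
        Record("u2", "newsletter", {"email": "u2@example.com"}, purpose_ended=date(2018, 5, 1)),
    ]


def demo(today: date = date(2018, 5, 25)) -> dict:
    """Run the three routines in order over the sample data and return the outcomes."""
    kept, erased = purge_expired(sample_records(), REGISTER, today)
    kept, refused = handle_erasure_request(kept, REGISTER, "u1")
    return {
        "register_problems": validate_register(REGISTER),
        "erased_by_retention": erased,
        "refused_for_u1": refused,
        "remaining": [(r.subject_id, r.category) for r in kept],
        "u2_export": json.loads(export_portable(kept, REGISTER, "u2")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Run as a script, the demo erases the lapsed customer account and the expired newsletter consent by retention, refuses to erase the invoice on request because it is held under a legal obligation, and exports only the portable (contract- or consent-based) records for the second subject. The design point is that retention, erasure and portability all key off the same register entry, so the record you maintain for step 1 is what makes steps 2, 3 and 5 mechanical rather than ad hoc.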
Closing words
While the GDPR certainly requires a number of measures to be taken, this should not be exaggerated. The above-mentioned anxiety which we see in some places around us is to some extent unjustified. It is important to remember the key aspect of the GDPR — it is about keeping a check on your company’s processing of personal data and sorting out the processing that is not really necessary. Further, remember that the GDPR could be accompanied by commercial benefits, since compliance generally creates goodwill and compliant companies may also see their business becoming more streamlined.
Thoughts or comments? Please let us know!
Emelie Svensäter Jerntorp
Member of the Swedish Bar Association
E-mail: Emelie.Svensater.Jerntorp@vinge.se
Phone: 073–920 55 15
Erik Ax
Associate
E-mail: Erik.Ax@vinge.se
Phone: 073–920 55 47