How this New EU Data Law Affects your Startup

Gio Mgaloblishvili, published in Legalr, Feb 7, 2018

On May 25, 2018, a new regulation, titled the “General Data Protection Regulation” (GDPR) is set to take effect across the European Union. This regulation fundamentally changes the way in which companies around the world can use and store the personal data of EU citizens.

Though the GDPR has significant impacts on companies like Facebook and Google, which have been spending millions to ensure that they are in compliance, it also impacts any company with users in the EU, including startups of all sizes. Companies which do not adhere to the new regulations can face a hefty fine of up to €20,000,000 or four percent of annual revenue, whichever is higher (Article 83).

Most start-ups, however, cannot afford expensive compliance lawyers and are left with the challenge of navigating the new policies on their own. We’ve broken down some of the key points that any bootstrapped entrepreneur who has or plans to have users in the EU needs to know.

1. GDPR affects your company even if you are based outside of the EU

As long as your company in any way interacts with the personal information of EU citizens, it is subject to the violation penalties outlined in the regulation. This includes both free and paid services.

2. You have to simplify your terms of service

The GDPR emphasizes that users must actively consent to the use of their data by companies, and it must be explained to them what the data will be used for (Article 13). While this was also the case before the GDPR, the change is that the consent must now be given in “an intelligible and easily accessible form, using clear and plain language” (Article 12), meaning that companies which present users with a confusing wall of text full of legal jargon in their terms of service agreement may be subject to a fine under GDPR. You must also enable users to easily withdraw consent at any time.

3. If your data is breached, you have to report it within 72 hours

This is a mandatory measure intended to protect the personal information of users when a breach is likely to “result in a risk for the rights and freedoms” of individuals (Article 33).

4. Users have a “Right to Access” their data at any time

This means that you must provide a user, on request, information regarding whether your company is processing their personal data, and for what purpose. You must also provide a copy of all of the personal data you have on that user in an electronic format, if it is requested (Article 15). Users can also ask you to transfer their data to a different company, chosen by the user (Article 20).

5. Users can have their data erased at any time

Users can request to have their data erased from your databases, known as the “Right to Erasure”. While this policy, also known as the “Right to be Forgotten”, has been present in the EU for several years, it now has new teeth: GDPR requires companies to allow users to easily withdraw consent to the use of their information, which makes requesting deletion of their data easier, and requires companies to carry out the erasure “without undue delay” (Article 17).

6. If you handle large amounts of user data, you may be required to appoint a “Data Protection Officer”

This section of the GDPR is somewhat ambiguous, as what is meant by “large amounts” is not defined, nor is it defined whether the Data Protection Officer can have other responsibilities within the company (a concern for startups trying to maintain low overhead) (Article 37).

Although this list does not by any means cover every aspect of the GDPR, it highlights some of the key considerations needed for a startup to be compliant by May 25. With over half of the US multinational companies surveyed by PwC claiming that GDPR is their “top data-protection priority”, startups not already in compliance need to move quickly to adapt.
