Doing business with corporate Europe: First steps to not fuck up data protection

Herbert Mangesius, Vito Ventures
Published Jul 25, 2017 · 3 min read

Measured by startup revenues, the B2B market often outperforms the B2C market by a significant factor. The German Mittelstand in particular offers lucrative monetization potential for young B2B software companies.

Despite the great opportunity, the size of the entry hurdles is often underestimated, leading to frustration on both sides where excitement should reign instead.

In Gründerszene’s recent five tips for building a lucrative business with B2B customers, data protection tops the list.

Getting data protection right upfront not only polishes a startup’s professional image; it is a basic hygiene factor that can make or break a corporate-startup deal.

Data protection will become a KPI in the future

As software continues to eat the world, we observe that corporates increasingly harness startups to drive their own digital innovation in the most economic and effective way.

Typically, a startup-corporate collaboration brings a data protection officer (DPO) into the equation, at least on the corporate side. The DPO is involved whenever a third party requests any kind of personal data processing or data exchange with the corporate (central IT to cloud, cloud to cloud, SFTP transfers, and so on).

Daniel Hernstein-von Glahn is DPO at the globally active Viessmann Group. In his view, the upcoming EU General Data Protection Regulation (GDPR, applicable from 25 May 2018) will affect all digital strategies; at first sight this seems to imply additional costs, but in the long term it represents an investment in the future. The implications of the GDPR lead him to the conclusion that

any startup that does not take data protection legals seriously will fail to have business success in Europe.

He further thinks that legal requirements, trust, and eventually customer needs will ensure that

data protection becomes a KPI for businesses.

In the following we share D. Hernstein-von Glahn’s professional view, as a European DPO, on how to get the first steps of data protection right.

Data protection done right in Europe: First steps

To be allowed to process personal data as a third party, a minimal set of contractual items must be in place. Beyond that, expect a DPO to apply common-sense checks on the credibility of the startup that wants to enter into a B2B “data relationship”.

Contractual issues
Consider the following items the first necessary “data protection steps”:

  1. Deliver a complete Data Processing Agreement (DPA) without being asked. The DPA must cover the mandatory contents of a processor contract specified in GDPR Article 28 and the following articles (subject matter and duration of the processing, instructions, confidentiality, security measures, sub-processors, assistance with data subject rights, deletion or return of data at the end of the contract, and audit rights).
  2. Make your company’s state of data protection and IT security visible to the DPO. Do this by documenting the relevant technical and organizational measures (TOMs: access control, encryption, backup, logging, incident handling, etc.), or by providing evidence such as a certification under the ISO/IEC 27001 standard.
  3. If your startup is based outside the European Union, you need a transfer mechanism that complies with EU data protection law. This can be documented with signed EU Standard Contractual Clauses (the “model clauses”) or another adequate instrument, such as the Privacy Shield for US companies. (Caveat for later readers: the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so today it cannot serve this purpose; the Standard Contractual Clauses remain available.)
  4. Keep in mind that the DPO has an audit right. This means the DPO may ask for an on-site visit and can request all data-protection-related documents, which you should ideally already have signed with your providers, employees and other third parties (sub-processor agreements, confidentiality undertakings, and the like).

Background checks related to data protection
Expect a DPO to run some “smart checks” to confirm that you actually comply with the data protection requirements documented in the various contracts.

  1. A DPO may check the privacy policies on your website or app in detail. Make sure they exist, are complete, and are legally correct.
  2. DPOs typically check your app or website with respect to hosting (provider and country), sub-domains, third-party trackers, and similar embedded resources.
  3. A DPO may check for evidence of IT security measures, such as membership in recognized security organizations or a bug bounty program, and dig for critical events made public in the past (vulnerabilities, breaches).
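Before a DPO runs the second check on you, run it on yourself. The following script is an added example (it is not code from the article or from Viessmann) that inventories the hosts a page pulls resources from, separating your own sub-domains from third-party hosts that a DPO would flag as potential trackers. The HTML page below is constructed for the example; the host names in it are sample values, not findings about any real site.

```python
"""Inventory the hosts a web page loads resources from, so you can see the
sub-domains and third-party trackers a DPO will find before the DPO does.
Added example, not the article's own code. Runs offline on constructed HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumption for the example, not a real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/app.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<script src="https://www.googletagmanager.com/gtag/js"></script>
<script src="//cdn.example-startup.com/app.min.js"></script>
</head><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="https://px.ads-network.example/pixel.gif" width="1" height="1">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<script src="https://api.example-startup.com/sdk.js"></script>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect URLs from tags that cause the browser to contact a host."""

    # Tag -> attribute that carries the fetched URL.
    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.urls.append(value)


def inventory(html: str, first_party: str) -> dict:
    """Return {'subdomains': [...], 'third_party': [...]} for the page.

    first_party is your registrable domain, e.g. 'example-startup.com'.
    Relative URLs are served by the page's own host and are ignored;
    data:/javascript:/blob: URLs trigger no network request.
    """
    parser = ResourceCollector()
    parser.feed(html)
    first_party = first_party.lower()
    subdomains, third_party = set(), set()
    for url in parser.urls:
        parts = urlparse(url)
        if parts.scheme in ("data", "javascript", "blob"):
            continue
        host = parts.hostname  # None for relative URLs, set for '//host/...'
        if host is None:
            continue
        if host == first_party:
            continue
        if host.endswith("." + first_party):
            subdomains.add(host)
        else:
            third_party.add(host)
    return {"subdomains": sorted(subdomains), "third_party": sorted(third_party)}


if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, "example-startup.com")
    print("Own sub-domains (DPO will ask what each one does):")
    for host in report["subdomains"]:
        print("  ", host)
    print("Third-party hosts (each needs a legal basis and, usually, a DPA):")
    for host in report["third_party"]:
        print("  ", host)
```

Every third-party host the script lists is a data flow you must be able to explain: who the provider is, where it is hosted, whether it is named in your privacy policy, and whether you have a DPA with it. The script only sees static HTML; trackers injected at runtime by other scripts are found by inspecting the browser's network log instead.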

Talk to a lawyer — it may pay off :)

For some it may seem hard today to embrace data protection regulations and see their value. Note, however, that the harmonization the GDPR brings across the EU comes with a strict compliance regime and severe penalties: in the top tier, up to 4% of total worldwide annual turnover or EUR 20,000,000, whichever is greater.

Ideally you invest at least once in a lawyer to make sure your legal data protection documents and measures are right. If you have not yet done so, do it.
