TL;DR: Update your Privacy Policy, document the control users have over their data, and ensure third-party compliance. Remember, since there is no GDPR certification document, it's up to you to convince your customers that you are compliant.
Most Hong Kong (HK) startups spend relatively little time thinking about regulations unless they're FinTech. Worrying about the product, team, customers and money is typically a much better use of energy. But now that the EU's sweeping suite of data privacy regulations known as GDPR is going live, I think it's about time to take notice, even if you don't think you are servicing EU citizens directly.
Bottom line: Hong Kong startups are very likely to be affected by GDPR!
We live in a country with a diverse population and global influence. While it’s unlikely you’ll be pursued by the EU if you’re small, demonstrating GDPR compliance can provide a critical competitive advantage from a marketing and customer relationship perspective.
What is GDPR?
The General Data Protection Regulation (GDPR) is focused on data that can be used to directly or indirectly identify an EU individual. It imposes a series of requirements on companies involved in the control or processing of EU citizens' data.
Which Startups Should Care about GDPR?
All of you! Many people who talk to me have the same questions. Do I really need to be GDPR compliant here in Hong Kong? Don’t people know they are signing up for EDMs and Marketing in order for businesses to succeed? Do I only need to care about people who say they are from the EU?
“Would you want to order food from a restaurant if they only cleaned the plates for people who asked them to?”
There are a few provisions of the GDPR that will apply to most HK startups:
- It is "extra-territorial", meaning it applies to companies involved in processing EU citizens' data regardless of where they're based.
- It has a "pass-through" effect, meaning that any company which processes EU data must have a fully GDPR-compliant tech stack, including the third-party services it relies on.
Why Should Startups Care about GDPR?
I don’t know about you, but I don’t want to pay the penalties! The GDPR sets out penalties of up to 20 million euros or 4% of global revenue (whichever is higher) for relevant infringements.
It will take some time for the GDPR penalties to be enforced, and I know a lot of us are waiting to see that happen. The first targets will likely be the larger tech companies, but I am sure FinTech startups, amongst others, will be high on the list.
We believe the most compelling reason for startups to spend time becoming GDPR compliant is to stay competitive in a borderless market, especially in places like Hong Kong.
The other major point is investors! Right now our focus is only on the customer and on making sure we do not get penalized, but what about that next round we try to raise? How many investors do you think will start asking, "Are you GDPR compliant?" I suspect most investors don't want to invest in a company that's going to get a 20 million euro fine, as that will not help them get the return they're hoping for.
How Should Startups Go about Becoming Compliant?
All startups should aim to reach the bare minimum needed to keep operating, then provide enhanced versions down the line. The GDPR is not a simple certificate, so it's not likely you'll be getting nice GDPR stamps of approval on your footers or user sign-ups. Most of you have probably already started seeing this on sign-up pages since May 25, 2018.
For existing users, you should release a guide to how they can control:
- Email Adverts (Marketing and Sales)
- Email Notifications (alerts that are related to activity on the website)
- Deletion of their account
For new users, you should ensure the following:
- Positive opt-in to the services, email marketing, etc. (consent boxes cannot be checked by default)
Updating your Privacy Policy is also very important. Companies are required to explain which third parties are accessing the data, and to ensure that when data is removed it is also removed from those companies.
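As an added example (not code from the original post, and not a product of WHub or 55 Agency), here is one way to implement the user controls described above in an application's own code: a per-purpose consent record that starts un-granted so nothing is pre-ticked, a check that only sends on an explicit grant, and an account-deletion routine that fans out erasure to every third-party processor the data was shared with and returns a receipt so the compliance lead can chase any vendor that did not confirm. The purposes, the `Processor` class and the vendor names are constructed for illustration.

```python
"""Consent tracking and account-deletion fan-out (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The two kinds of email the post asks users to control separately (assumed names).
PURPOSES = ("email_marketing", "email_notifications")


@dataclass
class ConsentRecord:
    granted: bool
    recorded_at: str  # ISO-8601 UTC timestamp, so the choice can be evidenced later
    source: str       # where the choice was made, e.g. "signup_form" or "settings_page"


@dataclass
class UserPreferences:
    email: str
    consents: dict = field(default_factory=dict)  # purpose -> ConsentRecord


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def new_user(email: str) -> UserPreferences:
    """Positive opt-in: every purpose starts as NOT granted. No box is pre-ticked."""
    prefs = UserPreferences(email)
    for purpose in PURPOSES:
        prefs.consents[purpose] = ConsentRecord(False, _now(), "default")
    return prefs


def record_consent(prefs: UserPreferences, purpose: str, granted: bool, source: str) -> ConsentRecord:
    """Store an explicit choice (grant or withdrawal) with when and where it was made."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    prefs.consents[purpose] = ConsentRecord(granted, _now(), source)
    return prefs.consents[purpose]


def can_send(prefs: UserPreferences, purpose: str) -> bool:
    """Only a recorded, explicit grant allows a send; a missing record means no."""
    rec = prefs.consents.get(purpose)
    return bool(rec and rec.granted)


class Processor:
    """Simulated third party (e.g. a mailing-list vendor) holding a copy of user data."""

    def __init__(self, name: str, confirms_erasure: bool = True):
        self.name = name
        self.records: dict = {}
        self.confirms_erasure = confirms_erasure  # False simulates a vendor that never confirms

    def share(self, email: str, data: dict) -> None:
        self.records[email] = data

    def erase(self, email: str) -> bool:
        if not self.confirms_erasure:
            return False
        self.records.pop(email, None)
        return True


def delete_account(email: str, users: dict, processors: list) -> dict:
    """Remove the account locally and from every processor it was shared with.

    Returns a receipt listing which vendors confirmed erasure, so that any
    unconfirmed deletion can be followed up rather than silently forgotten.
    """
    users.pop(email, None)
    results = {p.name: p.erase(email) for p in processors}
    return {"email": email, "processors": results, "complete": all(results.values())}


if __name__ == "__main__":
    users = {}
    prefs = new_user("alice@example.com")  # constructed sample user
    record_consent(prefs, "email_marketing", True, "signup_form")
    users[prefs.email] = prefs
    vendor = Processor("mail-vendor")
    vendor.share(prefs.email, {"email": prefs.email})
    print(delete_account(prefs.email, users, [vendor]))
```

The receipt is the piece worth keeping: if `complete` is false, the person assigned to own GDPR compliance has a concrete list of vendors to contact, which is exactly the third-party obligation the Privacy Policy update has to describe.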
Internally, you need to assign a lead to be in charge of following and ensuring GDPR compliance. A lot of people have asked whether this needs to be a Data Protection Officer (DPO), lawyer, or general counsel. No, it does not, as there is no certificate or course to take. Although there is a trend of compliance officers joining startups much earlier than before, this is not a requirement. The main point is that this person has a new KPI: making sure the company maintains GDPR compliance.
This individual (or group) should be conducting an assessment of current compliance. The assessment guide from the UK's Information Commissioner's Office is a perfect place to start.
Conclusion
All startups, not only in Hong Kong, should be taking into account what the GDPR represents from a global compliance point of view and for how we see the use of data and interactions. This is only the first of many regulations aimed at helping ensure the protection of data and privacy.
We, as an ever-growing ecosystem, should be embracing change and ensuring the best for our customers, because we would expect the best for ourselves.
Our goal as startups should not be to fear regulators or penalties, but to instil trust in our customers.
Later this month, on June 26th, 2018, WHub and 55 Agency will be putting on a panel on GDPR to share more information, insights and useful tips. More details can be found at https://whub.io/events/gdpr-is-here-what-you-need-to-know-as-a-startup-in-hong-kong-1528604533