Privacy (GDPR)

Ultimate Privacy Compliance Guide

Privacy, Data Protection, the GDPR - they are one step from becoming buzzwords. So, what is all the fuss about it anyway? Does it concern your organisation at all?

This article is a guide to privacy compliance. It explains the biggest pain points:

  1. who needs privacy compliance;
  2. why you would need it;
  3. which country has the authority to enforce it; and
  4. how you can put this to good use.

Do I Need Privacy Compliance?

Almost any company now collects personal information to some extent. Privacy laws deal with the protection of personal identifiers, such as a name, email or IP address (personally identifiable information), as well as with any other information about individuals that you collect (personal data).

Personal data includes website traffic, log, or cookie data, as well as all possible website accounts, public profiles, and event registration and contact forms. Details of employees processed in electronic form also count as personal data.

Examples of companies that need privacy compliance are:

  1. SaaS providers that either collect information from their users directly or receive sets of collected data from their clients;
  2. e-Commerce companies that have a website with a registration, order or contact form;
  3. Companies that use analytics or cookies on their sites;
  4. Employers with regard to personal details, work performance records, and legal information (e.g., sick leave records) about their employees.

If your company collects any of the mentioned types of information, you will need to comply with data protection regulations.

Why Do I Need Privacy Compliance?

Ok. I collect personal information, now what?

To begin with, it is reasonable to protect your assets, and data is one of the most valuable assets in the 21st century.

More importantly, non-compliance may cost your business 2.5 times more than putting all the relevant measures in place. Here is why:

  1. Winning clients without privacy compliance can prove difficult. B2B clients that want to use SaaS for customer data processing may only engage providers that have the necessary data protection safeguards;
  2. Investment attractiveness. Investors who wish to secure their assets audit the data protection compliance of a startup before investing. Revealing non-compliance may cost the deal or result in a 30% discount on it;
  3. Listing on Google Play Market or the Apple App Store. Such marketplaces require their vendors to have a Privacy Policy and to secure users' data;
  4. Fines and regulatory sanctions. While a fine of up to 4% of annual turnover or 20 million euros is scary enough, other sanctions can harm even more: the EU and US authorities are authorised to impose temporary or permanent bans on a company's processing of user data, which can result in an ever-increasing loss of profit.

Finally, respect for privacy is about trust between you and your customers: people are more willing to share their details if they feel secure and trust the provider. The other side is a breach of trust: a study claims that 78% of respondents do not want to engage with a brand that has suffered a major data breach.

Which Privacy Laws Apply To Me?

Factor 1 - Actual location of doing business

Data protection laws apply based on your actual place of doing business. The country of registration does not play a decisive role: applicability depends on the location of the office, employees, bank account, and decision-makers. If a business is registered in South Asia but has its team and computing infrastructure in Germany, then German law will apply to its activities.

Factor 2 - Target Market

Some privacy laws apply to your business even if you are located outside of the country's territory. For example, the European GDPR applies:

  1. When you target end-users of your goods or services in the European Union, say, through targeted advertising, by providing an EU-language interface, or by mentioning EU customers in client references;
  2. When you monitor the behaviour of individuals in the European Union. Examples are marketing research activities or analysis of publicly available data about the citizens of one of the EU countries.

Factor 3 - Laws applicable to the business of your client

Additionally, you may want to comply with a country's data protection requirements if you partner with companies on that territory. B2B businesses that process customer data on behalf of their clients can be engaged only if they meet local privacy requirements.

Various examples of such B2B partners include CRM, cloud storage, and email notification providers, as well as remote technical support or software development agencies.

How Do I Comply with Privacy Laws?

Data protection compliance is a gradual, step-by-step process. Starting by drafting a Privacy Policy or encrypting data without a clear map of the data your company collects is a bad idea. Better consider the following action plan:

  1. Privacy Audit / Assessment. Discover all activities within your company and create a comprehensive map of data or, more officially, records of processing activities. To achieve a full picture, involve all departments engaged in data processing: HR, recruiting, marketing, business intelligence, accounting, and the people involved in software development and technical support.
    After the mapping, you assess the risks and figure out the measures that address them best.
  2. Internal Policies, Technical and Organisational Protection. Based on the assessment, you can start drafting the relevant Data Protection Policies and Security Policy, and set a procedure for answering data requests from your users.
    From a technical perspective, cover each data operation with protective measures that prevent a data breach: control access to data, including with two-factor authentication; where applicable, encrypt and mask the data; use antivirus and firewall software; and monitor for possible threats to data security.
  3. Privacy Kit: User Interface and Privacy Policies. How you interact with users on the website or application is important. For that, we suggest using Privacy Bundle, a standardised solution consisting of the Privacy Policy, Cookie Policy, and guidance on a privacy-friendly user interface. For B2B startups it also includes a Data Processing Agreement to protect the data of client companies;
  4. Data Protection Training. Spread a privacy culture within your team, since human error is the #1 cause of personal data breaches. Familiarise your employees with basic privacy concepts and train them to perform their duties in line with data protection requirements;
  5. Data Processing Agreement. Manage relationships with partner companies that receive customer data from you and sign appropriate data protection agreements. Another important point is international transfers: if your partners or suppliers are located in another country, this will require additional contractual safeguards, such as Standard Contractual Clauses;
  6. Data Protection Officer. Last but not least: consider whether you need a Data Protection Officer, a professional who oversees data protection compliance within the company. This role can be performed either by an internal employee or by an external contractor. Learn more about it in our article on the DPO.

Privacy compliance is not just about measures - it is about the mindset of you and your company. If you treat it as a company value, data protection becomes your competitive advantage, and we highly recommend seeing it that way. The network of privacy professionals at Legal Nodes is here to help you with any difficulties along the way.


Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice. 

Legal Nodes Team
