Ultimate Privacy Compliance Guide

Privacy, Data Protection, the GDPR: they are one step away from becoming buzzwords. So what is all the fuss about? Does it concern your organisation at all?

This article is a guide to privacy compliance. It explains the biggest pain points:

  1. who needs privacy compliance;
  2. why you need it;
  3. which country has the authority to enforce it; and
  4. how you can put it to good use.

Do I Need Privacy Compliance?

Almost every company now collects personal information to some extent. Privacy laws deal with the protection of personal identifiers, such as a name, email or IP address (personally identifiable information), as well as with any other information about individuals that you collect (personal data).

Personal data includes website traffic, log, or cookie data, as well as all possible website accounts, public profiles, and event registration and contact forms. Details of employees processed in electronic form also count as personal data.

Examples of companies that need privacy compliance are:

  1. SaaS providers that either collect information from their users directly or receive sets of collected data from their clients;
  2. e-Commerce companies that have a website with a registration, order or contact form;
  3. companies that use analytics or cookies on their sites;
  4. employers, with regard to personal details, work performance and legal information (e.g. sick leave records) about their employees.

If your company collects any of the mentioned types of information, you will need to comply with data protection regulations.

Why Do I Need Privacy Compliance?

OK, I collect personal information. Now what?

To begin with, it is reasonable to protect your assets, and data is one of the most valuable assets in the 21st century.

More importantly, non-compliance may cost your business 2.5 times more than putting all the relevant measures in place. Here is why:

  1. Winning clients without privacy compliance can prove difficult. B2B clients that want to use SaaS for customer data processing may only engage providers that have the necessary data protection safeguards;
  2. Investment attractiveness. Investors who wish to secure their assets audit the data protection compliance of a startup before investing. Revealing non-compliance may cost you the deal or a 30% discount on it;
  3. Listing on Google Play or the Apple App Store. Such marketplaces require their vendors to have a Privacy Policy and to secure user data;
  4. Fines and regulatory sanctions. While a fine of up to 4% of annual turnover or 20 million euros is scary enough, other sanctions can harm even more: the EU and US authorities are authorised to impose temporary or permanent bans on a company's processing of user data, which can result in an ever-increasing loss of profit.

Finally, respect for privacy is about trust between you and your customers: people are more willing to share their details if they feel secure and trust the provider. The flip side is a breach of trust: a study claims that 78% of respondents do not want to engage with a brand that has suffered a major data breach.

Which Privacy Laws Apply To Me?

Factor 1 - Actual location of doing business

Data protection laws apply based on your actual place of doing business. The country of registration does not play a decisive role: applicability depends on the location of the office, employees, bank account and decision-makers. If a business is registered in South Asia but has its team and day-to-day operations in Germany, then German law will apply to its activities.

Factor 2 - Target market

Some privacy laws apply to your business even if you are located outside of the country's territory. For example, the European GDPR applies:

  1. When you target end-users of your goods or services in the European Union, say, through targeted advertising, by providing an interface in an EU language or by mentioning EU customers in client references;
  2. When you monitor the behaviour of individuals in the European Union. Examples are marketing research activities or analysis of publicly available data about citizens of one of the EU countries.

Factor 3 - Laws applicable to the business of your client

Additionally, you may want to comply with a country's data protection requirements if you partner with companies in that territory. B2B businesses that process customer data on behalf of their clients can be engaged only if they meet local privacy requirements.

Examples of such B2B partners include CRM, cloud storage and email notification providers, as well as remote technical support or software development agencies.

How Do I Comply with Privacy Laws?

Data protection compliance is a gradual, step-by-step process. Starting by drafting a Privacy Policy or encrypting data without a clear map of the data your company collects is a bad idea. Consider the following action plan instead:

  1. Privacy Audit / Assessment. Discover all activities within your company and create a comprehensive map of data or, more officially, records of processing activities. To achieve a full picture, involve all departments engaged in data processing: HR, recruiting, marketing, business intelligence, accounting, and the software development and technical support teams.
    After the mapping, you assess the risks and work out the measures that address them best.
  2. Internal Policies, Technical and Organisational Protection. Based on the assessment, you can start drafting the relevant Data Protection Policies and a Security Policy, and set up a procedure for answering data requests from your users.
    From a technical perspective, cover each data operation with protective measures that prevent a data breach: control access to data, including with two-factor authentication; where applicable, encrypt and mask the data; use antivirus software and a firewall; and monitor possible threats to data security.
  3. Privacy Kit: User Interface and Privacy Policies. How you interact with users on the website or application is important. For that, we suggest using Privacy Bundle, a standardised solution consisting of the Privacy Policy, Cookie Policy and guidance on a privacy-friendly user interface. For B2B startups it also includes a Data Processing Agreement to protect the data of client companies;
  4. Data Protection Training. Spread a privacy culture within your team, since human error is the #1 cause of personal data breaches. Familiarise your employees with basic privacy concepts and train them to perform their duties in compliance with data protection requirements;
  5. Data Processing Agreement. Manage relationships with the partner companies that receive customer data from you and sign appropriate data protection agreements. Another important point is international transfers: if your partners or suppliers are located in another country, this will require additional contractual safeguards, such as Standard Contractual Clauses;
  6. Data Protection Officer. Last but not least: consider whether you need a Data Protection Officer, a professional who oversees data protection compliance within the company. This role can be performed either by an internal employee or by an external contractor. Learn more about it in our article on the DPO.

Privacy compliance is not just about measures; it is about the mindset of you and your company. If you treat it as a company value, data protection becomes your competitive advantage, and we highly recommend seeing it this way. The network of privacy professionals at Legal Nodes is here to help you with any difficulties along the way.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Legal Nodes Team
