Ultimate Privacy Compliance Guide
Legal Nodes Team
Privacy, data protection, the GDPR: they are one step away from becoming buzzwords. So what is all the fuss about? Does any of it concern your organisation?
This article is a guide to privacy compliance. It addresses the biggest pain points:
- who needs privacy compliance;
- why you would need it;
- which country's laws apply and who can enforce them; and
- how to put it to good use.
Do I Need Privacy Compliance?
Almost every company now collects personal information to some extent. Privacy laws protect personal identifiers such as a name, email address or IP address (personally identifiable information), as well as any other information about identifiable individuals that you collect (personal data).
Personal data includes website traffic, log and cookie data, as well as data from website accounts, public profiles, event registrations and contact forms. Employee details processed in electronic form also count as personal data.
Examples of companies that need privacy compliance are:
- SaaS providers that either collect information from their users directly or receive sets of collected data from their clients;
- e-commerce companies whose website has a registration, order or contact form;
- companies that use analytics or cookies on their sites;
- employers, with regard to their employees' personal details, performance records and legal information (e.g. sick leave records).
If your company collects any of these types of information, you need to comply with data protection regulations.
Why Do I Need Privacy Compliance?
OK, I collect personal information. Now what?
To begin with, it is reasonable to protect your assets, and data is one of the most valuable assets of the 21st century.
More importantly, non-compliance can cost your business 2.5 times more than putting the relevant measures in place. Here is why:
- Winning clients without privacy compliance can prove difficult. B2B clients that want to use a SaaS product to process their customers' data may only engage providers that have the necessary data protection safeguards in place;
- Investment attractiveness. Investors who want to secure their assets audit a startup's data protection compliance before investing. Discovering non-compliance can cost you the deal, or a discount of up to 30% on it;
- Fines and regulatory sanctions. While a fine of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher, is scary enough, other sanctions can hurt even more: EU and US authorities can impose temporary or permanent restrictions on a company's processing of user data, which can result in an ever-growing loss of revenue.
Finally, respect for privacy is about trust between you and your customers: people are more willing to share their details if they feel secure and trust the provider. The flip side is a breach of trust: one study found that 78% of respondents would not want to engage with a brand that had suffered a major data breach.
Which Privacy Laws Apply To Me?
Factor 1 - Actual location of doing business
Data protection laws apply based on where you actually do business. The country of registration is not decisive: applicability depends on where your office, employees, bank account and decision-makers are located. If a business is registered in South Asia but its team and operations are in Germany, German law applies to its activities.
Factor 2 - Target Market
Some privacy laws apply to your business even if you are located outside the country's territory. For example, the European GDPR applies:
- When you target end-users of your goods or services in the European Union, for example through targeted advertising, an EU-language interface, or mentioning EU customers in client references;
- When you monitor the behaviour of individuals in the European Union, for example through marketing research or analysis of publicly available data about people living in one of the EU countries (the GDPR looks at where the individuals are, not at their citizenship).
Factor 3 - Laws applicable to the business of your client
Additionally, you may need to comply with a country's data protection requirements if you partner with companies in that country. B2B businesses that process customer data on behalf of their clients (processors, in GDPR terms) can only be engaged if they meet the privacy requirements that apply to their clients.
Typical B2B partners of this kind include CRM, cloud storage and email notification providers, as well as remote technical support and software development agencies.
How Do I Comply with Privacy Laws?
- Privacy Audit / Assessment. Discover all data-handling activities within your company and create a comprehensive data map or, more formally, records of processing activities. To get the full picture, involve every department engaged in data processing: HR, recruiting, marketing, business intelligence, accounting, and the people working in software development and technical support.
After the mapping, assess the risks and work out which measures address them best.
- Internal Policies, Technical and Organisational Protection. Based on the assessment, you can draft the relevant Data Protection Policies and Security Policy, and set up a procedure for answering data requests from your users.
From a technical perspective, cover each data operation with protective measures that prevent a data breach: control access to data, including with two-factor authentication; collect and retain only the data you actually need; where applicable, encrypt and mask (pseudonymise) the data; use antivirus and firewall software; and monitor for threats to data security.
- Data Protection Training. Spread a privacy culture within your team, since human error is among the most common causes of personal data breaches. Familiarise your employees with basic privacy concepts and train them to carry out their duties in a compliant way;
- Data Processing Agreement. Manage relationships with partner companies that receive customer data from you and sign appropriate data processing agreements. Another important point is international transfers: if your partners or suppliers are located in another country (for EU data, outside the EEA in a country without an adequacy decision), additional contractual safeguards such as Standard Contractual Clauses are required;
- Data Protection Officer. Last but not least, consider whether you need a Data Protection Officer, a professional who oversees data protection compliance within the company. This role can be filled by an internal employee or an external contractor. Learn more in our article on the DPO.
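As an added illustration of the "encrypt and mask the data" measure in the list above (example code written for this guide, not a Legal Nodes tool or anything the article prescribes), the following Python pseudonymises and minimises a constructed web access log before it is handed to analytics or kept for the long term. The log format, the field names and the key are assumptions; the key would normally live in a secrets manager, separate from the data.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical secret. In practice it lives in a secrets manager or KMS,
# separate from the pseudonymised dataset, and is rotated; it is constructed
# here only so the example runs offline.
PSEUDONYMISATION_KEY = b"example-key-keep-out-of-the-dataset"


def pseudonymise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed HMAC-SHA256 token for an identifier.

    The same identifier always maps to the same token, so records can still be
    joined and counted, but without the key nobody can reverse the token or
    confirm a guess by hashing candidate emails. A plain unkeyed hash would
    fail that second test.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain for support staff."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return "***"
    return f"{local[0]}***@{domain}"


def truncate_ip(ip: str) -> str:
    """Zero the host bits (IPv4 /24, IPv6 /48) so the address no longer identifies one device."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise_log_line(line: str, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Turn one raw access-log line into a record safe for analytics and retention."""
    timestamp, ip, email, method, path = line.split(" ", 4)
    return {
        "ts": timestamp,
        "ip_prefix": truncate_ip(ip),
        "user_token": pseudonymise(email, key),
        "user_display": mask_email(email),
        "request": f"{method} {path}",
    }


# Constructed sample lines in the hypothetical format
# "<timestamp> <client-ip> <account-email> <method> <path>".
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:00Z 203.0.113.42 alice@example.com GET /account",
    "2024-03-01T10:00:05Z 2001:db8:abcd:1234::1 Bob.Smith@example.org POST /order",
    "2024-03-01T10:00:09Z 203.0.113.42 ALICE@example.com GET /orders",
]


def minimise_log(lines=SAMPLE_LOG_LINES, key: bytes = PSEUDONYMISATION_KEY) -> list:
    """Minimise a whole log; the raw lines should be deleted once this has run."""
    return [minimise_log_line(line, key) for line in lines]


if __name__ == "__main__":
    for record in minimise_log():
        print(record)
```

Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under the GDPR (Art. 4(5) and Recital 26) as long as the key exists, so the key must be stored separately and access to it controlled and logged; and the truncated IP and masked email are kept precisely because they carry less information, which limits the damage if the minimised log itself leaks. Deleting the raw lines after minimisation is what turns this into actual data minimisation rather than a second copy.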
Privacy compliance is not just about measures; it is about the mindset of you and your company. If you treat it as a company value, data protection becomes a competitive advantage, and we highly recommend seeing it this way. The network of privacy professionals at Legal Nodes is here to help you with any difficulties along the way.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.