The quick start guide to GDPR compliance for startups.
Complying with privacy regulations like the GDPR and CCPA can be a painful experience, but follow these simple steps and your business will be privacy-compliant quickly and efficiently.
What’s more, you’ll also make your business more trusted and ready to convert more sales. Let’s get stuck in.
But what are those ‘other things’ and how do you go about doing what you need to do? Is it even worth worrying about this whole privacy compliance thing?
We’ll answer these questions in this article but the short answer is that to get GDPR done, you need to follow a plan. And yes, you should definitely worry about it if you choose to ignore the regulations!
You see, processing personal data without managing privacy compliance is a bit like driving a car without an MOT. If something happens, it’s you who is at fault. And that’s not to mention possibly invalidating your business insurance, contracts or even that exit you’ve been planning.
Privacy compliance doesn’t need to be a headache
Getting your business GDPR or CCPA compliant can be a massive headache. But doing privacy compliance properly doesn’t have to be a pain. In fact, thanks to some helpful new tools you can now do your compliance on one platform and generate all your privacy documentation automatically and dynamically.
It’s easy to follow our simple proven action plan to keep your business safe and it will take minimal effort. So why take the risk?
In this article, we’ll guide you step by step through what you need to do to get your startup privacy compliant with some helpful tips that will save you time along the way.
How to get GDPR done the easy way
You can make your life so much easier by understanding this. Making your business privacy-compliant is a journey, not a destination.
It’s an ongoing process, not a one-off event. That’s to say, you’re better off putting a system in place that will keep you compliant from the off. The alternative is a painful set of disconnected spreadsheets and policies that quickly end up out of date and become a liability that you’ll live to regret.
By introducing a system, you can keep your business legal and safe with minimal effort and maximum efficiency, and leverage the power of end-to-end privacy to keep your business looking tip-top and trustworthy at all times.
How to think about GDPR compliance
The process of compliance is much easier if you think of it in these very high-level stages:
We’ll go into each of these areas so you can understand what you need to do at each stage.
Privacy compliance is, at its essence, all about managing personal information. So, it goes without saying that to manage the personal data in your organisation, first you need to know what you’ve got and where it is.
What is personal data?
At its simplest level, if you can work out from the data who the information relates to then it’s personal data. In GDPR terminology it’s often referred to as Personally Identifiable Information or PII.
You’ll need to find out what personal data you collect, where and who you are collecting it from, and why you are collecting it. You’ll need to work out where you are saving the data you collect, and the third parties you might be sharing it with. It’s also key to record any third parties who may be sharing data with you.
How to make a data map of your business
The process of discovery may at first seem to be very simple, but the more you think about it, the more personal data you will realise your business has.
Often, when I’m talking to people they tell me they don’t need to be privacy compliant because they don’t have any personal data. When I ask them a few simple questions they soon realise that personal data is everywhere. Including in their business!
Just think about your colleagues, your suppliers and your customers and all the personal information you have about them. Then start to think about your marketing activities and other business operations that bring you into contact with personal data. It’s a lot of information.
Here’s a checklist of ten of the most common areas where you may be using personal data:
- HR – Your employee data contains a lot of personal information
- Marketing – Email campaigns, exhibitions, etc.
- Suppliers – All the suppliers that enable you to operate
- Customers – The customer records you keep
- Using CCTV – If you use CCTV you are collecting PII
- Public WiFi hotspots – The same applies if you offer a public WiFi hotspot
- Online applications – Video conferencing and cloud applications
- Banking – Paying people involves passing data to your bank
- Third parties – Any suppliers that process your data for you
- Deliveries – Names and addresses to enable your deliveries
I’m sure you’ll start to think of many other areas of your operations where you collect, use, store or share personal information.
It’s a good idea to collaborate with your colleagues early in this stage. Areas like marketing can have complex data flows to map so it’s good to do this with the people who know their operations well.
When you have mapped out all the personal data your organisation manages you’ll probably be surprised at the amount of data you control.
All the information you have discovered now needs to be documented in a way that records the details. This becomes your data map.
Data Mapping Tools
Traditionally compliance teams have tended to use spreadsheets to do the data mapping documentation, but I wouldn’t recommend this route as there are now much better ways to do this.
There are so many reasons why spreadsheets are not good for making data maps.
Here are just a few of the challenges they pose:
- Spreadsheets have to be created, are difficult to work on, and tiresome to update.
- They’re not great for collaborating with your colleagues.
- The worst thing is that even when you have done the hard work of completing your data mapping exercise, there’s no way you can use the data map to automatically create your policies and maintain the rest of your privacy compliance requirements.
It’s a much smarter choice to use a data mapping tool like the one built into PORT.im as it will make the mapping and collaboration much easier and then the information you’ve entered forms the core of your privacy centre. When you update your data the whole of your privacy centre is updated. In effect, you only enter the information once, and then use it many times.
Sensitive information, also known as Special Category Data
Keep in mind that some information is more sensitive than others. The GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
If you have data of this nature in your business then flag it for special attention.
When dealing with sensitive information there are many more requirements to meet in order to stay compliant.
To find out more, the ICO has very clear guidance on the subject. You can see it here.
To be compliant you need to be able to demonstrate you are compliant. This principle is defined in Article 30 of the GDPR.
What is Article 30 of the GDPR?
The records you need to keep to comply with the GDPR are called your “records of processing activities”. They are defined in Article 30 of the GDPR.
Article 30 records of processing activities are what you will need to show the regulators to demonstrate why and how you are processing personal data.
It’s important to maintain your records of processing activities and keep them up-to-date and consistent with your activities and policies.
What must your Article 30 records of processing include?
According to the ICO, your organisation must document these details:
- The name and contact details of your organisation
- The name and contact details of your Data Protection Officer if applicable or a person responsible for your GDPR compliance.
- The name and contact details of any joint data controllers you work with.
- The name and contact details of your EU representative if you are based outside the EU
- The purposes of your data processing
- The categories of individuals whose data you process
- The categories of personal data you process
- The categories of recipients of the personal data you process
- The name of any third countries or international organisations that you transfer personal data to outside the EU
- The safeguards in place for transfers of personal data to third countries or organisations outside the EU
- The retention schedules for the different categories of personal data, if possible
- A general description of your technical and organisational security measures, if possible
It’s a lot of detail to record and can be challenging to document and maintain for a startup.
Pro tip: You may not want to attempt to do all this in spreadsheets. It’s far easier, more robust and simpler to maintain if it’s done on a specialist platform like PORT.im.
Lawful basis for processing
For every data processing purpose you record you will need to decide on the lawful basis upon which you will rely.
Of the six lawful bases available, the most common ones to use are consent and legitimate interest.
You can learn more about which lawful basis to use in this article.
Pro tip: You don’t need to rely on consent unless you really have no other option. Legitimate interest is a very useful alternative and is much easier to manage. Just remember that you should carry out a Legitimate Interest Assessment (LIA) if you are planning to use legitimate interest as your lawful basis for processing. You can use the legitimate interest assessment in PORT.im.
Are you a data controller, a joint controller, or a data processor?
It’s important to understand your role in relation to the personal data you’re processing. Your responsibilities will vary depending on whether you are a data controller, a joint controller, or a data processor.
The simplest way to know which you are is to ask yourself a simple question. Is it us who decides what this data is used for and how it’s going to be used?
If the answer is yes, then you are a data controller.
If you are working with another business to collect and use data then it’s possible you could be acting as a joint controller.
Here’s an example of a joint controller role:
You run a coffee shop and you offer a free public WiFi hotspot that’s provided by a WiFi operator. Users have to register to have access to the WiFi and both you and the WiFi operator collect their personal information for marketing purposes.
In this case, your business and the WiFi operator are both joint controllers.
If you simply receive data from a data controller and carry out processing on their behalf then it’s likely you are a data processor for this purpose.
Your role will change depending on each purpose of data processing.
You’ll need to record your data processing role against each of your data processing activities.
Now is the time to implement GDPR compliance in your business. This is where all the detail you collected into your data map forms the basis for your actions.
Do you need a Data Protection Officer?
Generally, unless your business is particularly large or handling sensitive data, you will not need to appoint a formal Data Protection Officer (DPO).
Pro tip: Here’s an easy way to find out if you need a Data Protection Officer: the ICO offers a simple online checker. You’ll find it here.
Staff Privacy Notice
Pro tip: PORT.im automatically generates all these policies for you, and keeps them up-to-date, helping you to convert more sales more safely.
Manage Data Subject Access Rights
Privacy regulations give people personal data rights that they can exercise with your business. These are sometimes referred to as DSAR or SARs (Subject Access Requests).
Rights requests are an important aspect of GDPR so you should set up systems and processes for managing and logging incoming requests and responding to them appropriately.
If your lawful basis for a data processing purpose is consent from the data subject, i.e. the person to whom the data relates, then you need to ensure you are collecting explicit consent for that purpose and that you record that consent.
If you are using online services for your business then many SaaS platforms already have consent mechanisms built-in. But remember that many don’t.
For example, MailChimp has the ability to create forms that incorporate consent statements and consent capture mechanisms. That generally means tick boxes to be ticked.
Pro tip: If you are gaining consent from people, don’t use any pre-ticked opt-ins. This is an area that many regulators are getting hot on and might get you into unnecessary trouble.
A key aspect of privacy compliance is that you are responsible for the security of the personal data in your control. You must use appropriate technical and organisational measures to ensure the personal data is protected securely.
Information security policy
As part of your organisational security, you should produce an information security policy for your staff.
Implementing a security policy and adhering to sensible procedures will help to ensure personal data remains secure and no one sends personal data in unencrypted files by email.
Data breach recording and procedures
It’s so easy to leave a laptop on a train or accidentally send a spreadsheet of personal data to the wrong person. These are typical data breach scenarios that can happen but that can also be easily mitigated by a little planning.
Personal data should always be encrypted when stored. This helps to protect it if it falls into the wrong hands. On your laptops or your company systems, personal data must never be left exposed to possible abuse.
Privacy compliance is one of the very few aspects of operating a business that affects everybody in your company. It’s important that you provide training for everyone who comes into contact with personal information as part of their role.
Training is particularly important for those of your team who are customer-facing. They must be aware of the risks and competent if they receive complaints or subject access requests.
Data Protection Impact Assessments (DPIAs)
If you are planning on processing large amounts of personal information or special category data you will need to complete a Data Protection Impact Assessment (DPIA).
By undertaking a DPIA you will be able to identify any significant risks and take measures to mitigate them.
Legitimate Interest Assessments (LIAs)
If you decide to rely on legitimate interest as your lawful basis for processing data you will need to carry out a Legitimate Interest Assessment (LIA).
By undertaking an LIA you are demonstrating that you have carefully considered the case for relying on legitimate interest and you are confident that your interests are balanced with those of the people whose data you are processing.
Data Processing Agreements (DPAs)
Whenever a controller uses a data processor there must be a written contract in place. This arrangement ensures that both parties understand their responsibilities and liabilities.
It’s likely that your business is a data controller. So if you use a service like MailChimp, they will be a data processor. A large organisation like MailChimp will provide you with a DPA for your records.
When you use a data processor you must ensure, for your own safety, that a DPA is in place. It’s equally important if you are acting as the data processor.
To stay on top of your responsibilities it’s useful to receive regular status reports to keep you informed and on track.
Schedule regular reviews of your data map and all related activities. We suggest quarterly at the very least. If your business is changing quickly then you may want to review your GDPR compliance even more frequently.
Your review will cover a number of areas:
- Data Map
Your review will include questions like: have you added any new third parties? Are they data controllers, joint controllers, or data processors? Do you have a Data Processing Agreement in place with them?
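The review questions above, together with the rules the article sets out earlier (one of the six lawful bases per purpose, an LIA when relying on legitimate interests, recorded consent with no pre-ticked opt-ins, special category data flagged for a DPIA, a DPA with every processor, a retention schedule), can be run automatically over a machine-readable data map. The check below is an added example, not code from PORT.im or the ICO; the record field names and the sample activities are assumptions constructed for illustration.

```python
"""Automated review of one data-map / Article 30 entry (added example)."""
from dataclasses import dataclass, field

# The six lawful bases under the GDPR (Article 6).
LAWFUL_BASES = {"consent", "contract", "legal obligation",
                "vital interests", "public task", "legitimate interests"}
# Special category data as listed in the article.
SPECIAL_CATEGORIES = {"racial or ethnic origin", "political opinions",
                      "religious or philosophical beliefs",
                      "trade union membership", "genetic", "biometric",
                      "health", "sex life", "sexual orientation"}
ROLES = {"controller", "joint controller", "processor"}


@dataclass
class ProcessingActivity:
    """One row of the data map; field names are assumptions, not a standard."""
    purpose: str
    role: str                       # controller / joint controller / processor
    lawful_basis: str
    data_categories: list = field(default_factory=list)
    processors: list = field(default_factory=list)  # third parties processing for you
    dpa_in_place: bool = False      # written contract with each processor
    lia_done: bool = False          # Legitimate Interest Assessment completed
    consent_recorded: bool = False  # explicit consent captured and logged
    pre_ticked_optin: bool = False  # pre-ticked boxes are not valid consent
    retention: str = ""             # retention schedule for this purpose


def check_activity(a: ProcessingActivity) -> list:
    """Return review findings for one activity; an empty list means it passes."""
    findings = []
    if a.role not in ROLES:
        findings.append(f"unknown role {a.role!r}: record controller/joint/processor")
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append(f"lawful basis {a.lawful_basis!r} is not one of the six")
    if a.lawful_basis == "legitimate interests" and not a.lia_done:
        findings.append("legitimate interests relied on without an LIA")
    if a.lawful_basis == "consent":
        if not a.consent_recorded:
            findings.append("consent is the basis but no consent record is kept")
        if a.pre_ticked_optin:
            findings.append("pre-ticked opt-in is not valid consent")
    special = sorted(c for c in a.data_categories if c in SPECIAL_CATEGORIES)
    if special:
        findings.append(f"special category data {special}: flag and complete a DPIA")
    if a.processors and not a.dpa_in_place:
        findings.append(f"processors {a.processors} used without a DPA")
    if not a.retention:
        findings.append("retention schedule missing")
    return findings
```

Run `check_activity` over every row after each quarterly review; any non-empty result is an item for the update step that follows.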
Having reviewed all aspects of your GDPR compliance you will need to update your records, policies, and notices and any other areas that have changed.
To stay safe you should repeat the review process to ensure that your organisation is not exposed to unnecessary risks that could be very damaging to your business.