A small GDPR guide for startups

Authored by Sam Richards
Posted Wednesday, April 1, 2020 - 6:18am

Because of growing data privacy and security concerns, the European Union enacted the General Data Protection Regulation (GDPR) on the 25th of May, 2018. Organizations that collect or otherwise process information relating to people must comply with its strict rules or face penalties reaching up to 20 million Euros. GDPR applies to big and small businesses alike if they process information about clients (or other natural persons), such as financial details or email addresses. Despite it having been in effect for almost 2 years now, not every fresh startup owner knows about the various requirements of this law. But with the help of specialists from a corporate law firm in Lithuania and a handy checklist, they can learn their responsibilities.

Review and define your data protection policy

If your business is planning to acquire and store (or otherwise process) personal data, it must first identify an appropriate legal basis for doing so (e.g., obtain permission from the client/individual). If you rely on consent, you must clearly explain, in advance, what data you are collecting and why.

When a person refuses to give consent, you are (in most cases) prohibited from storing their data in any way, no matter what the circumstances are. This applies even to something as simple as an incentive to sign up for a newsletter.

For a business to fully comply with GDPR, it must show that it has a legal basis to store or otherwise process personal data (e.g., the user’s consent to hold their data). If you don’t, you will face monetary consequences. If you need to obtain consent, a pre-ticked checkbox is not enough. That’s why it’s strongly advised to contact a trusted corporate law firm in Lithuania to draft a proper consent form and fully discuss your policy.

Ensure data security

Personal information can be found and stored in various places, from such simple things as email inboxes to services like Microsoft Office 365 and Dropbox. GDPR covers data held in all of these places. Therefore, creating a data processing and storage policy is important.

It should establish clear guidelines on where data is stored, how this is done, and who has access to it. Data processors usually need access to some parts of the stored information, and this access also needs to be defined. Under some circumstances, information needs to be transferred between departments, delivery services and the like. These transfers also require a specific procedure and an emergency plan in case of a data breach. A lawyer from a reputable corporate law firm in Lithuania or a neighboring region may also strongly advise encrypting all incoming and outgoing data to reduce the risk of sensitive data loss.

Appoint a Data Protection Officer

This requirement mostly applies to larger businesses rather than smaller ones. However, if a startup processes special categories of data at high volume, or the core purpose of the company is to conduct large-scale data processing, it must also appoint a Data Protection Officer.

One person should be responsible for GDPR compliance and for making sure that everything meets the regulations. Because most startups don’t have a team member trained in law, it’s recommended to hire a qualified lawyer from a corporate law firm in Lithuania who can give proper advice on how to meet the requirements.

Create data processing notices

Also known as Fair Processing Notices (FPN), these documents detail how your business deals with the data it acquires: how you gather it, where it is stored, and how a person can request access to it. An FPN should be prominently displayed on a company’s website, with details of or links to the full notice, so that a person can better understand what is happening with his/her data.

There are many more requirements that startups and small businesses must meet; the ones mentioned above are just a starting guideline. To be fully compliant with GDPR, it’s strongly advised to hire an appropriate lawyer from a corporate law firm in Lithuania. Even the smallest breach of these regulations results in an enormous financial fine.