Privacy Law Compliance for New Start-Ups
New start-ups must comply with certain privacy laws. Understanding what these compliance requirements are and how they apply to your business can be challenging.
Privacy law compliance refers to the steps that a company takes to meet its legal and regulatory requirements for collecting, processing, handling, and storing personal data.
We're going to take you through exactly what you need to know to get started.
- 1. Terms You Should Understand
- 1.1. Personal Information
- 1.2. Consent
- 1.3. Data Protection
- 1.4. Data Controller
- 1.5. Data Processor
- 2. The Key Privacy Laws You Should Know About
- 2.1. General Data Protection Regulation (GDPR)
- 2.2. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 2.3. California Consumer Privacy Act (CCPA)
- 2.4. Stop Hacks and Improve Electronic Data Security Act (SHIELD)
- 2.5. Australian Privacy Act (APA)
- 3. Conducting a Data Audit
- 3.1. What Data You Collect
- 3.2. Where it Comes From
- 3.3. Who You Share it With
- 3.4. Who Can Access it
- 3.5. How it Moves Around Your Company
- 4. Determine Your Lawful Basis
- 5. Data Security
- 6. Staff Training
- 7. Responding to Data Breaches
- 7.1. Incident Response Plan
- 8. Your Privacy Policy
- 9. Your Cookies Policy
- 10. Your Terms and Conditions Agreement
- 11. Your Return and Refund Policy
- 12. Your End-User License Agreement (EULA)
- 13. GDPR Compliance for Start-Ups
- 13.1. Principles for Processing Data
- 13.2. Individual Rights
- 13.3. Data Identification
- 13.4. Your Lawful Basis
- 13.5. Getting Consent
- 13.7. Example: Moderna
- 13.8. Example: Everlane
- 14. Conclusion
You won't be expected to comply with every privacy law out there (for example, a start-up with no EU presence that doesn't target people in the EU won't need to comply with the EU's General Data Protection Regulation), but you should still understand the rules that might apply, in case your business changes.
Privacy law compliance matters. Mishandling the data entrusted to you by your customers and other individuals can:
- Damage your company's reputation
- Result in lawsuits or fines
- Irreparably damage your business
Understanding your compliance requirements now saves you time, hassle, and resources down the line.
So, now that we're clear on why compliance matters, let's explore privacy law compliance for new start-ups in more detail.
Terms You Should Understand
It's important that you understand what these 5 key privacy terms mean before we go any further, since we'll use these words and phrases throughout the article.
Personal Information
Personal information (or personal data) is any information that identifies a particular person, or that can be used to identify one, whether on its own or combined with other data. That includes obvious identifiers like a name or email address, but also online identifiers: most companies gather some form of personal data from site visitors, even if it's just their IP address.
If you handle any personal data, you must safeguard it and comply with the privacy laws that apply to you.
Consent
You need someone's clear, explicit, and informed consent for certain types of personal data processing, such as capturing email addresses for marketing purposes.
Consent, whenever it's required, must be freely given. If a consumer feels "bullied" into agreement, or can't use your service without agreeing to something unrelated to it, the consent is invalid.
Article 4(11) of the GDPR contains a useful definition: consent is any freely given, specific, informed and unambiguous indication of the individual's wishes, given by a statement or by a clear affirmative action.
Data Protection
Data protection is how you safeguard personal information: the technical and organisational measures you use to protect data. It's part of your overall privacy law compliance requirements.
Data Controller
The data controller is the organisation that decides why personal data is collected and how it's processed. If your start-up collects customer data for its own purposes, it's the data controller.
Data Processor
A data processor is a company that processes personal data on behalf of a controller, for the purposes the controller sets, e.g. a payment processor or a cloud hosting provider. The controller supplies the data and the instructions; the processor must not use the data for its own ends.
The Key Privacy Laws You Should Know About
There are 5 privacy laws in particular that you may need to comply with, depending on where in the world you do business.
General Data Protection Regulation (GDPR)
The EU's GDPR is the most detailed privacy law in the world. It confers many rights on individuals in the EU (regardless of their citizenship), and it strictly regulates how organisations collect, process, and handle their data.
Transparency and accountability underpin the GDPR. Individuals have the right to know why you need their data, what you plan on doing with it, on what lawful basis, and how long you'll hold it for, and you must be able to show how you comply.
Personal Information Protection and Electronic Documents Act (PIPEDA)
If you're a private-sector organisation and you collect, use, or disclose personal information about individuals in Canada in the course of commercial activity, you're bound by PIPEDA (some provinces have their own substantially similar laws that apply instead).
In short, you must safeguard personal information even if you're only handling it in passing. You don't need to be storing or recording it to trigger the Act.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act, or CCPA (as amended by the CPRA), is one of the most comprehensive privacy laws in the U.S. It applies to for-profit businesses that meet thresholds on annual revenue, the volume of personal information they handle, or the share of revenue they earn from selling or sharing it. The CCPA gives California residents the right to:
- Know what personal information you collect about them, and how you use and share it
- Opt out of the sale or sharing of their personal information
- Ask companies to delete their personal information
- Not be discriminated against for exercising these rights
So, if you want to target California residents, you need to get familiar with the CCPA.
Stop Hacks and Improve Electronic Data Security Act (SHIELD)
New York's SHIELD Act protects the private information of New York residents.
If you own or license computerised data that includes a New York resident's private information, meaning a name or other identifier combined with a sensitive data element such as a Social Security number, driver's licence number, financial account number with its access code, or biometric data, or a username or email address together with its password, you must implement reasonable administrative, technical and physical safeguards. You must also notify affected individuals, and the relevant state authorities, of data breaches.
Australian Privacy Act (APA)
If you're based in Australia, or plan on doing business there, you may need to comply with the Privacy Act 1988 (Cth). Its Australian Privacy Principles bind organisations with an annual turnover above AUD 3 million, plus some smaller businesses regardless of turnover (health service providers and businesses that trade in personal information, for example).
The Act confers various privacy rights on individuals in Australia and gives them control over what companies can do with their personal information.
Regardless of what privacy laws apply, there are a few steps you'll need to work through to ensure your start-up is secure and data protection compliant. Let's work through them.
Conducting a Data Audit
First, perform a data audit. The lists provided are non-exhaustive, but you should identify the following:
What Data You Collect
- Telephone Numbers
- Payment Details
Where it Comes From
- Server logs
- Email correspondence
- Telephone enquiries
- Web forms
Who You Share it With
- Third parties e.g. marketing companies
- Data processors
Who Can Access it
How it Moves Around Your Company
- Laptops and PCs
- Filing cabinets
- Mail room
Once you've completed your audit, you can move on to the next step.
Determine Your Lawful Basis
You should only ever capture as much personal data as you need to complete a specific task.
So, ask yourself:
- Why am I collecting this information?
- How long do I need it for?
- What will I do with it once it's no longer necessary?
- If the customer asks me why I've got this data, do I have an answer?
Having a "lawful basis" for collecting personal data is mandatory for GDPR compliance. We'll look at this in more detail further down.
Data Security
It's your responsibility to keep personal data safe from the moment it's received to the moment it's deleted. So, you must understand what data you're handling and what happens to it once it's in your possession.
To get started, you might want to consider:
- Keeping operating systems and applications patched, and running endpoint protection (antivirus and antispyware) on your devices
- Securing your WiFi with WPA2 or WPA3 and a strong passphrase, and keeping guest devices on a separate network
- Network monitoring and logging, so you can spot unusual access
- Encrypting files and devices (full-disk encryption on laptops, and encryption in transit and at rest for stored data)
- Multi-factor authentication and least-privilege access, so staff only see the data their role requires
- Backups that are tested regularly and kept separate from your main systems
- CCTV and other onsite security
- Secure filing cabinets and door access codes
Staff Training
You need a process for ensuring that staff:
- Understand their data protection and compliance responsibilities
- Know who to contact if they have any questions or concerns
Cyber threats and hacking attempts evolve constantly. Ensure that your staff know how to recognise the latest threats, phishing in particular, and that they:
- Use strong, unique passwords, ideally generated and stored by a password manager, with multi-factor authentication wherever it's available
- Change passwords promptly whenever there's any sign they've been compromised (forced periodic rotation is no longer recommended by NIST, because it tends to produce weaker, predictable passwords)
- Lock their computer and personal devices if they're away from their desk or workspace
If you plan on allowing staff to work remotely, ensure that they know how to protect business and customer data. Laptops should use full-disk encryption, and files should be encrypted where possible.
Responding to Data Breaches
No matter which privacy laws apply, every company must have basic procedures in place for:
- Identifying data breaches
- Reporting these breaches to relevant parties
- Mitigating the damage
- Reducing the risk of data breaches occurring
So, how do you deal with data breaches effectively? You need an incident response plan.
Incident Response Plan
The incident response plan is a roadmap for handling data breaches and major data loss. Every plan should include:
- A summary of the main threats facing the business
- Details for a designated point of contact (this can be a single person or an incident response team, depending on the size or complexity of your business)
- Steps for containing an incident and preserving the evidence (logs, affected systems) you'll need to work out what happened and whose data was involved
- The notification deadlines under the laws that apply to you (for example, the GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them, and affected individuals to be told without undue delay when the risk to them is high)
- Guidance for communicating with affected individuals
- Guidelines for preventing data breaches
The steps you take need only be proportionate to:
- The size of your company
- The financial consequences of a breach
- The risk posed to affected individuals
No one expects a commercial start-up to have the same incident response plan as a multinational financial corporation. But you must have something in place.
Your Privacy Policy
Your Privacy Policy is the document that tells individuals what you do with their data. Include clauses outlining:
- Your company name and contact details
- The data you collect
- Reason for data collection
- How you use the data
- Who you share the data with e.g. third parties
- How long you keep the data
- How users can revoke consent to data collection or storage
- How users can access the information you store on them and amend it if it's incorrect
- How people can contact you (or your Data Protection Officer, if you have one) with questions or complaints
When you're drafting your Policy, explain things clearly and ensure that visitors understand what they're agreeing to.
Your Cookies Policy
If your website uses cookies or similar trackers, your Cookies Policy should:
- Define what cookies are
- Explain what cookies you use, and why
- Set out how visitors can reject cookies, particularly advertising or analytics cookies (in the EU and UK, non-essential cookies shouldn't be set until the visitor has opted in)
Assume that your customers don't know what cookies are. Explain how cookies work, and why you use them, in simple, jargon-free language.
Your Terms and Conditions Agreement
Terms and Conditions agreements set out the rules for how people must use your website, app or platform. It's basically your user guidelines document.
Briefly, your Terms and Conditions should set out:
- What services you provide
- Your IP rights
- Acceptable and prohibited behavior
- Limitation of liability disclaimer
- Which laws govern the agreement e.g. Canadian law, U.S. state law
Your Return and Refund Policy
If you're running an ecommerce store, or you plan on selling goods as part of your business, you should have a Return and Refund Policy.
This Policy sets out:
- When customers can return items
- The returns and exchange process
- Shipping terms for returned items
- Who is responsible if goods are damaged or lost in transit
- Who pays the shipping cost of returning items
- When you won't offer a refund or exchange
- How long a customer has to cancel their order
Every start-up needs to build a loyal customer base and establish a good reputation, and a clear Return and Refund Policy helps with both.
Some Returns Policies are extremely short, like the one from Black Butterfly Clothing.
Others, like FLEO's Return Policy, specify occasions when all sales are final and set out other conditions of returns.
You must always consider the privacy implications of:
- Emailing and contacting customers
- Handling parcels (parcel labels have names and addresses on them)
Privacy law compliance, then, affects every area of your business.
Your End-User License Agreement (EULA)
If you plan on letting users download programs for their own use, you need an End User License Agreement (EULA). Distributing software usually means collecting some personal data (an email address or account details, for example), so the EULA is relevant to privacy law compliance.
Your EULA should specify that:
- You retain all ownership and IP rights over the software
- You can revoke the license at any time
- You're not liable for what happens to a user's machine when they download your software
- You don't warrant that the user will enjoy the product or find it useful
There's no need for every business to have a EULA. You only need one if you're giving people a license to use software.
So far we've covered how start-ups can comply with general privacy laws. If you need to comply with the GDPR, there are some more specific rules and regulations you must understand.
GDPR Compliance for Start-Ups
Remember that if you're based in the EU, or you offer goods or services to people in the EU or monitor their behaviour (by tracking EU visitors to your site, for example), you must comply with the General Data Protection Regulation, wherever your company is registered.
The GDPR establishes 6 basic principles for processing personal data, plus an overarching accountability requirement, and it confers 8 specific rights on the individuals whose data you hold.
Principles for Processing Data
Under Article 5, you should only ever process personal data:
- Lawfully, fairly and transparently
- For a specified, explicit and legitimate purpose, and not in ways incompatible with that purpose
- To the extent actually needed for that purpose (data minimisation: you don't need a home address to send out an email newsletter)
- Keeping it accurate and up to date
- For no longer than necessary in a form that identifies people (storage limitation)
- Securely, protecting its integrity and confidentiality with appropriate technical and organisational measures
And, under the accountability principle, you must be able to demonstrate all of the above.
What this all basically means is that you should:
- Understand why you need personal data
- Communicate this reason to individuals
- Process it safely and securely, and in line with the purpose you set out
Individual Rights
Individuals in the EU have the right to:
- Be told what data you're collecting, and why
- Access whatever data you hold on them
- Have inaccurate data corrected
- Receive a copy of the data in a structured, machine-readable format and move it to another provider (data portability)
- Ask you to delete the data (the "right to be forgotten")
- Not be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them
- Object to processing, including a right to object to direct marketing that you must always honour
- Request that you restrict processing of their data (i.e. you can still store it but you can't use it)
So, the basic premise is that individuals in the EU have substantial control over what happens to their personal information. But how do you comply with these rights and fulfil your obligations?
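As an added example (not code from the article or from any company named in it), here is how a start-up might process a deletion request over the records its data audit has mapped: erasing what it can, keeping only what a legal obligation requires it to keep (Article 17(3)(b)) and marking that as restricted, listing the processors that must be told about the erasure (Article 19), and computing the one-month response deadline (Article 12(3)). The record layout, the system and vendor names, and the invoice retention date are assumptions.

```javascript
// Added example (not from the original article): processing a right-to-erasure request
// (GDPR Article 17) over the records a data audit has mapped. Systems, processor name
// and the invoice retention date are assumptions for illustration.

// Constructed sample: what a data audit might have mapped for two customers.
function sampleRecords() {
  return [
    { id: 'acct-1', system: 'accounts', subjectId: 'u42', basis: 'contract',
      data: { email: 'a@example.com', name: 'A. Person' } },
    { id: 'mkt-7', system: 'newsletter', processor: 'mail-vendor', subjectId: 'u42',
      basis: 'consent', data: { email: 'a@example.com' } },
    { id: 'inv-300', system: 'invoices', subjectId: 'u42', basis: 'legal_obligation',
      retainUntil: '2031-01-01', data: { name: 'A. Person', amount: 49.99 } }, // assumed tax retention
    { id: 'acct-2', system: 'accounts', subjectId: 'u99', basis: 'contract',
      data: { email: 'b@example.com' } },
  ];
}

// One calendar month after receipt (Article 12(3)), clamped to the end of the month
// so that a request received on 31 January is due on the last day of February, not in March.
function responseDeadline(receivedIso) {
  const d = new Date(receivedIso);
  const y = d.getUTCFullYear(), m = d.getUTCMonth(), day = d.getUTCDate();
  const lastDayOfNextMonth = new Date(Date.UTC(y, m + 2, 0)).getUTCDate();
  const due = new Date(Date.UTC(y, m + 1, Math.min(day, lastDayOfNextMonth)));
  return due.toISOString().slice(0, 10);
}

function processErasureRequest(records, subjectId, receivedIso) {
  const receivedDate = receivedIso.slice(0, 10);
  const erased = [], retained = [], remaining = [], processors = new Set();
  for (const r of records) {
    if (r.subjectId !== subjectId) { remaining.push(r); continue; }
    // A record may be kept only while a legal obligation still requires it.
    const mustKeep = r.basis === 'legal_obligation' && r.retainUntil && r.retainUntil > receivedDate;
    if (mustKeep) {
      // Kept for the retention purpose only: mark it restricted so nothing else uses it.
      retained.push({ id: r.id, system: r.system, reason: 'Article 17(3)(b) legal obligation',
                      retainUntil: r.retainUntil });
      remaining.push({ ...r, restricted: true });
    } else {
      erased.push({ id: r.id, system: r.system });
      if (r.processor) processors.add(r.processor); // Article 19: tell recipients of the data
    }
  }
  return { subjectId, deadline: responseDeadline(receivedIso), erased, retained,
           notifyProcessors: [...processors], records: remaining };
}

// Constructed usage: a request from customer u42 received on 31 January 2024.
const result = processErasureRequest(sampleRecords(), 'u42', '2024-01-31T09:00:00Z');
console.log(result.deadline);                        // 2024-02-29
console.log(result.erased.map(e => e.id));           // [ 'acct-1', 'mkt-7' ]
console.log(result.retained.map(r => r.id));         // [ 'inv-300' ]
console.log(result.notifyProcessors);                // [ 'mail-vendor' ]
```

The retained invoice stays in the store but flagged, which is what "restriction of processing" looks like in practice; the reply to the requester should list both what was deleted and what was kept and why.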
Here are the steps you should work through.
Data Identification
First, set out exactly what data you're handling, collecting, storing, and processing. Then, confirm whether you're a data processor or a data controller.
- If you're determining why data is collected and you have a direct relationship with customers, you're a data controller. An example is an ecommerce store.
- If you process data on behalf of another company, you're a data processor. An example is a cloud service provider.
If you're a controller, Article 24 of the GDPR applies. You're responsible for implementing appropriate technical and organisational safeguards to protect the personal data you capture, and you must be able to demonstrate this compliance if asked.
If you're a processor, under Article 28 you can only process data on the controller's documented instructions, you need a written contract with the controller, and you can't engage sub-processors without its authorisation. You still have a duty to safeguard data in your possession and keep it confidential.
Your Lawful Basis
Next, you need to identify your lawful basis for collecting or storing the data in the first place. Establishing the lawful basis and communicating it to the customer is critical to GDPR compliance for new start-ups.
So, what is a "lawful basis"? Article 6 of the GDPR sets out six, and processing is lawful only if at least one applies:
- Consent: the individual has agreed to you using their data in a particular way
- Contract: the processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering one
- Legal obligation: you're required by law to process the data (keeping tax records, for example)
- Vital interests: the processing is necessary to protect someone's life
- Public task: the processing is necessary for a task carried out in the public interest or under official authority
- Legitimate interests: the processing is necessary for your (or a third party's) legitimate interests, and those interests aren't overridden by the individual's rights
Decide and document the basis before you start processing; it's hard to justify switching to a different one later.
For example, Waterstones specifically states that it collects personal information to complete its contract with the customer.
Gymshark sets out the data it collects and its lawful basis in a handy table.
It doesn't matter how you set out the lawful basis, so long as it's clear and easily understood by the customer.
Getting Consent
If you're collecting data for marketing, tracking, or analytics purposes, you'll usually need the individual's consent: non-essential cookies and similar trackers require it under the EU's ePrivacy rules, and so does most electronic direct marketing.
Consent under the GDPR must be:
- Freely given
- Specific to a stated purpose
- Informed
- Unambiguous, indicated by a statement or a clear affirmative action
In other words, the user should take a positive step to consent to data processing. Implied consent, silence, or a pre-ticked box isn't sufficient under the GDPR, and withdrawing consent must be as easy as giving it.
So, how do you get express consent? You can use checkboxes or buttons at points where you collect data, including:
- Account registration
- Checkout screens
- Newsletter signups
In other words, use clickwrap agreements. Here are some examples.
Retailer Everlane uses a checkbox to get consent for marketing communications at account registration.
And fashion startup Balance Athletica uses a "Got It" button to get consent to cookie use.
Levi's sets out users' data protection rights in clear bullet points, and just below that clause explains how to exercise them.
Let's look at two case studies to see GDPR compliance in action.
Example: Moderna
Moderna is a medical startup. When you first land on the homepage, there's a popup banner with an "I accept" button for cookie consent (whatever banner you use, make sure that rejecting non-essential cookies is as easy as accepting them).
Its Privacy Policy then states that Moderna:
- Processes personal data fairly
- Collects it legally, and with a lawful basis
- Keeps data up-to-date
- Stores it for only as long as it's needed
Moderna states that it shares personal information with third parties if users consent to marketing communications.
Finally, it sets out which cookies are used and why, and how users can amend their cookie settings or revoke consent.
Example: Everlane
Let's look at some different clauses from another startup, Everlane.
Once Everlane sets out what personal data it collects, it explains how it uses it, thus establishing its lawful basis.
There's a lengthy section dedicated to empowering users and giving them information on their various data protection rights.
Within this section, Everlane specifies, for example, that individuals in the EU have a right to lodge a complaint with their supervisory authority about how Everlane handles their data.
Conclusion
Every startup that collects any personal data at all must comply with various privacy laws. Essentially, you must:
- Establish your lawful basis for collecting and using data
- Devise a strategy for processing this data safely and storing it securely
- Get consent before capturing personal information for marketing or other purposes that aren't necessary to deliver your service
- Have a process for detecting and reporting data breaches and mitigating the associated risks
If you're based in the EU or offer your services to people there, you must comply with the EU's General Data Protection Regulation. This means you need:
- Unticked checkboxes or clear "I Agree" buttons to get consent to processing personal data, and a record of when, how and to what each person consented. Implied consent or a pre-ticked checkbox isn't acceptable.
- Clear consent before sending out marketing emails or other communications
- Processes for responding to access, correction and deletion requests within one month of receiving them