
GDPR Compliance Checklist For Startups

If you want to operate in or offer services to individuals within the European Union, you must navigate the complexities of GDPR compliance. GDPR compliance is more than just legal adherence for startups; it demonstrates their commitment to safeguarding user data, enhancing customer trust, and ensuring the sustainability of their businesses.

In this GDPR compliance checklist for startups we will cover the following:

  • Background about the GDPR
  • #1 – Website compliance (privacy policy and cookie banner)
  • #2 – Compliant forms and the types of consent
  • The general principles of the GDPR
  • #3 – Roles under the GDPR (controllers, processors, sub-processors)
  • #4 – Data subject requests, plus the risks of using data brokers
  • #5 – Data Processing Addendum (DPA)
  • #6 – Privacy by Design

Background about the GDPR

The GDPR is often treated as if it were the only privacy law in the world. It isn't: privacy laws existed long before it, but few businesses paid attention to them. Since the GDPR became applicable on 25 May 2018, backed by fines of up to 4% of global annual turnover, that has changed.

As an EU regulation, it applies directly in every member state without national implementing laws, unlike a directive. It also has extra-territorial scope: it applies even if your company is not established in the EU, as long as you offer goods or services to individuals who are in the EU or monitor their behaviour there (Art. 3(2)). Note that the test is where the person is, not their citizenship.


GDPR Compliance Checklist #1 – Website Compliance 

Let's start with the basics of website compliance. If you have, or are planning to have, a website, keep these three things in mind:

  • Privacy Policy
  • Cookie Banner
  • Compliant Forms

Privacy Policy

The first question is whether you need a Privacy Policy.

The answer is yes, you need one, and you don't need to hire a lawyer to write it.

This is the GDPR's transparency principle in action. The policy should be easy to read for everyone, not just lawyers. It needs to say who you are and how to contact you, what types of data you process and about whom, for what purposes, your legal basis for each purpose (discussed later), whether the data is shared and with whom (including transfers outside the EU), how long you keep it, and what rights people have and how to exercise them.

The first thing to do is map every point at which your site collects data. For example, if you have a contact form and you take payments, you already know you collect contact details (for customer support) and financial data (to process payments). Don't forget the less visible sources: analytics scripts, embedded third-party widgets and chat tools, and your own server logs all collect personal data too.

Cookie Banner

Next up, cookie banners!

The annoying pop-ups you see on web pages: you need one as soon as you set anything beyond strictly necessary cookies.

First, what is a cookie? A cookie is a small piece of data that a website asks your browser to store and send back on later visits. The same consent rules apply to similar technologies such as local storage and tracking pixels, so don't treat the banner as being about cookies alone.

Second, the types of cookies:

  • Essential/Necessary cookies – cookies your site or product cannot operate without, such as the session cookie that keeps a user logged in.
  • Analytics/Statistics cookies – cookies used to measure and track visitors; they are usually set by installing an analytics tool such as Google Analytics.
  • Marketing/Third-party cookies – cookies used for advertising and measuring conversion rates. They usually report back to a third party (such as LinkedIn, Facebook or Google).

Your cookie banner must not set any non-essential cookie before the visitor has made a choice, and it must let them consent to each category separately (essential cookies need no consent). The usual way to do this is two layers: a first layer with Accept all, Reject all and Settings, and a second layer with a toggle per category. If you offer a one-click 'Accept all', a one-click 'Reject all' must be available in the same place and just as easy to find.

Present all options with equal prominence. A banner that only offers 'Accept', or that buries rejection behind extra clicks or greyed-out buttons, does not collect valid consent, so the cookies set on the strength of it have no legal basis.
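As an added example (not code from the original article), here is a small consent manager in JavaScript that implements the rule above: nothing non-essential loads until the visitor has actively chosen, each category is a separate choice, and 'Reject all' is as easy as 'Accept all'. The category names, the storage key, the 180-day re-consent window and the `data-consent` attribute convention are this example's own assumptions, not anything the GDPR prescribes.

```javascript
// Added example, not code from the original article: a small consent manager
// that keeps non-essential scripts (and the cookies they set) off until the
// visitor opts in. Category names, the storage key, the 180-day re-consent
// window and the data-consent attribute convention are assumptions of this
// example, not requirements taken from the GDPR text.
const NON_ESSENTIAL = ['analytics', 'marketing']; // 'essential' never needs consent
const STORAGE_KEY = 'cookie-consent';
const RECONSENT_AFTER_MS = 180 * 24 * 60 * 60 * 1000;

class ConsentManager {
  // storage: anything with getItem/setItem, e.g. window.localStorage
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // The stored decision, or null when there is none, it is malformed or it is
  // too old. Fail closed: anything unreadable means "no consent given".
  decision() {
    let raw;
    try { raw = JSON.parse(this.storage.getItem(STORAGE_KEY)); } catch { return null; }
    if (!raw || typeof raw !== 'object' || typeof raw.decidedAt !== 'number') return null;
    if (this.now() - raw.decidedAt > RECONSENT_AFTER_MS) return null;
    const choices = {};
    for (const c of NON_ESSENTIAL) choices[c] = raw.choices?.[c] === true;
    return { choices, decidedAt: raw.decidedAt };
  }

  isAllowed(category) {
    if (category === 'essential') return true;
    const d = this.decision();
    return d !== null && d.choices[category] === true;
  }

  // Granular save: unknown categories are dropped, missing ones become false.
  save(choices) {
    const clean = {};
    for (const c of NON_ESSENTIAL) clean[c] = choices[c] === true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ choices: clean, decidedAt: this.now() }));
    return clean;
  }

  // "Accept all" and "Reject all" are symmetric one-click actions.
  acceptAll() { return this.save(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true]))); }
  rejectAll() { return this.save({}); }

  // Given tags like { category, src }, return only those allowed to load now.
  scriptsToLoad(tags) {
    return tags.filter(t => this.isAllowed(t.category));
  }

  // Browser wiring: inert <script type="text/plain" data-consent="analytics"
  // data-src="https://..."> tags are swapped for real ones once permitted.
  activate(doc) {
    const loaded = [];
    for (const el of doc.querySelectorAll('script[data-consent][data-src]')) {
      if (!this.isAllowed(el.getAttribute('data-consent'))) continue;
      const real = doc.createElement('script');
      real.src = el.getAttribute('data-src');
      el.parentNode.replaceChild(real, el);
      loaded.push(real.src);
    }
    return loaded;
  }
}

// Constructed in-memory stand-in for localStorage so this runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Walk through the states a banner produces on a constructed set of tags.
function demo() {
  const tags = [
    { category: 'essential', src: '/session.js' },
    { category: 'analytics', src: 'https://analytics.example/ga.js' },
    { category: 'marketing', src: 'https://ads.example/pixel.js' },
  ];
  const cm = new ConsentManager(new MemoryStorage());
  const before = cm.scriptsToLoad(tags).map(t => t.src);   // no decision yet: essential only
  cm.save({ analytics: true });                            // granular choice from layer two
  const partial = cm.scriptsToLoad(tags).map(t => t.src);  // essential + analytics
  cm.rejectAll();
  const rejected = cm.scriptsToLoad(tags).map(t => t.src); // essential only again
  return { before, partial, rejected };
}

if (typeof document !== 'undefined') {
  new ConsentManager(window.localStorage).activate(document);
}
```

Inert `<script type="text/plain" data-consent="analytics" data-src="...">` tags are what keep third-party scripts from running before consent: the browser ignores a script with an unknown type, and `activate()` swaps it for a real one only once the matching category is permitted. Anything unreadable or stale in storage counts as no consent; that fail-closed default is the security-relevant point.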


GDPR Compliance Checklist #2 – Compliant Forms

There are probably a lot of forms on your site: contact us, newsletter signup, account creation. For each one you need to collect the right type of consent, so that you have a valid legal basis for the processing it triggers and stay compliant with the GDPR.

To use users' data for direct marketing, for example, you generally need their consent. The exact type of consent required varies with the country your users live in, because email marketing rules come from national implementations of the ePrivacy Directive on top of the GDPR.

Let’s review different types of consent:

Opt in

Generally, opt-in means the user takes an affirmative action, such as ticking a box or clicking 'I agree'. A pre-ticked box that the user would have to untick does not count: Recital 32 of the GDPR says that silence, pre-ticked boxes or inactivity do not constitute consent.

Double Opt in

A stricter method, double opt-in, requires the user to opt in and then click a confirmation link sent to them, typically by email. It proves that the address really belongs to the person who consented and leaves you a timestamped record. In Germany it is the expected way of proving consent if a recipient disputes it.

Implied Consent

There is also so-called implied consent (often called the soft opt-in), which is not consent in the GDPR sense but an exception in the e-marketing rules: if someone gave you their contact details directly in the course of a sale (some countries extend this to negotiations for a sale), you may send them marketing about your own similar products, provided you offered an opt-out when you collected the details and offer one in every message. It does not cover addresses obtained from third parties.

Make sure you collect the right type of consent by using our free tool – Marketing Risk Radar. 


The General Principles of The GDPR

There are seven principles, set out in Article 5 of the GDPR:

Data minimization. Collect only what you need. With data comes responsibility, so minimise the risk: a newsletter sign-up form has no business asking for gender or ethnicity (ethnic origin is special-category data with extra restrictions).

Purpose limitation. Having a specific, explicit and legitimate reason for collecting data is essential. Don’t collect data just for the sake of collecting data. 

Lawfulness, fairness and transparency. Processing must rest on a proper legal basis, nothing about it may be hidden, and the data subject must be informed about how, why and when their data is processed.

Storage limitation. Personal data should be kept for no longer than necessary. 

Accuracy. You must ensure that your data subjects’ personal data is accurate and up-to-date. Data subjects should also be allowed to correct their data if they wish. 

Integrity and confidentiality. This is where privacy meets security: Article 32 requires technical and organisational measures appropriate to the risk, such as encryption and pseudonymisation, access control, the ability to restore availability after an incident, and regular testing of those measures.

Last but not least, accountability. You must be able to demonstrate compliance, which means having the relevant documents in place. This includes (but is not limited to) policies, records of the consents users gave, and records of processing activities.

GDPR Compliance Checklist #3 – Roles Under The GDPR

Controllers, Processors and Sub-processors

Defining data controller, data processor and sub-processor will help us understand their functions and responsibilities.

To understand your GDPR obligations, you must understand your company’s position in this chain. It is possible for you to be a controller of certain data types, such as data you collect on your site, and a processor of client data. 

Data Controller

GDPR Art. 4(7): ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Which basically means that the data controller decides why the data is processed and how.

Data Processor

GDPR Art. 4(8): ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

This means that the data processor acts only on the controller's documented instructions and has no say in what is collected or for what purposes.

Sub-Processor

A sub-processor is a third party engaged by a processor that will have access to, or process, personal data that the controller entrusted to that processor. The sub-processor acts under the instructions of the processor, and the controller must have authorised its use (Art. 28(2)).

The chain can continue, but the entity that decides the purposes is the data controller, and it carries most of the responsibility and accountability.

As an example, if you provide email marketing services to other companies, your clients may give you a list of prospects to send marketing materials to. The client is the controller and you act on its instructions. If you use Google Analytics and Amazon Web Services to deliver the service, they act as sub-processors under your direction; you must list them in your DPA and tell the client before adding a new one.


GDPR Compliance Checklist #4 – Data Subject Requests

Your prospects, users, customers, and partners do have rights.

Those rights include – 

  • The right to be forgotten (erasure) – the right to ask you to delete their data.
  • The right to rectification – to correct their data.
  • The right of access – to see the data you hold on them.
  • The right to data portability – to get a copy in a machine-readable format that they can transfer to someone else.
  • The right to be informed, the right to object to processing (including an absolute right to object to direct marketing), the right to restrict processing, and rights relating to automated decision-making.

Some of these rights are not absolute, and you may refuse or limit a request if you have a valid reason (for example, a legal obligation to keep the data). Record the refusal and the reason, and tell the requester that they can complain to a supervisory authority.

What to do?

Before getting a request

Your Privacy Policy should include those rights and how to exercise them. You should have a mechanism in place and train your employees on how to recognize and handle these rights. 

After getting a request

  1. Verify – Make sure the request really comes from the person whose data it concerns; disclosing someone's data to an impostor is itself a personal data breach. Verify proportionately, for example by requiring a login to the account or a reply from the email address on file, rather than demanding copies of ID documents you don't otherwise need.
  2. Answer within the timeframe – You have one month from receipt to respond (Art. 12(3)). For complex or numerous requests you can extend this by up to two further months, but you must tell the requester, with the reason, within the first month. Log the receipt date, because the clock starts then, not when someone notices the request.

Data Brokers – Risks and Mitigation

Companies that let you enrich your data, or find the email address of that one person you really want to contact, are known as data brokers. Startups love them because they deliver leads.

Here are some risks you should be aware of –

  • You cannot verify that the data was obtained lawfully. If you contact someone whose data was collected without a legal basis, they may complain, and the complaint lands on you as the sender.
  • Data brokers write their terms so that if anything goes wrong, you are responsible. If they are sued over the data they sold you, you will be paying the bill.

Even if you aren't convinced, at least mitigate the risks: offer an unsubscribe in every message, limit how you use the data, record where each contact came from, and remember that when you obtain data indirectly you must tell the person its source and your purpose no later than your first message to them, and in any case within one month (Art. 14).

GDPR Compliance Checklist #5 – Data Processing Addendum (DPA) 

What is it?

A DPA is the contract that the GDPR requires between a controller and a processor (Art. 28(3)). It sets out what the processor may do with the personal data, how it manages and secures it, and its legal responsibilities towards the controller.

When do you need it?

  • When you share personal data with a third party (such as a processor or service provider)
  • When a third party shares personal data with you (such as your customers)

Why is it important?

  • It is required under a number of laws (yes, under the GDPR as well).
  • It outlines your (or your vendors') responsibilities regarding personal data.
  • It defines the scope of personal data involved, the limits on processing activities, and other obligations such as the timeframe for reporting a data breach to the controller, the approved list of sub-processors, and the duty to assist the controller with its own compliance (and more).

It's important to understand that you are bound by this agreement, including its obligations in the event of a data breach or an audit request. Make sure you understand it, and keep it documented and accessible.


GDPR Compliance Checklist #6 – Privacy by Design (PbD)

Companies tend to treat privacy as an extra burden they should address when they have the money to do so, but embedding privacy later is very complex and expensive. Moreover, today, privacy has become a competitive advantage – users and customers are seeking solutions that guarantee their privacy.

Privacy by Design comprises these seven principles:

    1. Proactive not reactive; preventative not remedial
      Instead of reacting to privacy risks or breaches, build processes and procedures that prevent them from occurring in the first place.
    2. Privacy as the default setting
      The most protective setting applies without the user doing anything; users shouldn't have to hunt through settings when browsing a website, opening an app or logging into software.
    3. Privacy embedded into design
      Protecting users' data and privacy is part of the conversation from the start of building a website, a mobile app or a software application, not a layer added at the end.
    4. Full functionality — positive-sum, not zero-sum
      Privacy and functionality are not a trade-off; integrating privacy into every design element is a positive-sum approach.
    5. End-to-end security
      Data is protected throughout its lifecycle, from collection to secure deletion.
    6. Visibility and transparency
      Openness with users about your privacy policies and procedures, so that they (and regulators) can verify them.
    7. Respect for user privacy
      Keep it user-centric.

Quick Recap

We've covered the essential pillars of GDPR compliance, from the roles of data controllers and processors to data subject rights (DSRs) and making your website meet GDPR standards. Navigating the GDPR is a multifaceted challenge for a startup, but implementing these principles not only aligns you with the regulation; it also strengthens your credibility and trustworthiness in the eyes of your customers.

In closing, remember that GDPR compliance is an ongoing process, not a one-time achievement. It requires continuous vigilance, regular updates to your data protection practices, and a proactive approach to data privacy. To further elevate your startup’s GDPR compliance and showcase your commitment to data protection, consider leveraging tools like hoggo.

hoggo can help streamline your compliance efforts, making it easier to manage your obligations while building trust with your customers and partners.

Noa Kahalon

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.