The May 25th roll-out date of the EU's GDPR is barreling towards us. As with the majority of EU regulations, it can seem overwhelming at first, especially for startups who don’t usually have a budget for expert legal advice.
We consulted Remie Bolte, TQ member and co-founder of Project Privacy, a company dedicated to helping organizations deal with privacy regulations, to find out how startups with a limited budget can prepare themselves for such a big shift in data protection regulation.
First off, Remie offered a comforting nugget for startups who are overwhelmed at the thought of totally changing the way they operate. “Existing large companies will have to make a complete migration to comply with the General Data Protection Regulation (GDPR), but startups have a competitive edge - they can be very quick and agile about it,” explained Remie.
As a startup, you’re already a step ahead from those big multinationals with full legal teams.
So there you go: as a startup, you’re already a step ahead from those big multinationals with full legal teams. “You can say to your customers, ‘hey, we value your privacy, and already implemented GDPR,’ and you can do that way faster than existing corporations,” he pointed out.
So how to actually go about implementing the GDPR yourself?
Read it yourself!
Unlike many of the EU’s laws, Remie explained the GDPR is actually pretty user-friendly and readable, “so you can actually just sit down and read and understand it yourself.”
You need explicit consent - if you look at LinkedIn and then guess their email because of the naming convention and send them a bulk email, then that’s not compliant with the GDPR.
If you’re tight on time, the key part to pay attention to is Article 9, which is all about the information you are, and aren’t, allowed to use.
Check if your current strategy is GDPR-proof
Brace yourselves: many of the tactics used by fast-growing startups to get revenue are not very GDPR-friendly. “Examples would be growth hacking and trying to guess email addresses and then contacting those people,” explained Remie. “You need explicit consent - if you look at LinkedIn and then guess their email because of the naming convention and send them a bulk email, then that’s not compliant with the GDPR,” he continued.
Another issue that may arise is when you’re creating new features for an app or website. “You might decide to implement something like Gravatar, and then you might think ‘I’m going to implement some social features,’ like where you allow people to search for friends. You can’t do that unless you have explicit consent,” said Remie.
But, it’s equally as important to remember that you’re able to do what you like with your customers’ data once you do have this consent. Analyzing the GDPR information available, and working out exactly how it will affect your business is a good place to start, and then it’s time to look at how you can make the necessary changes.
For startups who are pushed for time, Remie said the key is to be smart about the order in which your company implements the GDPR. He advises starting with the basics: “it’s really easy to make sure you have a privacy statement and a cookie statement on your website where your customer will actually see it.” Once you’ve covered that base, “you get into the more tricky parts like advertising, growth hacking, and making sure that you’ve implemented security.”
Remie said that things like this can be sorted along the way, “just make sure that on your customer-facing applications and websites, you have everything you need to comply, and then you can start looking at what you need to do in terms of your business.”
Focus on relevant contacts
Remie explained it’s important to remember the point of the GDPR: “in its essence, it’s all about customer expectations.”
Imagine someone you want to talk to has a booth at a conference. You go over to them and chat, and then the person gives you their business card. If you go home and email that person, they’re expecting that communication because they physically handed over their business card to you with that intention. If you guessed that person’s email, however, and sent them a business proposal, that’s not in line with the GDPR.
“With the new regulation in mind, you need to start focussing on relevant contacts,” said Remie. “So instead of taking a shotgun approach and trying to reel in as many people as possible, you need to turn them into qualified leads and make sure they’re actually interested in what you’re trying to sell.”
Since meeting everyone you want to connect with one-on-one is impossible, Remie advised “it’s really up to you as an entrepreneur to know your market, and know which people you can contact without a chance of getting a complaint.”
GDPR's hidden opportunities
Given the many complex adjustments businesses need to make to comply with the upcoming GDPR, employment opportunities related to data protection are rising fast. For large companies especially, complying with the GDPR will be complicated, so there’s already a high demand for these skills and knowledge in preparation.
Most companies will either outsource this new set of responsibilities to a data expert or alternatively (and more likely), look after their data management in-house by hiring a Data Protection Officer (DPO). As revealed in a recent study by the International Association of Privacy Professionals, as many as 75,000 DPOs will be required globally by May.
It’s really important the DPO is someone that’s actually qualified for the position.
So what exactly does a DPO do? “They’re responsible for ensuring GDPR compliance within a company and are the go-to person in case of data breaches or questions from either national Data Protection Agencies or customers,” explained Remie.
“It’s also important the DPO is an independent actor within the company, as they might be required to ask tough questions, or even prevent new features or products to be shipped if they compromise the privacy of data subjects,” he continued. “It’s really important the DPO is someone that’s actually qualified for the position - it cannot be an additional role for a CTO or CFO,” Remie reiterated.
Besides the rise in DPO positions, there are also many less obvious business opportunities emerging. For example, developing useful tools to easily categorize data. Elements.cloud is already capitalizing off the GDPR, customizing solutions for companies to help them comply with the new laws. Faktor is on a similar path, using the blockchain to create what they call an 'Identity Management Platform.'
Is blockchain the answer?
While the blockchain is an exciting technology, especially when it comes to storing data, Remie urges companies to be cautious when it comes to storing personally identifiable information. “The decentralized nature of the blockchain means that the data within the transaction is shared with the entire pool. Also, the data is immutable and will remain part of the blockchain. This contradicts the right to be forgotten,” Remie explained.
“In addition, although the data is currently well encrypted, there’s no certainty the encryption will not be compromised in the near future. Five years from now your data might suddenly be available to all who have access to the blockchain. When dealing with sensitive information, fragmentation is usually preferred over-centralization," he continued.
So, while the blockchain might not be the best solution for data protection, it's exciting to see the creative ways companies are capitalizing off the GDPR. Are you good with data or development? Perhaps the GDPR will be the push you need to launch your next startup.
Enjoy the read? Sign up to our weekly newsletter for a curated selection of meaningful stories delivered straight to your inbox. And don't worry... we hate spam too.