After exploring what obligations your startup has under the GDPR, this next article aims to let you know what changes can be made to your startup. Below you will find some simple steps you can take to ensure you meet the GDPR obligations today.
WHAT CAN I DO TO COMPLY?
Think before collecting! When someone enters your website, what are you asking them to share? Perhaps their email address or their name to create a profile. Once you know whether your start-up is dealing with personal and/or sensitive data, you can ensure that the obligations indicated in the previous section are met.
#1 – List all the information being collected and identify what you need each piece of information for. Gathering this information will allow the startup to ‘develop an inventory’. This inventory can help determine the types of information held and the risks associated with that information.
Next, decide whether each piece of information is actually necessary for the particular purpose in question. Remove all information that is unnecessary for completing the task at hand, keeping only the minimum. As data minimisation is one of the obligations under the GDPR, removing unnecessary information is a crucial step to take.
- Including the identity of the controller.
- The contact details of the data protection officer (if the company has more than 250 employees).
- The purposes and legal basis of the processing of personal data.
- The length of time the data is stored.
- How to exercise the right to request from the controller access to, rectification of, or erasure of personal data.
- The fact that the user of your services has the right to lodge a complaint with a supervisory authority.
- How decisions are made about processing data.
#4 – Make sure you give users the ability to manage their personal data. Some examples include:
- Opt-in options for signing up or receiving newsletters.
- Allowing a user to access, delete or modify all of their information.
- The ability to refuse automated profiling.
- The ability to object to the processing of their information.
#5 – Appoint an individual within the organisation to manage data protection requests. Ultimately, this individual will be the person that the users can contact in case they want to exercise their rights under the GDPR.
#6 – Keep records of consent in order to prove GDPR compliance. Listing the information collected, as indicated in the first section of this article, will allow you to comply with the seventh principle, accountability. Having the information organised will allow you to more readily identify the data you hold and demonstrate compliance with the GDPR.
Currently, only about one in every three European companies is compliant with the GDPR. That does not mean your startup has to be among the non-compliant majority! Non-compliance may result in hefty fines of up to €20 million or 4% of global revenue, which companies should definitely avoid.
So, let’s update those policies to avoid any unnecessary fines.