More than ever, tech businesses rely on building and sustaining trust with their users, partners and investors to achieve their revenue goals. And today you need to do it fast to beat the competition. You have a superpower for this: speed and versatility are just two of the main advantages of being a startup.
How can you stand apart? First, startups need to get GDPR done right to achieve their business goals and start selling. Let’s go through 3 common scenarios:
✅ Do you want to sign a partnership agreement with a pharmaceutical company? You will have to prove that you are GDPR compliant.
✅ Do you want to use the data for research purposes? Well, you need to be GDPR compliant.
✅ Do you want to get your DTx app reimbursed? You need to be GDPR compliant.
It’s of vital importance to comply with both administrative and technical requirements defined by the GDPR in order to start selling, increase revenue and start growing. It is a permission-to-play requirement.
Don’t miss the opportunity to grow your business and build trust while ensuring your customers’ safety. Got your attention? Great, so let’s dive into the topic!
Diving into the GDPR basics: why do I have to be compliant?
Today, most companies building digital apps collect personal data, many of them without even knowing it (we wrote an ebook about GDPR health data categories with a deep dive into data categories). The catch is that these companies will need to take good care of the collected data if they want to use it for B2B deals or reimbursement schemes (for digital health apps and DTx, for example).
In addition, sectors such as healthcare and finance are characterised by a very complex set of stakeholders. Typically the end users are not the customers. The customer can be a hospital, an insurer, a pharma company, or another public or private authority delivering services to citizens. To each of them, startups need to demonstrate quality, security and compliance, and trust in order to position themselves as a trustworthy partner and thus sell faster and better.
Ok, that’s a good point.
You may now wonder: why do I have to fulfil the same requirements as a huge international corporation if I am a small startup?
The main reason is that those big corporations take on a lot of risk by working with you. In most cases they will be the data controller, so it is ultimately their responsibility to ensure that data subjects' rights are respected, while you process data on their behalf. Therefore they will ask many questions about the measures you have implemented. If those measures are missing, it is their business that suffers.
If you are interested in finding out more about personal data, we wrote about this topic in a previous blog post: What is personal data under GDPR?
Are you a startup? Don’t worry! Here are some must-dos for your GDPR compliance
So what exactly does this mean for a startup? There are some requirements you need to pay attention to. Let’s see some of them together:
Get permission through explicit consent
According to the GDPR, processing special categories of personal data (health data among them) is prohibited unless one of the exceptions listed in Article 9(2) applies; this comes on top of the six lawful bases in Article 6 that apply to any personal data. The most common exception startups rely on is “explicit consent”, typically implemented via checkboxes on websites or apps during the signup process. Note that a pre-ticked box, or a single checkbox bundling several purposes, does not count as explicit consent.
Valid consent is a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of their personal data; for health data it must also be explicit, and it must be granular (one purpose per consent). In addition, you must be able to prove that data subjects have lawfully given their consent. This means keeping a record of consents, updates and withdrawals, and being able to demonstrate it if required by the supervisory authority.
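The record-keeping requirement above is easier to reason about with a concrete structure in hand. The following is an added example written for this post, not code from Chino.io or from any product: an append-only consent ledger that stores one event per user and purpose (grant or withdrawal, timestamp, notice version, how it was captured) and can answer whether processing for a given purpose was covered by consent at a given moment. Field names, purposes and the sample scenario are assumptions chosen for illustration.

```python
"""Append-only consent ledger: one record per (user, purpose) grant or
withdrawal, so a controller can show what was consented to, and when.
Added example; the field names and purposes are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str          # one specific purpose per event (granular)
    granted: bool         # True = consent given, False = withdrawn
    at: datetime          # timezone-aware
    notice_version: str   # privacy notice the user actually saw (informed)
    evidence: str         # how it was captured, e.g. "signup checkbox v3"


class ConsentLedger:
    """Events are only ever appended; a withdrawal is a new event, never a delete,
    so the full history stays available for the supervisory authority."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if not ev.purpose or ev.purpose.lower() in ("all", "any"):
            raise ValueError("consent must be specific to one purpose")
        self._events.append(ev)

    def grant(self, user_id: str, purpose: str, notice_version: str,
              evidence: str, at: Optional[datetime] = None) -> None:
        self.record(ConsentEvent(user_id, purpose, True,
                                 at or datetime.now(timezone.utc),
                                 notice_version, evidence))

    def withdraw(self, user_id: str, purpose: str, evidence: str,
                 at: Optional[datetime] = None) -> None:
        # Withdrawing must be as easy as consenting; we only need to know
        # that it happened, when, and through which channel.
        self.record(ConsentEvent(user_id, purpose, False,
                                 at or datetime.now(timezone.utc),
                                 "n/a", evidence))

    def is_lawful(self, user_id: str, purpose: str,
                  at: Optional[datetime] = None) -> bool:
        """True iff the most recent event for (user, purpose) at or before
        `at` was a grant. No event at all means no consent."""
        at = at or datetime.now(timezone.utc)
        relevant = sorted((e for e in self._events
                           if e.user_id == user_id and e.purpose == purpose
                           and e.at <= at), key=lambda e: e.at)
        return bool(relevant) and relevant[-1].granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything you can show an authority (or the user) for this user."""
        return sorted((e for e in self._events if e.user_id == user_id),
                      key=lambda e: e.at)


def demo() -> dict:
    """Constructed scenario (not real data): a DTx user consents to two
    purposes at signup and later withdraws one from the settings page."""
    t0 = datetime(2023, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("u-42", "symptom_tracking", "notice-v3",
                 "signup checkbox", at=t0)
    ledger.grant("u-42", "research", "notice-v3",
                 "separate research checkbox", at=t0)
    ledger.withdraw("u-42", "research", "settings page toggle",
                    at=t0 + timedelta(days=30))
    return {
        "tracking_now": ledger.is_lawful("u-42", "symptom_tracking"),
        "research_before_withdrawal": ledger.is_lawful(
            "u-42", "research", at=t0 + timedelta(days=10)),
        "research_now": ledger.is_lawful("u-42", "research"),
        "never_asked": ledger.is_lawful("u-42", "marketing"),
        "events_for_user": len(ledger.history("u-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of querying by timestamp is that a research export made on day 10 was lawful even though the user withdrew on day 30, and the ledger can show exactly that; a backend that only stores the current "consented: yes/no" flag cannot.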
Getting explicit consent right is essential to building a good customer relationship. It puts people at the centre of the relationship and can help build confidence and trust. This can enhance your business’ reputation, improve levels of engagement and encourage the usage of new products and services. It’s one crucial step to set yourself apart from the competition.
Concerned about what good explicit consent should look like? Don’t worry. There are plenty of good examples around the web. Here is our example:
Implement technical and security measures
Digital applications dealing with personal data, and health data in particular, require strong security controls, proportionate to the sensitivity of the data and the complexity of the sector. Here are some of the principles and tips to start with:
- Privacy and Security by Design (Article 25 GDPR) requires you to implement appropriate technical and organisational measures (e.g., pseudonymization and encryption) effectively “at the time of the determination of the means for processing and at the time of the processing itself”. The aim is to build data-protection principles into a project, service or product from the very beginning of its design.
- Privacy by Default means that, by default, only the personal data necessary for each specific purpose of the processing are processed (the data minimization principle): collect fewer fields, keep them for less time, and make them accessible to fewer people.
Implementing such technical measures from the very beginning allows you to avoid the risk of wasting time, effort, and money on future changes.
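To make the two principles above concrete, here is an added example (written for this post, not Chino.io code) showing pseudonymization and data minimization applied to a health record before it leaves the core system. Pseudonyms are keyed HMAC-SHA256 values: the same key maps the same patient to the same pseudonym (so research records stay linkable), a different key yields unrelated pseudonyms, and without the key the pseudonym cannot be reversed, which an unkeyed hash of a guessable patient ID would not give you. Per-purpose allow-lists implement minimization: an export for research or reimbursement carries only the fields that purpose needs, and age is generalised to a band. The record fields, purposes and key-handling names are assumptions; encryption at rest and in transit is a separate control not shown here.

```python
"""Pseudonymization plus per-purpose data minimization for a health
record. Added example; field names and purposes are assumptions."""
import hashlib
import hmac
from typing import Any, Callable, Dict, Set


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym. The key is the re-identification
    secret: keep it in a KMS/HSM, separate from the exported data set."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def age_band(age: int) -> str:
    """Generalise an exact age to a 10-year band (e.g. 34 -> '30-39')."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


# Fields each purpose is allowed to receive. Anything not listed is dropped.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "research": {"age_band", "condition", "adherence_pct"},
    "reimbursement": {"condition", "sessions_completed"},
}

# Fields that are derived (generalised) from the raw record rather than copied.
DERIVED: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "age_band": lambda r: age_band(r["age"]),
}


def minimise(record: Dict[str, Any], purpose: str) -> Dict[str, Any]:
    """Return only the fields the purpose needs. An unknown purpose raises
    KeyError on purpose: failing closed beats exporting everything."""
    allowed = PURPOSE_FIELDS[purpose]
    out: Dict[str, Any] = {}
    for field in allowed:
        if field in DERIVED:
            out[field] = DERIVED[field](record)
        elif field in record:
            out[field] = record[field]
    return out


# Constructed sample record (not real data) with direct identifiers that
# must never reach a research or reimbursement partner.
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "p-1001",
    "name": "Jane Example",
    "email": "jane@example.org",
    "age": 34,
    "condition": "type-2-diabetes",
    "adherence_pct": 87,
    "sessions_completed": 12,
    "free_text_notes": "mentions employer and home address",
}


def export_for(purpose: str, key: bytes,
               record: Dict[str, Any] = SAMPLE_RECORD) -> Dict[str, Any]:
    """Minimised record plus a pseudonymous subject identifier."""
    out = minimise(record, purpose)
    out["subject"] = pseudonymise(record["patient_id"], key)
    return out


if __name__ == "__main__":
    key = b"research-pseudonym-key-2023"  # placeholder; load from a KMS in practice
    print(export_for("research", key))
    print(export_for("reimbursement", key))
```

Because the pseudonym is deterministic per key, rotating the key for a new study deliberately breaks linkability with the old export; that is a feature when two partners must not be able to join their data sets.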
Are you building a digital health app? Here you can find more resources that may be useful for you.
Review all your data transfers
You should review all your data transfers to third countries (outside the EU/EEA), not just to the US. And no, cloud storage is not exempt from the GDPR: the cloud provider acts as your processor, so you need a data processing agreement with it and, if it stores or accesses data outside the EU/EEA, a valid transfer mechanism such as an adequacy decision or standard contractual clauses (hiring a DPO will help you manage this). In addition, you should keep accurate records of your processing activities. Reviewing every data transfer your startup makes lets you clearly understand the journey your data takes and whether it is handled and stored correctly. Furthermore, transparency on this topic makes you more solid and reliable when speaking to potential investors and key partners.
Perform a Data Protection Impact Assessment
The DPIA is the document demonstrating that you have completed a risk assessment and identified the measures needed to comply with the GDPR provisions, and that your processing does not present a high risk to users. The GDPR requires it whenever processing is likely to result in a high risk, which is typically the case for large-scale processing of health data. By following a risk-based approach and analysing the nature, scope, context and purpose of your processing, you will be able to show how risky your activity is and what its potential impact on data protection is. Today it is quite common for big companies to ask for your DPIA when closing a deal with you (or at least to ask when you last did one). And don’t worry: the DPIA can be carried out by anyone, internal or external to your startup, although the controller remains responsible for it.
Start thinking about appointing a DPO
The Data Protection Officer can be thought of as the champion of data subject rights: the person upholding the privacy rights of the end users of your application. For early-stage startups this can be hard, since the DPO must be free of conflicts of interest and therefore should not be part of the management team that decides the purposes of processing. (For this reason, we launched DPO as a Service, which lifts the DPO responsibility off your shoulders and acts as the point of contact for authorities, partners and users on your behalf.) The GDPR makes it very clear what a DPO must do:
- Inform and advise the company and its staff about their duties under the GDPR and related regulations.
- Monitor compliance with the GDPR, including the assignment of responsibilities, awareness-raising and the training of staff involved in processing.
- Provide advice on data protection impact assessments (DPIAs) and monitor their performance.
- Cooperate with, and act as the contact point for, the supervisory data protection authority.
Trust is built when compliance is already in place
It is clear that the core and ambitious purpose behind the GDPR is to protect users’ data privacy, and it creates a great number of challenges for all companies, regardless of size. Thinking about GDPR compliance from the very beginning has significant advantages for your business, especially at the startup stage:
- Launch a safe product and gain your customers’ trust.
- Avoid unexpected delays in the development and time to market due to long-approval times, non-compliance, etc.
- Build trust with your customers, partners and investors, and position yourself as a trustworthy player.
- Grow faster, and sell better.
Don’t forget that having a clear roadmap in mind will help you prioritise the activities and cut the time and costs needed to be successful in the long run. The sooner you think about GDPR, the easier it will be. In case you’ve missed it, here is Embie’s story - a real case study on the importance of starting compliance from day 0 for a startup like yours.
Last but not least: keep in mind… Don't Panic!
You can turn challenges into opportunities. GDPR is a great way to demonstrate to your users, customers and partners that you have a solid business model that relies on protecting users' privacy.
Want to know more about the technical measures required by the GDPR? Read our previous blog post on 9 key things about GDPR that eHealth App developers should know.
How Chino.io can help you
We are a one-stop shop for the digital privacy and security compliance aspects of your product. Successful compliance strategies evolve with you; for this reason, we have kickstart programmes for startups developing their digital product. As a partner to our clients, we combine regulatory and technical expertise with a modular IT platform that lets digital applications reduce compliance risk and save costs and time.
Chino.io makes compliant-by-design happen faster, combining legal know-how and data security technology for innovators.
To learn more, contact us and book a free 30-minute call with our experts.