In the modern business world, timing is everything. As a company dealing with innovation, you may have heard these two scenarios:
- Good timing can turn a good product into a breakout success;
- Bad timing can make your company lose the game.
It’s all about being in the right place at the right time.
The same holds for compliance. Companies often let compliance shrink to a tiny afterthought at the end of the product/service lifecycle.
What’s the problem?
Well, let’s go through the three common scenarios presented in the previous blog post:
✅ Do you want to sign a partnership agreement with a pharmaceutical company? You will have to prove to be GDPR compliant.
✅ Do you want to use the data for research purposes? Well, you need to be GDPR-compliant.
✅ Do you want to get your DTx app reimbursed? You need to be GDPR compliant.
GDPR is a permission-to-play requirement. Whether you are a startup or an established company, you must get your compliance in place to access the market.
It’s never too late to tackle GDPR and transform it into a unique opportunity to gain trust, build solid relationships with your customers and partners and grow better.
Want to win more customers? Compliance is your best friend.
If you are reading this article, you may be part of an established company with products in the market. Or, again, you are in the startup stage, trying to understand what may come later regarding GDPR compliance.
(If you are a startup founder, we have published a blog article that may be for you: GDPR: what fast-growing B2B startups got right to close A-deals.)
What the fastest-growing companies did before going to market.
Let’s take a quick step back with a brief recap of the two main steps you should have carried out during the development stage of your product/service.
Determine your GDPR requirements.
Your GDPR requirements are the foundation on which your innovative products are built. They list the actions you need to take to achieve compliance, so it is important to determine them from day 0 of the development stage.
Unfortunately, there is no one-size-fits-all solution here: no standard checklist, no standard workflow. Instead, you must carefully consider how the GDPR applies to your company, your team, and your work.
Define your project scope in advance.
Scoping is vital for successful project execution and involves understanding all the key elements of your project (criteria, milestones, and deliverables, to name a few).
To begin your GDPR journey, you need to assess the overall compliance situation of all personal data within your organisation. That assessment cannot be complete unless you have a clear picture of where this personal data is located (which databases, which backups, which third-party services). That is why it is essential to get your scope as close to 100% as possible before you start the project itself.
Most of the time you will never reach a fully complete inventory, but aiming for the fullest scope possible goes a long way toward avoiding the risk of non-compliance through data you did not know you held.
The 6-step journey to build competitive advantage from GDPR compliance.
1) Talk to people.
There are several resources you can use. The best one is to talk to similar companies in your ecosystem that have faced similar challenges.
Try to understand how they approached data privacy requirements: whether they looked for outside help, recruited specialists, or tried to do things in-house. In particular, find out whether their approach worked as well as they expected, or whether they would have done something differently.
And if you haven’t already, talk to your customers! Understand their expectations and how your product will be assessed within their company (vendor risk assessment questionnaires, security reviews, DPO sign-off). Leverage the expertise of your sponsors within your client’s organisation.
2) Define who will be accountable.
Whether you choose to do things in-house or to outsource, someone will have to own this responsibility in your company. Even with outside help, someone on your team will have to make sure that the proper time, resources, and priorities are assigned to compliance measures.
This will impact several levels of your organisation. Your dev team will have to work on implementing technical requirements, your business teams will need to understand the implications of the compliance measures you implement, and you need to make your company aware of the organisational measures you put in place.
When you work with an external consultant, you leverage a proven process (hopefully). But consultants cannot solve your compliance problems on their own: they need your company’s commitment to move things forward and achieve the goal.
PS: If you are a healthcare business, you will face even stricter rules, as the information you store can be very sensitive. The GDPR distinguishes ordinary personal data from the special categories of personal data in Article 9 (health data among them), which may only be processed under one of the Article 9(2) conditions; truly anonymous data, which cannot be linked back to a person, falls outside the GDPR altogether (Recital 26), but health records that are merely pseudonymised do not qualify as anonymous.
3) Define a project focused on your product.
The usual approach to GDPR compliance is to look at your organisation and how you protect your employees’ data.
This is important, but it is not the first priority.
If your product handles personal data and you are selling in the B2B space, your product is the place to start. The first questions you will get when you go selling are about the data in your product:
- What type of personal data do you collect?
- How do you manage them?
- How do you organise and store the data collected?
- What are the common mistakes we should avoid?
These are only a small part of the questions you should be asking yourself. Having a clear map in mind will make the following steps much easier. Now it’s time to jump in and get your hands dirty!
4) Get to work!
Start with the data that you process, classify it, and define the purposes you are processing it for. You will need to define the legal basis for each processing activity (Article 6, plus one of the Article 9(2) conditions if you process health or other special-category data), and this is where seasoned GDPR experts come in handy. You will also need to work out whether you are a data controller or a data processor for each activity, which has big implications for what compliance will look like for your business.
The next step is to take a look at your architecture.
- Map out all your databases, which data categories you hold in each one, and which other services (analytics, e-mail, support tools, sub-processors) receive data about your users.
- Define proper data privacy and security measures, like encryption, pseudonymisation, access control, and more. Be very wary of any US cloud provider you use: a provider outside the EU/EEA triggers the international transfer rules of Chapter V of the GDPR (transfer mechanism plus a transfer impact assessment after the Schrems II ruling), which can have a significant impact on the risk of your data processing activities.
- You will need to dig really deep; the usual questionnaire you find online will not be detailed enough to get the right answers. Usually it just asks whether you use “cryptographic methods” to protect data. That is too generic and not enough to convince the DPOs at your clients’ organisations that users’ data is secure and that your product is compliant. Be ready to say which data is encrypted, at rest and in transit, with which algorithms, where the keys live and who can use them, and whether your pseudonyms can be reversed without the key.
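The difference between “we hash identifiers” and a defensible pseudonymisation answer is the point the questionnaire misses. The following is an added example written for this post, not Chino.io’s code: it contrasts unkeyed hashing (still re-identifiable by an attacker who can guess the input space) with keyed HMAC pseudonymisation, and builds a research export that drops direct identifiers. The column schema, the sample records and the key-handling convention are assumptions made for illustration.

```python
"""Keyed pseudonymisation of identifiers for a research export (added example).

Not Chino.io's code. SCHEMA, RECORDS and the key handling are illustrative
assumptions; in production the key would come from a KMS/HSM, never from
the same store as the data.
"""
import hashlib
import hmac
import secrets

# Constructed data map: which columns are direct identifiers, which hold
# special-category (Art. 9) data, and which are plain attributes.
SCHEMA = {
    "patient_id": "identifier",
    "email": "identifier",
    "full_name": "identifier",
    "diagnosis": "special",
    "signup_year": "attribute",
}

# Constructed sample records (fictitious people).
RECORDS = [
    {"patient_id": "P-1001", "email": "anna@example.com",
     "full_name": "Anna Example", "diagnosis": "T2 diabetes", "signup_year": 2021},
    {"patient_id": "P-1002", "email": "ben@example.com",
     "full_name": "Ben Example", "diagnosis": "hypertension", "signup_year": 2022},
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. The output is still personal data: anyone who can
    enumerate plausible inputs (patient IDs, e-mail lists) rebuilds the
    mapping offline, as reidentify_by_dictionary() shows."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the token cannot be
    linked back; the key is the 'additional information' that Art. 4(5)
    GDPR requires to be kept separately under technical measures."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reidentify_by_dictionary(token: str, candidates, key=None):
    """Dictionary attack: recompute the token for every plausible input.
    Succeeds against naive_hash; against pseudonymise it only succeeds for
    an attacker who also holds the key."""
    for candidate in candidates:
        guess = pseudonymise(candidate, key) if key is not None else naive_hash(candidate)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def export_for_research(records, key: bytes, schema=SCHEMA):
    """Replace the linking identifier with a keyed token, drop every other
    direct identifier, keep the research fields, and flag rows that still
    contain special-category data so Art. 9 safeguards are applied."""
    out = []
    for rec in records:
        row = {"subject_token": pseudonymise(rec["patient_id"], key),
               "contains_special": False}
        for col, value in rec.items():
            kind = schema.get(col, "attribute")
            if kind == "identifier":
                continue  # names and e-mails never leave for a research set
            if kind == "special":
                row["contains_special"] = True
            row[col] = value
        out.append(row)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: fetched from a KMS in production
    for row in export_for_research(RECORDS, key):
        print(row)
    ids = [f"P-{n}" for n in range(1000, 1100)]  # the attacker's guess list
    print("naive hash re-identified:",
          reidentify_by_dictionary(naive_hash("P-1001"), ids))
    print("keyed token re-identified without key:",
          reidentify_by_dictionary(pseudonymise("P-1001", key), ids))
```

The export keeps the diagnosis, so the result is pseudonymised, not anonymised: it is still personal data, and the key store, not the hash function, is what a DPO will ask about.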
While you are here, pay attention to the front end as well. Check your consent implementation (especially if you rely on consent as the legal basis for your data processing), your privacy policies, and the data processing agreements you sign with your clients.
Once this is done, you will need to implement several organisational measures. For this, you can usually follow standards like ISO 27001. This can get quite overwhelming as well, so here too an expert comes in handy.
Next, you will need to perform a Data Protection Impact Assessment (Article 35). This is a document that records all the data processing risks you identified and the mitigation measures you implemented to bring the risk down to an acceptable level, following the EDPB (formerly WP29) guidelines on DPIAs. It is very common for clients to ask whether you carried one out, and when you last did it.
But before getting there, there is something else...
5) Hire a DPO.
Regardless of whether you decide to handle GDPR on your own or with outside help, it is very likely that you will need to appoint a DPO. Article 37 makes one mandatory when your core activities consist of large-scale processing of special-category data (such as health data) or of regular and systematic monitoring of data subjects on a large scale. But besides being a legal requirement in those cases, it is widespread for big companies to ask you to have one, and reimbursement schemes, like Germany’s DVG, require you to have one as well.
While someone inside the company can take the DPO role, keep in mind that Article 38(6) requires the DPO to be free of conflicts of interest: the DPO must not hold a position in which they decide the purposes and means of processing, which rules out roles such as CEO, CTO, or head of IT.
Finding a proper DPO for your company can be a long and winding road. It is very hard to find legal expertise that also understands the technical details of how your product works. For this reason, we launched DPO as a Service, which lifts the DPO responsibility off your shoulders and acts as the contact point for authorities, partners, and users on your behalf.
The DPO will come particularly handy for the next step!
6) Perform Data Protection Impact Assessment.
This is the last step and will prove your compliance. A DPIA is required if your data processing is likely to result in a high risk to the rights and freedoms of your users; this is usually the case if you process special-category data such as health data, or if you process personal data on a large scale.
Schedule and conduct periodic data protection impact assessments from a risk perspective, and identify mitigations and remediation activities for non-compliant processes.
Your DPO should check that your DPIA was carried out properly and that the risk mitigation measures you implemented are sufficient. If everything goes well, you are ready to conquer the market and gain the trust of your customers, stakeholders, and investors.
We are the one-stop shop for solving all digital privacy and security compliance aspects. As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows startups and companies to eliminate compliance risks and save costs and time.
✅ Do you want to eliminate residual risks for your business?
✅ Do you want to pass Vendor Risk Assessments easily?
✅ Do you want to do due diligence on a company before investing?
During the last 6 years, we have helped several startups and companies deal with data privacy and security compliance issues. To support you in the market phase of your business, we offer remediation and ongoing compliance support:
- Legal-tech gap analysis that verifies all implementation choices and legal policies, drawing on a comprehensive knowledge base of regulations and of security and development best practices.
- Ad-hoc remediation plans based on your needs, which include ongoing compliance support (DPO or Compliance Partner).
- Our Compliance Toolkit solves the most complex challenges and gaps.
Chino.io makes compliant-by-design digital innovation happen faster, combining legal know-how and data security technology for innovators.
To learn more, contact us to book a free 30-minute consultation.