Tech Tips | Privacy and Data Protection
Why Should I Care?
For start-ups, there are three key reasons why data protection is an ongoing concern:
- Legal Obligation: The law (UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018) requires you to comply. Failure to comply can result in fines of up to £17.5 million or 4% of annual global turnover – whichever is greater;
- Funding/Investment/Acquisition: Investors typically require a start-up to demonstrate compliance with data protection laws as a prerequisite for funding. Corporations and public entities (such as health care service providers) have the same requirement for partnership ventures; and
- Reputation: In the unfortunate event of a data breach, a start-up must be able to show that it has in place the appropriate infrastructure and assets to protect personal data so that damage is mitigated and its reputation as a responsible corporate citizen is preserved.
Privacy v. Data Protection
Though very much intertwined, “privacy” and “data protection” have separate and distinct meanings – understanding the distinction is foundational:
Privacy relates to data subject (individual) rights which include access to and erasure of personal data.
Data Protection relates to an organization’s policies, procedures, and technical safety measures which protect data subject personal data.
Personal Data and Sensitive (Special Categories) Personal Data
Personal Data is information related to an identified or identifiable natural person (data subject) and includes name, postal address, email address, telephone number, IP address, and geolocation.
Sensitive (Special Categories) Personal Data includes information related to race, ethnic origin, political opinions, religious beliefs, physical or mental health, biometric data, trade union membership, and criminal offences.
A start-up must consider and regulate how it processes external (client data subject) personal data and internal (employee data subject) personal data in accordance with data protection laws.
Start-Up Cornerstone Data Protection Assets
To build a foundational data protection infrastructure, a start-up must develop the following assets:
- Data Protection Foundational Assessment (DPFA): (Internal) review existing data protection program and assess risk profile;
- Privacy Policy (+ Cookies Policy): (External) confirm types of personal data collected, provide reasons for processing, and explain data subject rights;
- Data Protection Policy + Data Retention Policy: (Internal) processes and procedures for personal data handling, use, transfer, storage, etc.;
- Data Incident Response Plan: (Internal) data breach management and containment; and
- Data Protection Impact Assessment (DPIA): (Internal) review and test data protection infrastructure, map data flow, and assess high-risk processing (if applicable).
Additional Data Protection Assets
- IT Security and Communications Systems Policy: (Internal) technical and organizational measures employed to protect personal data;
- Employee Privacy Notice: (Internal) confirm types of personal data collected, provide reasons for processing, and explain employee data subject rights;
- Data Subject Request Procedures + Responses: (Internal) response protocols and precedent responses for data subject requests;
- Social Media Policy: (Internal) appropriate use of social media platforms; and
- Data Processing Agreement: (External) contract with third party service provider.
This article was written by Graham MacLeod, Partner TMT – [email protected]