Resource created by Fabio Cassanelli, Co-founder & GDPR Consultant at Argo Business Solutions
Privacy by design: how to make your product or service GDPR compliant
As of the 25th of May 2018, the EU Data Protection and Privacy Regulation (679/2016), more commonly known as "GDPR", began to take effect. The Regulation introduced numerous requirements for those who process data of individuals residing within the European Union.
Many startups, since they process personal data in the context of providing their services, have to deal with GDPR compliance at an early stage of their existence.
One of the first things a startup needs to address is compliance with the "privacy by design" principle introduced by the GDPR.
Privacy by design
Privacy by design is nothing more than the incorporation of privacy requirements from the design of an operation and that the protection of the rights and freedoms of data subjects is integrated into all processes.
Simply put, it is absolutely prohibited to launch a product or service on the market before it is made compliant with the principles introduced by the GDPR. In addition, data protection requirements must be maintained over time.
But, how to design a product or service so that it complies with the principle of privacy by design? Let's take a look at some of the principles to be respected.
- Transparency: The data controller must be clear and transparent with the data subject about how it will collect, use and share personal data.
- Lawfulness: The data controller must identify a valid legal basis for processing personal data.
- Fairness: Personal data must not be processed in a way that is unjustifiably harmful, unlawfully discriminatory, unforeseen or misleading to the data subject.
- Purpose limitation: The data controller must collect data for specific, explicit and legitimate purposes and not process it further in a manner incompatible with the purposes for which it was collected.
- Data minimisation: Only personal data that are adequate, relevant and limited to what is necessary for the purpose are processed.
- Retention limitation: Data must be kept for a period not exceeding that which is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: The principle of integrity and confidentiality requires protection, through appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage. The security of personal data requires appropriate measures designed to prevent and manage incidents of data breach.
- Accountability: The data controller is responsible for compliance with all the above principles and must be able to demonstrate this.
Privacy is not just a bureaucratic requirement
Non-compliance with the GDPR not only exposes the startup to the risk of high fines, it also may undermine its reputation with customers, potential investors and its stakeholders in general.
In particular, in the due diligence phases, in most cases potential investors check the GDPR compliance of a startup and, in case of detected non-compliance, may decide to consider the business too risky. Consequently, it is essential for any newly established startup to seek the advice of a GDPR consultant and, where required by law, to appoint a Data Protection Officer (DPO).
We will discuss the cases in which it is mandatory to appoint a DPO in another following article.