Compliance is not just about the product
In the previous article, we analyzed the importance for a startup of the principle of privacy by design. This principle is embodied in the obligation, introduced by EU Regulation 679/2016 (GDPR), to make all products and services compliant "by design" before they are launched on the market.
However, bringing a GDPR-compliant product or service to market should not be a startup's only concern when it comes to GDPR compliance. The GDPR imposes several additional requirements, and it is not just the product or service that must be compliant but the entire organization.
This guide provides a sample list of these requirements so that the reader can become more aware of the topic.
Register of processing activities
The Register of Processing Activities is a document containing the main information about the processing operations carried out by a data controller or processor. The Register must be produced upon request to the Guarantor for the Protection of Personal Data. The startup must adopt it for all processing activities considered "at risk", i.e. processing that is not occasional.
Appointment of the RDP or DPO (if applicable)
The Responsible for Data Protection (RDP), or Data Protection Officer (DPO), must be appointed by entities whose core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data. The DPO performs support, control, advisory, training and information functions relating to the application of the GDPR. We will discuss the role of the DPO in the next article.
Employees and collaborators: appointments and training
All persons authorized by the startup to process personal data under its authority (for example: employees, trainees, contractors) must be properly appointed and trained. The appointment must include a confidentiality obligation signed by the authorized person.
Appointment of system administrators
The startup must also identify and appoint its system administrators in compliance with the 2008 Provision of the Guarantor for the Protection of Personal Data on system administrators (which is still in effect, despite predating the GDPR).
External processors and sub-processors
All external parties that process data on behalf of the startup must not only be GDPR-compliant but must also be appointed as data processors (Article 28 of the GDPR) via an appointment letter or contractual addendum. This also extends to IT and cloud service providers. The latter, in many cases, already incorporate addenda in their contracts that comply with Article 28 of the Regulation.
Risk analysis and DPIA
The GDPR requires data controllers to mitigate the risks of negative impacts on the rights and freedoms of data subjects through appropriate assessment processes. Therefore, even if the startup has correctly conducted the risk analysis and, where required, the data protection impact assessment (DPIA) when defining the security measures for its product or service, it must not forget to also consider the areas of processing not directly related to that product or service. For example, security measures aimed at minimizing the risk of data breaches must be carefully considered when handling any special categories of data processed for the purpose of managing employment relationships with employees.
The obligations mentioned above, as indicated in the introduction, cannot be considered exhaustive with respect to all the provisions of the GDPR. However, they can serve as a starting point that allows startup management to become aware of the many requirements introduced by the Regulation.