By UpCounsel Privacy Attorney Michael Witt

In their rush to bring products or services to market, many startups inadvertently overlook legal obligations. For a startup, overlooking privacy and data protection can be extremely costly: the costs include system redesign and development work as well as fines, particularly under the European Union’s new General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Fines under the GDPR may reach 4% of global revenue or $20 million where the breached entity has ignored its privacy obligations.

To avoid such penalties, startups should implement “privacy by default” (or privacy by design) from the outset. This is a specific requirement of the GDPR, but it should be combined with all other legal, contractual and voluntary obligations, such as ISO and other frameworks.

1. Compliance Risk Assessment

The first step is a compliance risk assessment that determines the criticality of each obligation and sets the priorities that drive subsequent action.

2. Privacy Impact Assessment

The compliance risk assessment is focused on the information security of the organization. A Data Protection Impact Assessment (DPIA) is required to assess the potential risks to the “rights and freedoms” of the covered data subjects as their data is processed by the startup. The DPIA’s requirements and nuances are addressed in Article 35 of the GDPR and Working Paper 29.

3. Privacy by Default Architecture

After understanding the privacy risks inherent in the data processing, the system should be designed to minimize the data collected, delete data once it is no longer required for its original purpose, give data subjects access to their data, and give individuals control over how much of their data is shared with other organizations. The design principle in each of these areas should be construed to maximize the data subject’s privacy, not the processor’s anticipated benefit. Decisions, rationale, and resulting actions should be documented and maintained for each system so they can be revisited as part of the required DPIA process.
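As an added illustration (not part of the article, and not legal guidance), a small Python data store that enforces the four design principles above: collection limited to the fields a declared purpose needs, purpose-bound retention with deletion, a subject access view, and opt-in sharing. The POLICY table, purpose names, field names and day-number clock are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy table: fields each purpose may collect and retention in
# days. Values are illustrative only, not legal guidance.
POLICY = {
    "order_fulfilment": ({"name", "address"}, 90),
    "newsletter": ({"email"}, 365),
}

@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_day: int          # day number of collection (constructed clock)
    data: dict
    shared_with: set = field(default_factory=set)  # partners the subject allowed

class PrivacyStore:
    def __init__(self):
        self._records = []

    def collect(self, subject_id, purpose, data, today):
        # Minimisation: reject any field the declared purpose does not need.
        allowed, _ = POLICY[purpose]
        extra = set(data) - allowed
        if extra:
            raise ValueError(f"not needed for {purpose}: {sorted(extra)}")
        self._records.append(Record(subject_id, purpose, today, dict(data)))

    def purge_expired(self, today):
        # Delete records whose purpose-bound retention period has elapsed.
        expired = [r for r in self._records if today - r.collected_day > POLICY[r.purpose][1]]
        self._records = [r for r in self._records if r not in expired]
        return len(expired)

    def subject_access(self, subject_id):
        # Right of access: everything held about the subject, tagged by purpose.
        return [{"purpose": r.purpose, "data": r.data}
                for r in self._records if r.subject_id == subject_id]

    def allow_sharing(self, subject_id, purpose, partner):
        # Sharing is opt-in per record; the default is no third-party disclosure.
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose:
                r.shared_with.add(partner)

    def export_to(self, partner, subject_id):
        # Only data the subject explicitly released to this partner leaves.
        return [r.data for r in self._records
                if r.subject_id == subject_id and partner in r.shared_with]
```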

4. Assignment of Responsibilities

Data privacy programs typically fail for two reasons: 1) lack of executive support, or 2) missing risk ownership. The policies should be structured to clearly assign responsibilities and communicate that data subject privacy is everyone’s responsibility. This begins at the Board and executive level, and this “tone at the top” should permeate down to all levels of the organization. Each privacy risk identified in the DPIA should have a clearly assigned owner who mitigates and monitors it. Accountability should be distributed across the organization where it makes the most sense; it cannot lie with IT, Legal, or HR alone.

5. Privacy Safeguards

To support the “privacy by design” architecture, controllers and processors must identify the appropriate administrative and technical safeguards to implement. These should first be written into policies and other process documentation appropriate for the organization’s size and scope of processing. The policies should state management’s intent to implement, monitor, and enforce the privacy safeguards.

6. Technical Safeguards

Article 32 requires the controller and processor to implement “appropriate technical measures” commensurate with the risk. Common technologies used to protect privacy include tools that:

  • Map data flows
  • Map devices and networks
  • Identify and track assets
  • Control access
  • Secure the network perimeter
  • Encrypt data in-transit and at-rest
  • Secure servers and endpoints
  • Identify malware
  • Prevent data leakage and exfiltration
  • Log and aggregate security incidents
  • Restore the availability and access to personal data
  • Manage the consent lifecycle

7. Training

All users should be trained according to their role and their potential access to data. This training should be conducted at the time of hire and reinforced continually thereafter. Training content should focus specifically on the controller’s system, the implemented safeguards, and the privacy risks to data subjects.

8. Monitoring

Privacy by design cannot be sustained without a process for regularly testing, assessing and evaluating the effectiveness of the privacy safeguards. A monitoring plan should be developed to ensure continuous security of the data processing. The plan should include the scope, methods, roles, frequency, and reporting or escalation procedures. Implement and execute the monitoring plan to provide continuous improvement of the privacy safeguards. The risk owner and other stakeholders should collaborate to determine whether any external notification is required.

9. Remediation

Monitoring results need to be analyzed to determine the root cause of any deficiency. Once analyzed, remedial actions should be developed, communicated, implemented, and documented. Remediation should be tested to ensure it fully addresses the identified risk.

10. Reporting

Each step of the privacy program should be documented and reported to appropriate internal and external stakeholders. Specific thresholds should be identified for escalation procedures. It is advisable to have a regular independent review of the program to ensure adequacy.

11. Where to Begin

Implementing privacy by design should be viewed as an organization-wide process. Establish a cross-functional governance structure to educate key stakeholders, including the Board. This body should drive the privacy program to ensure its success and continued operation. Privacy professionals should be consulted where the organization lacks clarity or requires assistance in program design. Developing a data privacy program under the auspices of legal counsel establishes a relationship with a trusted legal counselor and better prepares the startup for future incident response, breach notification, and potential litigation.

About the author

Michael Witt

GDPR and NIST 800-171 are two critical compliance standards affecting many businesses. These requirements are best achieved when addressed by an effective management program to ensure effective implementation and continued compliance. I have been helping clients implement and monitor control frameworks, data privacy, and information security programs for 15 years.

My practice focuses on improving business processes to meet legal requirements - not forcing new laws on the business without proper preparation. I offer privacy and data security consulting, program development, process improvement, executive/board reporting, and traditional in-house counsel services.
