Meta was fined 1.3 billion US dollars this Monday (nytimes.com, 23.5.2023) for violating the European Union data protection rules by not protecting Facebook data whilst shipping it across the ocean. This is not the first time Meta has breached the GDPR rules and as they have noticed, the consequences are steep. For smaller startups, the consequences can be crushing. Therefore, it is important to be concerned on how your company receives, handles, and protects data, especially in today’s world where everything revolves around data.

It has soon been five years since the General Data Protection Regulation, or GDPR, was fully implemented across EU. With a much broader and more specific protection replacing the 1995 Data Protection Directive, startups (or, all businesses) need to be extra careful when handling in-flowing data and making sure that there are no leakage or mishandling. As apparent, failing to be compliant leads to massive penalties – and at that point, it doesn’t matter how big or small of the business it is.

Can’t ask for forgiveness afterwards

The fines for lack of compliance can be as much as 20 million euros or 4% of the company’s revenue.“Companies are responsible for the whole customer data lifecycle – even outside of their infrastructure”, states Sylvian Kalache in the article Think GDPR is a big company problem? (sifted.eu 20.4.2022). Kalache says that more and more investors are seeing poor GDPR compliance in startups a risk for potential funding. On top of this, consumers want their data protected: Company’s non-compliance of GDPR can be made public. Hard recovery.

What should be included in the GDPR compliancy package?

A company needs to have a killer Privacy Policy outlining the data is collected, processed, and protected. It should be easy for consumer or user to understand, written in plain language. Cookiesyes.com lists that a comprehensive Privacy Policy enhances trust with the company and the user as, where the data is going and how it is used, stays transparent.

GDPR also includes the rights of the data subject for added transparency. This means that data subjects have a right to, for instance, access their data, obtain information about their data, and restrict the processing of it (tietosuoja.fi). The legal side of data processing includes identifying and documenting the process of personal data collection: Making sure that consent is given, contracts respected, and legal compliance fulfilled.

 When to hire help?

If a company processes personal data, a Data Protection Impact Assessment, an DPIA, is in place, says Kalache: “Companies must ensure that the personal data they collect is actually a requirement, that it is stored just for the time it is needed and that the right level of protection is put in place depending on the sensitivity of that data.” For this, it is recommended to hire an expert of the matter, an DPO. But when is hiring help crucial for a startup?

Depending on the sensitivity of the data processed, a startup should contemplate when an expert is hired to look after privacy or DPIA process started. It is good to recognize what areas to outsource and where to focus on. The typical ’execute now and ask for forgiveness later’ should not be the way to operate alongst the GDPR lines. Like said, the consequences might end the whole company.

The typical ’execute now and ask for forgiveness later’ should not be the way to operate alongst the GDPR lines.

Sanni S