Is GDPR Relevant for Your US-based Tech Startup?
DOES GDPR AFFECT SMALL US-BASED COMPANIES AND STARTUPS?
If you have any customers or even users in the EU, the answer is likely yes. GDPR jurisdiction applies to all companies processing the personal data of anyone living in the EU, regardless of the company’s location. Plus, violations come with hefty fines that no bootstrapped outfit can afford. GDPR Article 29 states that companies under 250 employees may need to comply with the regulations if they:
- Process data that could risk/affect the rights and freedoms of individuals
- Process personal data on a regular basis
- Process data which is covered by Article 9 of the GDPR
ARE YOU OBLIGED TO COMPLY?
Perhaps intentionally, the regulation’s reach is quite generalized. If any of these situations apply to your business - regardless of size - then you must comply with all aspects of GDPR . Of course, the devil will be in the interpretation and application of the law. We sense that enforcement will tend to be more broad than narrow. The reasoning behind this conclusion is that Article 8 (1) of the Charter of Fundamental Rights of the European Union has included privacy rights as a human right. This alone justifies a demand for more rigid adherence. The practical implications are that any tech firm, no matter how large or small, is subject to being identified as a processor of personal data.
STEPS TO ENSURE GDPR COMPLIANCE FOR SMALL BUSINESSES
Despite the waves the new EU law has created, there are concrete steps businesses can take to shield themselves from non-compliance penalties:
- Beef up consent and disclosures.
- Update user notices. Privacy is no longer a commercial transaction codified in Terms of Service agreements.
- Apply transparency, documentation and evidentiary compliance in key operations.
- Audit and document lawful and legitimate access to user data. Document rationale.
- Implement annual audits to verify compliance.
OUTSOURCE FOR FASTER & MORE RELIABLE COMPLIANCE
No matter how onerous the task may be, ignoring the situation could put your entire operation in jeopardy. Furthermore, if you plan to grow, it’s best to implement solutions now rather than adopt piecemeal fixes later. This is especially important if you consider the retroactive nature of some sections of GDPR.
Proactive firms that adopt robust practices will avoid problems down the road. However, most startups lack the in-house resources to achieve full compliance. Digital security firms, on the other hand, have already developed templates and tools to:
- Implement the basics of Right of Consent notices.
- Document data flows.
- Establish/publish policies.
- Prescribe/enforce controls with employees.
- Demonstrate transparency with partners and end users.
Tech startups and small business would be wise to enlist the services of experts that can minimize any GDPR non-compliance risk.