Are you a startup company?
We understand that you have plenty to think about other than data privacy when starting a business. However, it is wise to think about data privacy early on, as it is usually easier to incorporate from the start. If you need investors, it is also a great advantage to be compliant. If you plan on selling the business, a lack of data privacy compliance can be perceived as a risky defect, which in turn may reduce the selling price, or increase the guarantees you will have to give to the seller.
We therefore recommend that you start by taking these three steps:
1. Place the responsibility for privacy on one person (even if several need to assist)
2. Provide the responsible person with basic training (like courses, webinars, reading, or legal advice)
3. Make sure you have the basic documents in place:
- A record with an overview of the processing activities that are already taking place or will take place in the future.
- Identify the legal basis for the processing
- Inform those whose information you process (e.g. through a privacy statement)
- If you have suppliers who process data on your behalf, enter into a data processing agreement
Once you have completed these three steps, you can breathe more calmly. The next steps you should take are these:
1. Consider whether the processing poses a high risk to data privacy. If so, you need to consider carrying out a data privacy impact assessment (DPIA).
2. If you are transferring personal data out of the EEA, make sure you have a legal basis for the transfer
3. Start planning an internal control system, stating who is responsible, policies, etc.
4. Enter data privacy as an item in the board's annual work plan. The data protection supervisor should submit a report at least twice a year and appear before the board at least once a year.
Remember that everything you do must be documented in accordance with the GDPR.
Once you have completed these steps, you are almost there. Continue with these steps, preferably posted in an annual plan:
- Prepare the internal control system. Prioritize the most important policies first.
- Assess whether you need a data protection officer.
- Consider whether you need cyber insurance, which may offload substantial risk related to privacy breaches and cyber-attacks.
If you have any questions about this, or need assistance, please contact us.