As the law develops, many businesses get caught up in expensive and grueling compliance efforts. Consider the scramble to comply with the GDPR when it passed in May of 2018.

Despite the two-year transition period, many people were tearing their hair out right up until the deadline day, trying to jettison personal data that it would suddenly become unlawful for them to hold.

If you're building a business, you have a great opportunity to comply with privacy law right from the start. Too many start-ups focus exclusively on chasing investment or getting their product to market. These things will no doubt occupy most of your attention in the early days. But you can't neglect legal compliance.

We're going to take a look at some of the key challenges that new start-ups face when complying with privacy law. We'll also be looking at some real examples of successful young businesses that have implemented some great solutions.


Why Privacy Law Matters

What's the main purpose of your new start-up? Perhaps you've found a cost-effective way to produce a consumer product. Or you've developed an app that people will want to download. Or maybe you're setting up a website that you hope will draw large amounts of traffic.

Whatever your answer to this question, you will almost certainly need to comply with privacy law. Any business that engages in the processing of personal data will have to think about the legal implications of doing so. And every successful business "processes personal data" to some extent.

Personal Data

Privacy law (and data protection law - we'll be using the terms interchangeably throughout this article) seeks to help consumers maintain control over the way businesses treat personal data.

The term "personal data" (sometimes called "personal information" or "personally identifiable information") can refer to any piece of information that identifies a person. This definition can be interpreted very broadly.

Personal data can include:

  • Information that directly identifies a person. A name or an email address are good examples of this.
  • Information that could indirectly identify a person. A person's phone number, on its own, won't identify a person. But it could identify a person when combined with other information. The principle extends to online identifiers, such as login credentials, cookies and even IP addresses (under certain circumstances).

Processing personal data means doing something with it - collecting it, storing it, sharing it, erasing it, etc.

The Purpose of Privacy Law

It's increasingly easy, and common, for a business to gather large amounts of personal data.

Privacy law can fulfill some of the following purposes:

  • Limiting the amounts or types of personal data that businesses can collect
  • Restricting the ways in which businesses can collect, store and share personal data
  • Setting rules about how businesses directly communicate with their customers

This means that privacy law is particularly relevant to many common business activities, including:

  • Behavioral advertising (sometimes called "targeted" or "personalized" advertising)
  • Direct marketing (e.g. email marketing)
  • Market research
  • Data collection via apps and other software (for example, use of location data)

Some Important Privacy Laws

Different legal jurisdictions have very different approaches when it comes to regulating the processing of personal data.

Many privacy laws have extraterritorial scope, meaning that they apply to any businesses operating within the law's jurisdiction, whether the business itself is based there or not.

United States

Privacy law in the United States is not well-established. There are some important federal privacy laws that apply to specific types of businesses. For example:

  • The Children's Online Privacy Protection Act (COPPA)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Gramm-Leach-Bliley Act (a law regulating financial institutions)

These privacy laws don't apply to everyone. If you're operating in the US, however, you need to be aware of some of the state privacy laws of California, such as:

  • The California Online Privacy Protection Act (CalOPPA)
  • The California Consumer Privacy Act (CCPA)

Because these laws protect the privacy of California consumers, they effectively apply to all businesses operating in the US (so long as they fit within the definition of a "business" within the scope of the laws).

It's also important to be aware of CAN-SPAM, a federal law which regulates direct marketing activities.

European Union

The European Union (EU) is streets ahead of the rest of the world when it comes to regulating online privacy. All EU countries are signed up to these laws (including the United Kingdom).

Two important privacy laws in the EU are:

If your start-up can comply with the strict rules set by the EU, it will be in a position to comply with many other privacy laws as well. With this in mind, the guidance in this article is designed to help start-ups reach this very high standard of compliance.

Of course, not all businesses will actually need to obey EU law. But it does apply to many companies based outside of the EU. You'll have to comply with EU privacy law if you:

  • Offer goods and services in the EU, or
  • Monitor the behavior of people within the EU, including via behavioral advertising campaigns

This applies regardless of where you're doing business from.

Other Places

Most major economies have laws regulating the way companies treat personal data and make contact with their customers. Here's just a couple of examples:

Overview of Privacy Law Obligations

First, let's look at a very basic overview of the differences between the world's major privacy laws.

Who the law applies to

  United States: CalOPPA applies to operators of a commercial website or app that processes the personal data of consumers in California. The CCPA applies only to businesses of a certain size or type. Unless your startup is already making $25 million annually (if so, well done!), or makes most of its money selling personal data, the CCPA likely doesn't apply to you.

  EU: The GDPR can apply to any organization or individual operating in the EU. Not only businesses but also sole traders, churches, government departments - everyone has to comply. The size of the operation is irrelevant for almost all purposes.

  Other places: Canada's PIPEDA applies to businesses engaged in commercial activity and also to certain federal institutions. Australia's Privacy Act 1988 applies to public bodies, to any Australian company that has an annual turnover of over $3 million AUD, and to any that trade in personal information.

Who the law protects

  United States: CalOPPA and the CCPA protect "consumers" (private persons residing in California).

  EU: The GDPR protects "natural persons," and so applies whenever your company handles anyone's personal data (customers, employees, clients, etc.).

  Other places: PIPEDA only applies to commercial activity (in respect of private businesses), and so effectively only applies to consumers. The Privacy Act 1988 applies in a broader range of situations, even for private companies, but is not as pervasive as the GDPR. It will cover customer data and employee data (in some circumstances).

How the law defines personal data

  United States: CalOPPA lists six types of information that it defines as personal information (personal data), including name, email address, and social security number. Online identifiers such as cookies or IP addresses are considered personal information when they are stored in combination with one of the six types of personal information above. The CCPA defines personal data in the same way as the GDPR.

  EU: The GDPR has a very broad definition of personal data which covers any information that might directly or indirectly identify a person. Aside from the obvious, this can also include cookies, IP addresses, Android IDs, GPS data, etc.

  Other places: The obvious direct identifiers, such as name, address and social security number, will be considered personal data under any privacy law. Cookies and other online identifiers have an uncertain place in privacy laws outside of the EU and California. In certain contexts, they might be considered personal data. Please see our article on Cookie Consent Outside of the EU for more information.

Other obligations the law places on businesses

  United States: CalOPPA requires the website operator to create a Privacy Policy and display it conspicuously on its website or app. The CCPA requires businesses to facilitate a number of consumer rights. Consumers may request access to their personal data, request that it is not sold or shared, and request that it is deleted.

  EU: The GDPR places a large number of obligations on businesses. These include writing a Privacy Policy, only processing personal data on a specific lawful basis, facilitating users' data rights, storing data securely, and quickly reporting data breaches. There are many more obligations besides these.

  Other places: Both PIPEDA and the Privacy Act 1988 require businesses to adhere to certain principles that include providing access to personal data and storing personal data securely. Both these laws and other privacy laws in many other places require the creation of a Privacy Policy. You can read our article on places where Privacy Policies Are Mandatory By Law for more information.

Getting Your House In Order

The first thing you should do to comply with privacy law is to learn how your start-up processes personal data.

Your start-up is still in its early stages, but you may already know:

  • What service or product you're providing
  • Which countries you're operating in
  • Who you're marketing to
  • What methods you're using for marketing

Even with this very basic amount of information, you can start taking practical steps towards privacy law compliance.

Conducting a Data Audit

Conducting a data audit is a crucial first step in preparing for compliance. You must get some idea of how personal data flows around your company.

This is a relatively simple process, but likely to reveal some surprises. Think about the sorts of information that constitute personal data in the laws that apply to you.

Inbound sources of personal data
  • Emails and mail from:

    • Customers
    • Employees
    • Other businesses
  • Web forms
  • Server logs
  • Analytics logs
  • Cookies
  • Apps
  • Third parties
  • Market research
  • CCTV
Types of personal data you collect via these sources
  • Names
  • Email addresses
  • Phone numbers
  • Shipping addresses
  • ID numbers
  • Login credentials
  • IP addresses
  • Website usage data (e.g. heatmaps)
  • Cookies
  • Internet activity
  • Location data
  • Sensitive data about people's:

    • Race
    • Gender
    • Religion
    • Sex life
    • Biometrics (e.g. fingerprints, photos)
    • Genetics
    • Physical appearance
    • Political or philosophical beliefs or affiliation
    • Union membership
    • Health data
Purposes for collecting this personal data
  • Maintaining lists:

    • Customer lists
    • Mailing lists
    • Marketing lists
    • Invoicing lists
    • Payroll lists
  • Sending email:

    • Marketing email
    • Transactional email
    • Internal communications
  • Behavioral monitoring:

    • Targeting ads
    • Website analytics
    • Conversion optimization
    • A/B testing
  • Providing core services
  • Improving website/app functionality
  • Maintaining security
  • Recruitment and selection
  • Shipping products
  • Taking payments
Locations where personal data is stored within your company
  • Hard drives
  • USB devices
  • Cloud storage
  • Laptops
  • Desktops
  • Filing cabinets
  • Notebooks
  • Desk drawers
  • In-trays and out-trays
  • Mail rooms
Outbound recipients of personal data
  • Marketing companies

    • Behavioral advertising companies
    • Direct email marketing companies
    • Conversion optimization companies
  • Web servers
  • SaaS (software as a service) providers:

    • Email hosts
    • Analytics companies
    • Cloud storage companies
    • Database companies
    • Online word processing tools
  • Payroll or accounting companies
  • Payment processors
  • Government agencies
  • Other customers

By thinking about personal data in this systematic way, you can keep it under control and ensure that you're always legally compliant.

Determining Your Lawful Basis

If you're required to comply with the GDPR, you'll need to consider your lawful basis (or "legal basis") for processing personal data. This means thinking about each of the different ways in which you process personal data, and considering whether or how this fits within the GDPR's six lawful bases for processing personal data.

If you've identified something you want to do, and you need to process personal data in order to do it, you need to have a lawful basis before you can go ahead.

The GDPR provides six lawful bases:

  1. Consent: You've gained the person's permission to process their personal data
  2. Contract: You need to process personal data to carry out your obligations under a contract, or in order to enter into a contract
  3. Legal obligation: You're required by law to process personal data in a specific way
  4. Vital interests: You need to process personal data to preserve someone's life
  5. Public task: You've been given special legal powers to process personal data for the benefit of the general public
  6. Legitimate interests: Your business is carrying out a legitimate activity, and it is necessary to process personal data. You've carefully weighed the benefits against the risks to the person whose personal data is being processed.

It's up to you to decide which of these lawful bases apply to the activities of your business. If you can't see that an activity conforms with any lawful basis, you may need to stop doing it, or do it in a different way.

It's likely that you'll be mostly relying on consent, contract, and legitimate interests for the bulk of your data processing activity. Let's take an in-depth look at these three lawful bases.

Consent commonly forms the lawful basis for activities that are not essential to carrying out your core services or for activities where your customers might not expect their personal data to be used in a given way.

Certain activities will almost always require consent under the GDPR, for example:

  • Using cookies for advertising or tracking purposes
  • Sending direct marketing communications, particularly to people with whom you do not have a strong pre-existing business relationship
  • Processing sensitive personal data (for example, where there is no contract in place)

There might be other reasons to ask for your customers' consent. Here's a real-life example.

Flux launched in 2017. Its business model focuses on the digitization of shopping receipts. Part of Flux's activity involves behavioral advertising. Flux offers information about its users to third-party companies who then target those users with discount offers.

Although the information shared with Flux's partners is stripped of direct identifiers, it must still be treated as personal data under the GDPR. Customers who are using the app for its primary purpose might not expect their personal data to be shared in this way. Therefore, Flux has determined that a suitable lawful basis for this activity is consent. Here's how this is disclosed in the Flux Privacy Policy:

Flux Privacy Policy: Consent for third party use of information clause

We have a full-length article on consent under the GDPR if you want to know more about this topic. We'll also be looking below at how to request consent for cookies and direct marketing.

Processing Under Contract

Sometimes you have agreed to carry out an activity under a contract, and you need to collect or use someone's personal data in order to do this.

For example, you've sold a customer a product and agreed to deliver it to them. How could you possibly do this without collecting their shipping address?

The lawful basis of contract is not interchangeable with consent. To engage the lawful basis of contract, it must be necessary to process someone's personal data in order to either

  • Fulfill your contractual duties to them, or
  • Enter into a contract with them

If it's not necessary to process personal data to do either of these things, this lawful basis does not apply.

Let's take a look at an example of the first point above.

UK start-up Perlego launched in 2017. The company provides a subscription service for textbooks. Obviously, the nature of such a service requires a contract to be set up and some personal data to be collected. Perlego explains this in its Privacy Policy:

Perlego Privacy Policy: Lawful basis to collect and use information clause excerpt

Under this contract, it's necessary for Perlego to use a customer's email address to communicate with them.

It would not be necessary for Perlego to use a customer's email address to send them marketing emails. Consent would be a more appropriate lawful basis for this, and it would have to be sought separately (i.e. not through the Terms of Use).

Your Legitimate Interests

There are some occasions on which it might not be possible or appropriate to get someone's consent to process their personal data in a particular way. You might need to process personal data in pursuit of the legitimate interests of your business.

This is quite a flexible lawful basis that can be used for a broad variety of purposes. But you must exercise caution if you plan to rely on it.

Before you can know whether legitimate interests is an appropriate lawful basis for a given act of data processing, you'll need to carry out a Legitimate Interests Assessment. You can read our article on the 3 Part Test for Legitimate Interests for more information about this.

If you've determined that the data processing you have in mind satisfies the GDPR's requirements, you can process personal data without consent or a contract (or without relying on any of the other lawful bases).

Here's an example of a start-up that uses legitimate interests. Language-learning service Lingumi was launched in 2016. Lingumi's Privacy Policy identifies two types of data processing for which it relies on legitimate interests:

Lingumi Privacy Policy: How we use your personal data - Legitimate interests sections

Lingumi is saying that it has a legitimate interest in sending, receiving and storing correspondence with its customers, and also in processing data about that correspondence. The company identifies several legitimate reasons for which it can do this:

  • Communicating with its customers
  • Keeping records
  • Administering the site and app
  • Exercising or defending against legal claims

Being Transparent with Your Customers

Transparency is a cornerstone of almost every privacy law. You must tell people, at every reasonable opportunity, how you process their personal data. And you need to tell them in a language that they understand - not in complicated legalese.

Creating a Privacy Policy

One of the most important ways you can be transparent is to create a clear and accessible Privacy Policy.

It's amazing that there are still companies out there that have failed to provide a Privacy Policy. This is a potential source of legal problems. It can also appear amateurish and suspicious.

Pretty much everybody needs a Privacy Policy. This is clear from almost all of the privacy laws we've mentioned so far. It's also a requirement of many third parties.

Want to get your app hosted on Google Play? Google's Developer Distribution Agreement requires you to have a Privacy Policy:

Google Play Developer Distribution Agreement: Privacy Policy requirement highlighted

Want to use Mailchimp to help with your email marketing? Here's what Mailchimp requires from its EU users:

Mailchimp Terms of Use: EEA Requirement for Privacy Policy clause

The contents of your Privacy Policy will largely depend on two things:

  • The practices of your company
  • The laws with which you need to comply

Most privacy laws require a Privacy Policy to contain basic information such as:

  • The types of personal data you collect
  • The purposes for which you process personal data
  • The types of companies with whom you share personal data

Beyond this, different laws have different transparency requirements.

If you operate in more than one legal jurisdiction (e.g. the US and the EU), you might have to make clear which sections of your Privacy Policy apply to which customer base.

Some companies go as far as to provide two separate policies, such as Industry Guru:

Industry Guru Privacy Policy for EU Users: Intro and Policy options section

Others, such as sports clothing retailer Hoka One One, simply provide an annotation to their main Privacy Policy:

Hoka One One Privacy Policy: Special Note for EU Users - Your Rights and Choices clause excerpt

We have more information about creating a Privacy Policy to comply with privacy laws such as the GDPR, CalOPPA, and PIPEDA.

TermsFeed Privacy Policy Generator: How to Create a Privacy Policy for Your Website

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Start the Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

     TermsFeed Privacy Policy Generator: Create Privacy Policy for Website - Step 1

  3. Answer the questions about your website and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate My Privacy Policy." You'll be able to instantly access and download your new Privacy Policy:

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

Presenting Your Privacy Policy

It's no good having a Privacy Policy if it's not accessible to your customers.

You should present information about your privacy practices on your website's homepage, within your app, and whenever you request or collect personal information from your customers.

Let's look at how some recent successful start-ups present their privacy information online.

Tech start-up Wondrwall launched its Internet of Things automation software in 2018. Privacy is obviously a very important concern in this field. Wondrwall provides access to its Privacy Policy in the footer of its website:

Wondrwall website footer with Privacy Policy link highlighted

Start-up Ideal Flatmate launched in 2016 to help people find housemates in the rental market. Here's how the company presents its Privacy Policy to users when they first provide personal data via its website:

Ideal Flatmate sign-up page with Privacy Policy link highlighted

Amicable launched an app in 2016 to help married couples stay on good terms throughout the divorce process. Amicable has even taught its chatbot to recite some basic privacy information:

Amicable: Screenshot of chatbot Privacy Policy information

Make sure your Privacy Policy is easily and readily accessible for your users in a variety of places to make sure it's noticed.

Facilitating Your Users' Rights

Your customers have certain rights over their personal data.

Many privacy laws require companies to provide their customers access to any personal data that they hold on them. Some privacy laws go further, requiring companies to amend or erase customer data on request.

You might not be surprised to hear that the GDPR goes the furthest of all privacy laws in this regard. You can read more about this in our article about the 8 User Rights Under the GDPR.

You should include some information about your customers' rights in your Privacy Policy. You should also be prepared to respond to requests, and ensure that everyone in your company can recognize such a request if they receive one.

Home insurance comparison website Homelyfe launched in 2017. Let's take a look at how its Privacy Policy explains its users' rights.

First, the policy lists the GDPR user rights, linking to the website of the Information Commissioner's Office (ICO) which provides further information about each one. Here's an excerpt of the full clause:

Homelyfe Privacy Policy: Your Rights - GDPR clause excerpt

Homelyfe then provides contact details for customers who might wish to exercise these rights:

Homelyfe Privacy Policy: Your Rights - GDPR clause - DPO contact information excerpt

Make sure you're aware of your customers' data rights, that you make your customers aware of these rights, and that you have a system in place to help them exercise these rights.

Respecting Your Customers' Choices

We've talked about when it's appropriate to get consent under the GDPR. You also need to know how to get consent in a way that is compliant with the GDPR.

The GDPR sets a very high threshold for what it considers to be consent. Unlike under some privacy laws, you cannot assume that you have a person's consent. You need to really ask for it, and they need to know what they're getting into.

There are five components of valid consent under the GDPR. Consent must be:

  • Freely given: Don't pressure a person into giving consent or impose any detriment on them if they refuse.
  • Specific: Don't "bundle" consent for several things up into a single request.
  • Informed: Provide clear information about what the request means.
  • Unambiguous: Make sure you can demonstrate that the person is clearly happy to consent.
  • Given via a clear affirmative action: Ensure you have your customer's express consent by asking them to tick a box or say "I consent."

Once you have a person's consent, you must make it as easy to withdraw the consent as it was to give it.

Behavioral advertising techniques that make use of cookies and other tracking technologies are practically ubiquitous among nascent companies that are trying to build their brand. But this marketing method is tightly regulated, particularly in the EU.

EU law (specifically the ePrivacy or Cookies Directive) requires you to obtain consent for any cookies that aren't essential for communication or necessary to provide the user with a service they have requested.

This means that any cookies associated with advertising or analytics require consent. Cookies used for load-balancing, essential security, or multimedia players generally don't require consent.

If you're using cookies for other purposes, such as analytics, tracking, and advertising, you'll need to get consent before you set these on a user's device. And the same five components of GDPR consent must be met. This is why you might have noticed so many "cookie banners" popping up on websites in recent years.

Frankly, there are few companies that obey the rules around cookie consent to the letter. But it is a legal requirement, even if it's often ignored.

Here's an example of a reasonably good cookie consent solution from management consultant start-up Issoria:

Issoria cookie consent notice

Visitors to Issoria's website are invited to accept cookies, and given the option to decline them. Issoria doesn't simply tell visitors that cookies have already been set - a practice that is all too common, and that is not compliant with the GDPR.

You'll also need to provide information about your use of cookies. You can do this via a separate Cookies Policy, or as part of your main Privacy Policy. You can read our article about creating a GDPR Cookies Policy for more information and guidance.
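
One way to implement the consent gate described above, as an added example that is not code from this article or from TermsFeed's Cookie Consent Solution: nothing in the analytics or advertising categories runs until the visitor has explicitly opted in, the stored record is tied to a policy version so that stale consent is never reused, and withdrawing is a single call. The category names, the storage key, the policy version, the cookie names and the loader functions are all assumptions made for this example.

```javascript
// Added example; not from the original article or any TermsFeed product.
// A minimal consent gate for non-essential cookies. Category names, the
// storage key, the policy version, cookie names and loaders are assumptions.

const CONSENT_KEY = 'cookie_consent';   // assumed localStorage key
const POLICY_VERSION = '2024-01';        // assumed; bump when the Cookies Policy changes

// Strictly necessary cookies need no consent; every other category is off by default.
function defaultConsent() {
  return {
    version: POLICY_VERSION,
    givenAt: null,
    categories: { necessary: true, analytics: false, advertising: false },
  };
}

// Record an opt-in. Only a literal `true` per category counts (pass the
// checkbox's `.checked`); a missing or pre-filled value is never treated as consent.
function recordConsent(choices, now = new Date()) {
  return {
    version: POLICY_VERSION,
    givenAt: now.toISOString(),
    categories: {
      necessary: true,
      analytics: choices.analytics === true,
      advertising: choices.advertising === true,
    },
  };
}

// Withdrawal must be as easy as giving consent: one call resets everything non-essential.
function withdrawConsent() {
  return defaultConsent();
}

// A record from an earlier policy version is stale and must not be relied on.
function isAllowed(state, category) {
  if (category === 'necessary') return true;
  if (!state || state.version !== POLICY_VERSION) return false;
  return state.categories[category] === true;
}

// Run only the loaders whose category has been consented to.
// Returns the categories actually loaded so the caller can see what ran.
function applyConsent(state, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (isAllowed(state, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Constructed names of first-party cookies the loaders above would set.
const NON_ESSENTIAL_COOKIES = ['analytics_id', 'ads_id'];

// --- Browser glue; skipped under Node so the pure functions above stay testable ---
function saveConsent(state) {
  if (typeof localStorage !== 'undefined') localStorage.setItem(CONSENT_KEY, JSON.stringify(state));
  return state;
}

function loadConsent() {
  if (typeof localStorage === 'undefined') return null;
  try { return JSON.parse(localStorage.getItem(CONSENT_KEY)); } catch { return null; }
}

// Expire first-party cookies we set ourselves; third-party cookies can only be
// prevented by not loading the script that sets them.
function expireCookies(names) {
  if (typeof document === 'undefined') return;
  for (const name of names) {
    document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  }
}

// Typical wiring on page load (loader bodies are placeholders for this example).
if (typeof document !== 'undefined') {
  const loaders = {
    analytics: () => { /* inject the analytics <script> tag here */ },
    advertising: () => { /* inject the ad tag here */ },
  };
  applyConsent(loadConsent(), loaders);   // runs nothing until an opt-in has been stored
  // Banner "Accept" button:
  //   saveConsent(recordConsent({ analytics: analyticsBox.checked, advertising: adsBox.checked }));
  //   applyConsent(loadConsent(), loaders);
  // "Withdraw" link:
  //   saveConsent(withdrawConsent()); expireCookies(NON_ESSENTIAL_COOKIES);
}
```

The point of the design is that the default state is "no consent" and the only way to reach an opt-in state is through `recordConsent` with explicit boolean values, so a pre-ticked box or a missing field can never be mistaken for consent; bumping `POLICY_VERSION` when the Cookies Policy changes forces a fresh request rather than silently reusing an old decision.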

TermsFeed: Cookies Consent - How to add Your Solution

Use our free Cookie Consent Solution to create, customize and add a Cookie Consent notice to your website.

  1. Click on the Cookie Consent link at the top of our website. Our Free Cookie Consent Solution will open:

     TermsFeed: Cookies Consent Solution

  2. Choose your consent preference: Implied or Express:

     TermsFeed Cookies Consent: Choose your consent preference - Step 1

  3. Customize your Cookie Consent widget with your website name, banner notice type and color palette:

     TermsFeed Cookies Consent: Customize your consent - Step 2

  4. Copy your Cookie Consent code and add it to your website page code before the closing </body> tag.

     TermsFeed Cookies Consent: Copy your Cookie Consent code - Step 3

  5. Adjust your website's JavaScript to accommodate your users' selections for consent:

     TermsFeed Cookies Consent: Adjust your website's JavaScript to users - Step 4

The GDPR means that "opt-out" methods of acquiring consent are no longer valid. Consent must be given by a clear, affirmative action.

Some companies have interpreted this as meaning that an unchecked checkbox will always be required to validate consent. Here's an example from snack food start-up Well & Truly:

Well and Truly newsletter sign-up form

In fact, clicking "subscribe now" would most likely be enough to satisfy the GDPR's consent requirements. There's no real need to ask the user to also check a box. But there's no harm in it, either.

It's important that consent is specific. So, if you're asking for personal data for one purpose, ensure that you ask specifically for consent if you want to use it for another.

Here's an example from parcel-tracking start-up HubBox. Here's part of its account creation process:

HubBox: Create account form with consent checkbox for marketing emails highlighted

Not everyone who creates an account will want to receive marketing emails. So it's good that HubBox has provided a clear opt-in for this.

If your company provides a mobile app, it's important to be aware that there are strict requirements around how that app collects data from a user's device.

These requirements arise both from privacy law and from third parties such as Apple and Google.

Apple is particularly vigilant when it comes to regulating how apps request "permissions". When a developer wishes their app to access user data, Apple requires them to request the user's permission, and also state the purpose for which they are making the request.

Here's an excerpt from Apple's guidance on Accessing Protected Resources:

Apple: Accessing Protected Resources - Provide a Purpose String section

Android developers must also carefully consider how their app collects user data and requests permissions. Android developers whose app has EU users are required to comply with Google's EU User Consent Policy. Here's an excerpt from the agreement:

Google EU User Consent Policy: Properties under your control clause

For more information about consent and mobile apps, take a look at our articles on GDPR and Mobile Apps and Android Collection of Data and Sensitive Data.

Keeping Your Customers' Personal Data Safe

Your business has an obligation to collect personal data only when necessary, and to keep personal data secure.

If you're still building your product or setting up your processes, you're at an advantage here. You don't need to retrofit your systems with legally compliant security features. You can build data protection into your systems by design and by default.

Limiting the Personal Data You Collect

One of the easiest ways to avoid a data breach is to hold as little personal data as possible. This means only asking for the personal data that you need in connection with a specific purpose.

For example, do you really need anything other than a person's email address in order to sign them up to your mailing list? Educational tech startup Curiscope keeps this process as simple as possible:

Curiscope subscribe to mailing list form

You can read more about "data minimization" in our article on the 6 Privacy Principles of the GDPR.

Regularly Deleting Unnecessary Personal Data

Another simple and effective way to avoid a security incident is not to have personal data hanging around in storage for any longer than necessary.

It's important to have a system for regularly reviewing the different types of personal data you keep on file.

You can schedule regular deletion of certain types of personal data. You might decide that you do not need to keep customer invoices for longer than, say, six years.

For other types of personal data, you can set a specific period after which the data will be deleted following a "trigger" event. For example, the personal data associated with an account is deleted 28 days after the account is closed.

Under the GDPR, you're required to make people aware of how long you store different types of personal data. This can form part of your Privacy Policy, or you can create a separate Retention Schedule.
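The two kinds of retention rule described above, a fixed period measured from when a record was created (invoices kept for six years) and a period that starts at a trigger event (account data deleted 28 days after closure), can be enforced with a small scheduled job. The following is an added example written for this article, not code from any company mentioned here; the policy values, record categories and sample records are constructed for illustration.

```python
"""Added example: a retention-schedule checker for two kinds of rule.
Policy values, categories and sample records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    category: str           # kind of personal data the rule covers
    keep_for: timedelta     # how long the data is kept
    trigger: Optional[str]  # None: clock starts at creation; else name of the trigger event


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    events: Dict[str, date]  # event name -> date it happened (constructed)


# Constructed policy: six years for invoices, 28 days after closure for accounts.
POLICY: Dict[str, RetentionRule] = {
    "invoice": RetentionRule("invoice", timedelta(days=6 * 365), None),
    "account": RetentionRule("account", timedelta(days=28), "closed"),
}

# Constructed sample records; "today" is fixed so the run is reproducible.
TODAY = date(2020, 3, 1)
SAMPLE_RECORDS: List[Record] = [
    Record("inv-2014", "invoice", date(2014, 1, 15), {}),
    Record("inv-2015", "invoice", date(2015, 6, 1), {}),
    Record("acct-closed-jan", "account", date(2018, 5, 2), {"closed": date(2020, 1, 20)}),
    Record("acct-closed-feb", "account", date(2019, 9, 9), {"closed": date(2020, 2, 10)}),
    Record("acct-open", "account", date(2019, 11, 30), {}),
    Record("lead-1", "marketing_lead", date(2016, 3, 3), {}),  # no rule defined
]


def deletion_date(record: Record, rule: RetentionRule) -> Optional[date]:
    """Date on which the record becomes deletable, or None if the retention
    clock has not started (the trigger event has not happened yet)."""
    if rule.trigger is None:
        start = record.created
    else:
        start = record.events.get(rule.trigger)
        if start is None:
            return None  # e.g. the account is still open: keep the data
    return start + rule.keep_for


def records_to_delete(records: List[Record], policy: Dict[str, RetentionRule],
                      today: date) -> Tuple[List[str], List[str]]:
    """Return (ids whose retention period has expired as of `today`,
    ids whose category has no rule). Reporting the second list keeps
    unclassified data from being retained indefinitely by accident."""
    expired, unclassified = [], []
    for rec in records:
        rule = policy.get(rec.category)
        if rule is None:
            unclassified.append(rec.record_id)
            continue
        due = deletion_date(rec, rule)
        if due is not None and due <= today:
            expired.append(rec.record_id)
    return expired, unclassified


if __name__ == "__main__":
    expired, unclassified = records_to_delete(SAMPLE_RECORDS, POLICY, TODAY)
    print("delete now:", expired)
    print("no retention rule (needs a decision):", unclassified)
```

Because the job reports records with no matching rule instead of ignoring them, every new category of personal data you start collecting forces a conscious retention decision, which is also what you need in order to state retention periods in your Privacy Policy or Retention Schedule.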

Protecting Against Hackers

Cybersecurity becomes more crucial with each passing year. Practically every business needs to consider the steps they can take to keep personal data secure. And this is particularly important for innovative tech startups.

Let's take the example of Israeli startup Pixoneye, launched in late 2016. Pixoneye's product is an app that collects personal data from the photo gallery on a person's mobile phone. This can be used to infer information about their preferences, behavior, and intentions. The company then shares metadata gathered via this process with advertisers.

This activity is potentially very risky and intrusive. So Pixoneye is required to take some extraordinary steps to keep personal data safe. One way in which it does so is to keep data processing local to the user's device as far as possible.

Pixoneye Data Privacy Policy: On-device analysis security clause

This is just one example of the sort of methods that might be used to secure your customers' personal data.

Of course, the context of your start-up might be very different from that of Pixoneye. You can still implement security methods such as:

  • Using methods such as pseudonymization and anonymization wherever possible
  • Employing TLS/SSL protocols during data transfers
  • Encrypting company devices and hard drives
  • Implementing strict access controls and regularly reviewing permissions
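The first bullet, pseudonymization, is easy to get subtly wrong: replacing an email address with a plain hash of it is not much protection, because anyone holding a list of candidate addresses can recompute the same hashes and match them. The added example below (written for this article, not taken from any company it mentions) uses a keyed HMAC instead, so the same address always maps to the same pseudonym (records stay linkable for analytics) while the mapping cannot be reproduced without the secret key, which is kept separately from the pseudonymized data set. The key and the sample records are constructed for illustration.

```python
"""Added example: keyed pseudonymization of identifiers with HMAC-SHA256.
The demo key and sample records are constructed; a real key would be
generated with rotate_key() and stored apart from the data."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed demo key so the example runs offline. Never reuse a literal key.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample data.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "Alice@Example.com ", "plan": "pro", "country": "DE"},
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
    {"email": None, "plan": "free", "country": "IE"},  # missing identifier is left as-is
]


def rotate_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key."""
    return secrets.token_bytes(32)


def normalize_email(email: str) -> str:
    """Trim and lower-case so trivially different spellings of one address
    get the same pseudonym (linkability is the point of pseudonymization)."""
    return email.strip().lower()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Hex pseudonym of `identifier` under `key`. Without the key the value
    cannot be recomputed from a guessed identifier, unlike a plain hash."""
    data = normalize_email(identifier).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a plain hash anyone can recompute from a candidate list."""
    return hashlib.sha256(normalize_email(identifier).encode("utf-8")).hexdigest()


def pseudonymize_records(records: Iterable[Dict[str, object]], key: bytes,
                         fields: Iterable[str] = ("email",)) -> List[Dict[str, object]]:
    """Return copies of the records with the listed identifier fields replaced
    by keyed pseudonyms; other fields are untouched."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            value = new.get(field)
            if isinstance(value, str):
                new[field] = pseudonymize(value, key)
        out.append(new)
    return out


if __name__ == "__main__":
    for row in pseudonymize_records(SAMPLE_RECORDS, DEMO_KEY):
        print(row)
```

Note that pseudonymized data is still personal data under the GDPR as long as the key (or any other means of re-identification) exists; it lowers the impact of a breach of the data set but does not take the data out of scope of the law. Only irreversible anonymization does that.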

We have an article all about Protecting Personal Data in Your Business if you'd like to read more about this.

Assessing Risk

If your start-up involves innovative or untested technology that might present some threat to the security of people's personal data, it's important that you fully assess and mitigate the risks.

In the EU, this is known as a Data Protection Impact Assessment, and it can be done in conjunction with a Data Protection Authority. It's a legal requirement to conduct such an assessment under certain conditions.

Even if you're not legally required to run a risk assessment, it's advisable to do so if your business model has significant privacy implications.

We have an article about how to carry out a Data Protection Impact Assessment if you'd like to know more on this topic.

Conclusion

Complying with privacy law might be pretty far down your list of priorities if you're trying to get your new start-up off the ground. But taking steps towards compliance from the very start will save you a lot of work and hassle in the long run.

  • Determine which privacy laws you'll need to comply with
  • Figure out how personal data flows in and out of your company
  • Determine your lawful basis for processing personal data (if you operate in the EU)
  • Create a Privacy Policy and make sure it's accessible
  • Consider how you can facilitate your users' rights over their personal data
  • Earn your users' consent whenever necessary or appropriate
  • Implement technical security measures to ensure you're transferring and storing personal data safely

This is just the start of your journey towards legal compliance. You'll also need to consider creating some of the following agreements:

Remember that it's important to tackle these issues as early as possible.
