GDPR 101: What Startups Need to Know About GDPR

Table of Contents

I. Takeaways and Summary 
II. Introduction to GDPR for Startups: Understanding the Fundamentals
III. Who is Who: Defining Roles Under GDPR
IV. Adopt these Data Processing Principles
V. Your Startup Needs a Lawful Basis in Order to Process Personal Data
VI. Rights of the Data Subject
VII. What is the Relationship Between the Controller and the Processor?
VIII. Fines and Penalties Under GDPR
IX. Startup Checklist and Steps for GDPR Compliance
X. GDPR FAQ
XI. GDPR Compliance Tips for Startups

I. TAKEAWAYS AND SUMMARY

The General Data Protection Regulation (GDPR) is an EU regulation that primarily provides data protection for individuals. It applies to “controllers” and “processors”. Startups, companies, tech groups, etc. handle personal data all of the time. Depending on what the startup is doing, it will be classified as either a controller or a processor. A controller is one that determines the purposes and means of processing personal data, while a processor processes personal data. Both a controller and a processor must accomplish their tasks safely and lawfully according to GDPR. If these rules aren’t followed, massive penalties will be brought down on violators. GDPR also gives special rights to individuals whose data is being handled.

Key Point 1: Complying with GDPR: GDPR applies to EU based organizations OR non-EU based organizations that target, offer goods, etc. to EU based individuals. Figure out your startup’s role under GDPR when it comes to dealing with personal data: it’ll be either a controller or a processor. Make sure the collection of data, storage, processing of data, etc. is done properly. Allow individuals whose data you are using to exercise their rights.

Key Point 2. A controller decides the purposes and means of data processing: A startup/company is acting as a data controller under GDPR when it decides the purposes and means of how personal data is processed. The controller is the primarily responsible party when it comes to handling and processing data. GDPR places obligations on the controller to make sure that contracts with processors are in order. The controller shall only use data processors that are able to process data safely. GDPR gives certain principles to abide by when dealing with an individual’s data.

Key Point 3. A processor processes the data and must have a legally valid basis for doing so: A startup/company is acting as the data processor when it processes personal data, and it must do so legally in accordance with GDPR. There must be a contract between the controller and the processor to govern this process. The meaning of “process” is extremely broad under GDPR and includes actions like manipulating, using, and handling data. A valid underlying basis for processing is required in order to process data, such as consent from the individual.

Key Point 4. Appointments to oversee the process: Certain parties, such as a data protection officer, are designated to assist in making sure things are done by the book, that proper procedures are being followed, etc.

Key Point 5. Individuals have rights over their data: The data subject, i.e. the EU individual whose data it is, has special rights with respect to their data, such as the right to erasure of data and the right to be forgotten.

Key Point 6. Parties must take care to deal with breaches: If there is a data breach or other problem, then the issue must be addressed in a prompt manner, as required by GDPR.

Key Point 7. You better abide by the rules: Failure to abide by GDPR and its privacy concerns can result in massive penalties to the responsible party (not just a slap on the wrist).

Use the checklist in this article to help you approach GDPR systematically. Use the FAQ in this article to help fill in gaps in knowledge.

II. INTRODUCTION TO GDPR FOR STARTUPS: UNDERSTANDING THE FUNDAMENTALS

Data privacy is all the rage these days. Lots of asshole companies are selling your data for big bucks. Essentially, companies give you services that you pay for not with money but with data. Or they sell your data to create another revenue stream. There are lots of other issues.

A. Problems with data and data handling currently

You can easily tell that there are a few problems with companies utilizing data as a currency and selling your data:

a. data is a bizarre version of currency that doesn’t have the long historical precedent that liquid money has had for many thousands of years;

b. data is heavily tied to an individual and gives rise to privacy concerns;

c. the transaction involving data is not consensual as the lay person does not understand what is being transacted; and

d. data privacy and handling issues are not properly regulated, just yet.

I’m sure you can think of more issues.

B. GDPR’s objectives

GDPR attempts to resolve some of these issues and is point blank attempting to achieve these things:

a. protect people by making rules regarding the collecting, processing, and movement of people’s personal data; and

b. protect and establish rights and freedoms of people, particularly as it relates to their right to the protection of their personal data.

C. GDPR is applicable in two circumstances

So it’s clear that there are data privacy issues and that GDPR exists to deal with these concerns. When does GDPR apply to startups? GDPR applies in two situations:

a. the startup is located in the EU; or

b. the startup is not in the EU but is offering goods or services, targeting, etc. those in the EU.

If one of the above is true, then GDPR will be applicable to the situation and must be followed. Who needs to follow it exactly? Essentially, GDPR lays it out for three primary parties: the people or startup deciding what to do with personal data (i.e. the controller), the person whose data it is (i.e. the data subject), and the people (startup) who are manipulating the data (i.e. the processor). It restricts and governs the roles and rights of each of these parties.

D. GDPR applies to protection of personal data

Thus far I have explained that GDPR applies to data protection and privacy issues concerning EU individuals, or startups in the EU. But to what type of data exactly does it apply? GDPR is concerned with the protection of personal data. Personal data is defined as information that relates to an identified or identifiable individual.

You should interpret this broadly and err on the side of caution. GDPR is really concerned about individual privacy. GDPR does not apply to information that is truly anonymous.

In this article, I’m going to define some of the parties, go over various roles, objectives, responsibilities, rights, and other matters. Then I’ll give a checklist of things to do in order for the startup to comply with GDPR and finally I’ll finish off with a FAQ.

As a side note, GDPR also explains what kinds of items the EU member states are to regulate. Essentially authorities of different governmental bodies get to enforce GDPR. Don’t worry too much about this.

III. WHO IS WHO: DEFINING ROLES UNDER GDPR

All right—so now I want to go over who is doing what with data and explain how their function is impacted or regulated under GDPR. Essentially your startup does some stuff with data. What does that mean exactly for GDPR purposes? The answer is that you need to figure out what kind of role you’re playing according to GDPR and then go from there. That will tell you what you can and can’t do with data and privacy and all of that. According to GDPR, depending on what you’re doing with people’s data, your startup will be classified as having a certain role. The startup has a role as either a controller or a processor. I explain what that means below. While I’m at it, I’ll explain what the data protection officer is as well. And if your startup isn’t doing anything with anyone’s data—what role do you have then? None really, and in that case you don’t need to worry about GDPR. Note: a more robust checklist of objectives for the different parties is further down in this article.

A. Controller

Definition: this is the startup/company/group that determines the purposes and means for how personal data is processed (the how and why). Think of the controller as the main decision-maker. If your startup is deciding these kinds of issues when it comes to data, then your startup is a controller under GDPR. If you’re unsure who is the controller and who is the processor, think about who is the one calling the macro shots as far as why this data needs to be processed—that one will be the controller.

Practical Objectives of the Controller:

If your startup is a controller then you’ll have certain principles and objectives to deal with. Here they are.

1. Put in appropriate technical and organizational measures to protect data and to make sure processing is performed properly

GDPR looks to make sure that companies that are behaving as controllers have safeguards when it comes to personal data. The controller needs to ensure the privacy of data (e.g. data is not made available to an indefinite number of people). GDPR repeatedly makes it clear that you need to adopt proper organizational measures to protect data. Your startup needs to make sure that it has proper data protection best practices procedures in place.

2. Be the main decision-maker

While a lot of the technical data handling and such will be done by the processor, the controller is the one that’s pulling the strings and is the main decision-maker. The controller is deciding the “purpose” and “means” of processing.

3. Shoulder responsibility

Just because you may not be doing a lot of the technical processing work does not mean you’re scot-free from GDPR. Controllers have the highest level of compliance responsibility. GDPR also puts the responsibility of compliance on the part of your processors on you. You must use and contract with processors that provide sufficient guarantees to implement appropriate technical and organizational measures.

When it comes to data protection and safe practices, it is ultimately the controller that bears most of the responsibility.

B. Processor

Definition: this is the company that is doing stuff with the data. It’s analyzing it, it’s breaking it down, it’s providing cloud services around it, etc. As I’ve mentioned—processing is very broad in GDPR. It includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, dissemination, and other operations performed on data. If your startup is doing those kinds of activities, then it is a processor.

Practical Objectives of the Processor:

If your startup is a processor then you’ll have certain principles and objectives to deal with. Here they are.

1. Process personal data only when there is a proper contract in place

The processor shall engage with a controller to set out subject matter and duration of processing, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. This is governed by contract between the controller and processor.

2. Have a proper basis for processing data

Make sure there is a proper basis for processing data. If you’re going to process personal data you have to have a lawful underlying reason for processing. There are only a handful of types of basis that are valid. You can’t just start processing data for whatever reason you want. More on this below.

3. Refrain from engaging with other processors or sub-processors without prior specific or general written authorization of the controller

When data processing obligations are transferred to a different processor, note that if the other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

4. Implement organizational and technical measures

As a processor you have responsibility to use proper data protection practices.

These organizational and technical measures include:

  • pseudonymisation and encryption of personal data

  • ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • ability to restore availability and access to personal data in a timely manner in the event of an incident

  • a process for regularly testing and evaluating the effectiveness of the measures

5. Be careful about high risk

Take special precautions if processing uses particularly new technologies and poses a high risk to individuals. In such a scenario, the controller must consult the data protection officer, carry out a data protection impact assessment, and consult the supervisory authority.

6. Take certain actions when there’s a problem

As a processor you have a responsibility to let the appropriate parties know if there has been a data breach or other problem. You must notify data controllers without undue delay when the processor learns of a data breach.

C. Data subject

Definition: an identified or identifiable EU natural person whose data is being collected/processed. The data subject is not the startup. But it’s the person whose data the startup is doing stuff with.

Practical Objectives of the Data Subject:

The natural person whose data is being subjected to all these rules does not necessarily have an objective, so to speak. Rather, this person has a number of rights as far as what happens/can happen with their data, and has a number of remedies available to them.

GDPR aims to protect the handling of a data subject’s personal data. What is personal data? Personal data is any information relating to a person. This includes name, location data, social media usernames and information, biometric data, government ID numbers, and a whole host of other information. GDPR also highlights what it calls special categories of personal data, which include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, etc. The processing of these types of data receives increased scrutiny.

D. Data Protection Officer (DPO)

Definition: I mentioned that I would explain what the DPO is. The DPO is an expert person that the controller/processor designates to oversee activities and make sure that the rules are abided by.

Practical Objectives of the Data Protection Officer:

1. Be designated by controller/processor as appropriate

2. Advise controller/processor of their GDPR obligations

3. Act as the contact point and cooperate with the Supervisory Authority (basically an independent public authority set up by an EU member state).

4. Have expert knowledge of data protection law and practices

5. Be able to advise independently despite being designated by an affiliated party

IV. ADOPT THESE DATA PROCESSING PRINCIPLES

GDPR stresses a number of principles when it comes to data processing. These are not necessarily strict rules per se but ideas that you need to adopt. A lot of people think that a regulation just lays it flat out that you must do X, Y, and Z. Yes, GDPR does do this, but it also gives general principles that you need to follow. In this section I go over those principles. How do you translate these principles into practical ideas? You adopt the principles into your technical systems, practices, and policies.

The controller is responsible and shall be able to demonstrate compliance with the following principles:

A. Lawfulness, fairness, and transparency: data is to be processed lawfully, fairly, and in a transparent manner in relation to the data subject; i.e. be transparent about what you’re doing.

B. Purpose limitation: personal data is collected only for specific, explicit, and legitimate purposes; i.e. it can only be collected for a specific purpose.

C. Minimized: data collected should be limited to only what is necessary in relation to the purposes for which they are processed.

D. Accurate: reasonable steps must be taken to ensure that data that is inaccurate is erased or rectified without delay.

E. Storage limitation: data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

F. Integrity and confidentiality: data should be processed in a manner that ensures appropriate security.

G. Processing special categories of personal data: processing is prohibited if it reveals certain sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, etc., for the purpose of uniquely identifying a natural person or similar. If processing personal data relating to criminal convictions and such, then it must be done under the control of an official authority or another type of proper safeguard.

V. YOUR STARTUP NEEDS A LAWFUL BASIS IN ORDER TO PROCESS PERSONAL DATA

I mentioned that when it comes to data handling there is the controller and the processor. The controller is deciding the purposes and means of data processing. On what basis can data be processed and handled? That issue is covered in this section.

Let’s say your startup gets its hands on some data in the course of business. You can’t just start processing and doing stuff with it. GDPR does not work that way and does not allow you to do that. You have to have a lawful REASON for processing it. And remember—processing is very broad and it includes a ton of stuff.

So there has to be a valid lawful basis in order to process personal data. There are only a few bases available for processing. For some of the items, “processing is necessary” for a specific purpose. What does this mean? It means that if you can meet your purpose without processing the personal data, then you can’t use that particular basis as a lawful basis.

Figure out your lawful basis before you start processing and write it down. More on steps in a checklist down below. But for now just understand the concepts.

Here are the allowable bases in order to process personal data:

A. There is consent

Consent is a major basis for processing. When processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing. In order for consent to be valid the following must be true:

1. consent is clearly distinguishable from other matters
2. consent is in an intelligible and easily accessible form, using clear and plain language
3. the data subject has the right to withdraw his or her consent at any time
4. withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal
5. prior to giving consent, the data subject shall be informed thereof
6. it shall be as easy to withdraw consent as it is to give it
7. if the data subject is a minor, then the controller needs to make reasonable effort to verify that consent is given or authorized by the holder of parental responsibility over the child.

B. Necessary for performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

This can be a lawful basis for processing if processing an individual’s personal data is for the delivery of a contractual service to them or because they requested the action prior to entering into the contract.

C. Processing is necessary for compliance with a legal obligation to which the controller is subject

You can use this basis when processing is necessary to comply with the law or statutory reason.

D. Processing is necessary in order to protect the vital interests of the data subject or of another natural person

e.g. processing is necessary to protect someone’s life

E. Processing is necessary for public interest reasons or in exercise of official authority vested in the controller

F. Processing is necessary for the purposes of legitimate interests pursued by controller or third party, except where interests of fundamental rights and freedoms of data subject outweigh those interests

VI. RIGHTS OF THE DATA SUBJECT

I mentioned that the data subject has certain rights under GDPR.

The controller shall facilitate the exercise of data subject rights as below. The information shall be provided without undue delay and in any event within one month of receipt (3 months if excessively complicated) of the request.

Reasonable requests shall be provided free of charge. If requests are excessive, then the controller can charge a reasonable fee.

Note: this is an important point a lot of people miss—some of these rights will be unavailable to the individual based on the lawful basis for processing. So for example, if the processing is on the basis of legal obligation then the individual’s right to erasure may not be available to the individual. You can understand that—if a court order requires a certain processing of data, the individual can’t just demand to have that data erased.

A. Right to be informed: individuals have the right to be informed about collection, use, and what’s going on with their personal data

B. Right of access: the data subject has the right to know whether or not personal data concerning him/her is being processed, and the purposes of processing, the categories of personal data concerned, and the recipients to whom the personal data has been disclosed

C. Right to rectification: data subject has the right for the rectification of inaccurate personal data concerning him or her

D. Right to erasure (right to be forgotten): right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data where one of the following grounds applies: personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or where consent is withdrawn

E. Right to restriction of processing: data subject has ability to restrict processing in certain circumstances such as when the accuracy of the data is contested or the processing is unlawful

F. Right to data portability: data subject has the right to receive the personal data concerning him/her which they have provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller

G. Right to object: the data subject shall have the right to object to processing of personal data, particularly when it concerns direct marketing purposes. This right shall be explicitly brought to the attention of the data subject.

H. Rights regarding automated individual decision-making: the data subject shall have the right not to be subject to a decision based solely on automated processing unless consented to by the data subject or necessary for a contract between data subject and data controller.

I. Right to lodge a complaint: every data subject shall have the right to lodge a complaint with a supervisory authority

J. Right to effective judicial remedy against a supervisory authority: each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

K. Right to an effective judicial remedy against a controller or processor: each data subject shall have the right to an effective judicial remedy where his or her rights have been infringed as a result of the improper processing of data.

L. Right to compensation: any person who has suffered material or non-material damage as a result of infringement of GDPR has the right to receive compensation from the controller or processor.

VII. WHAT IS THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE PROCESSOR?

A lot of what I have discussed so far should give you the clue that there is a relationship between a controller and a processor and that various responsibilities need to be clarified. The legally binding document that addresses these concerns between the controller and the processor is the Data Processing Agreement (DPA). So make sure you have this. Note that some parties, in rare occasions, do not call this a DPA and they may call it something else. Regardless, the main point is this: there needs to be a written contract between the controller and the processor that defines the terms of processing and other matters.

The DPA (or similar) needs to have the following:

- set out the subject matter of the processing

- duration of the processing

- the nature and purpose of the processing

- the type of personal data

- categories of data subjects

- the obligations and rights of the controller

- processes data only on instructions from controller

- ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

- implementation of technical and organizational safeguards

- only engage with other processors as per authorization from controller

- assist controller in ensuring compliance

- delete or return all personal data at choice of controller

- makes available to the controller all information necessary to demonstrate compliance

VIII. FINES AND PENALTIES UNDER GDPR

Up above I detailed how to comply with GDPR rules and regulation. You need to figure out your role under GDPR as either a controller or a processor. You need to adopt proper data processing principles, have a proper basis for processing, enable data subjects to exercise their rights, and define the relationship between the controller and the processor.

Now I’m going to explain what happens if you don’t do those things—the answer to the “What ifs?” or “What if I don’t comply with GDPR?”

The following actions will be taken, most likely in order:

1. Disciplinary action or warning from the supervisory authority

While you may have heard that penalties under GDPR are huge, it’s not like they slap that on you on day 1. If you violate GDPR (and assuming it’s not a huge violation), you may get off with some type of disciplinary warning from the supervisory authority. If they’ve warned you and you still keep violating GDPR, then you’re more likely to be fined.

2. Fines and penalties under GDPR

If you violate GDPR you may be fined the greater of up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year.

This, in other words, is a ton of money. Fortunately for many companies this has not happened as of yet. However recent trends as of July 2019 show that regulators are stepping up their penalty game.

You can see a list of fines and notices here.

3. Lawsuits brought under GDPR

As I’ve mentioned before, lawsuits can severely damage your startup.

GDPR in Chapter 8: Remedies, Liability and Penalties states that any person who has suffered material or non-material damage as a result of an infringement of the regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Thus, plaintiffs have a legal theory upon which to pursue damages.

IX. STARTUP CHECKLIST AND STEPS FOR GDPR COMPLIANCE

Here is the checklist to follow for complying with GDPR.

___ 1. Figure out if GDPR is applicable to you

If you are located in the EU (either as a controller, processor, or data subject) then GDPR is applicable to you.

If you are located outside of EU but collect or process personal data of individuals inside the EU, then GDPR applies.

If you are not in the EU and the data subject is not in the EU, then don’t worry about GDPR.

[Article 3]

___ 2. Decide if you are a controller, processor, or data subject under GDPR

Controller: You are a controller if you decide the why and how the data is processed

Processor: You are a processor if you process data (remember that this is broad)

Data subject: You are a data subject if you are a natural person in the EU whose information is being collected or processed

There are only a few real roles within GDPR. You will likely find yourself to be the controller, processor, or the data subject. Keep in mind that you may be both a controller and a processor or be a joint-controller with another party.

[Article 4]


___ 3. If you are the controller do the following:

___ 3a. Implement appropriate technical and organizational safeguards

One of the points that GDPR stresses is that parties need to take responsibility and make sure that they take proper measures to protect systems and data. In order to implement appropriate technical and organizational safeguards, do the following and if the data is of a high-risk nature, make your safeguards even more robust.

___ create internal company documents and practices that govern policies regarding data and data privacy and protection

___ educate employees and workers

___ institute proper cybersecurity protocols

___ draft a privacy policy

One of the most important items to include is the purpose of the processing as well as the lawful basis for which the data will be processed.

Additionally, include the information from Article 13 of GDPR if the personal data is collected from the data subject. Or include the information from Article 14 if personal data is not obtained from the data subject.

___ have a data breach plan

___ track thoroughly your own handling of data; keep records

___ have terms of service agreements drafted

___ perform data breach risk assessments

___ look at best practices within your industry; make sure appropriate certifications are in place; use guidelines provided by data privacy organizations.

___ have more robust safeguards if there is a large risk to the rights and freedoms of natural persons including physical, material or non-material damage/where processing may give rise to discrimination, identity theft, fraud, financial loss, etc.

___ implement appropriate data protection policies within your startup and use appropriate safeguards like pseudonymisation

[Article 24]

___ 3b. Have a plan in place to facilitate the exercise of rights of data subjects

These are the rights that I mentioned above. The best way to do this is have a system in place that will allow individuals to do what they need to do. Do this BEFORE you start handling data. Document how you will allow these rights to be exercised and allow it from a technical perspective.

The rights again are: right of access, right of rectification, right to erasure, right to restriction of processing, right to receive notification, right to data portability, various rights regarding automated individual decision-making, right to object, right to lodge a complaint, rights regarding judicial remedies, and right to compensation.

[Article 12]

___ 3c. Designate a data protection officer (DPO) in writing

Someone in your company can be designated as the DPO. As mentioned, this person is designated to help make sure the rules are abided by. GDPR gives protections to make sure that this person isn’t compromised in terms of conflicts of interest. The DPO needs to have expert knowledge of data protection law. The DPO’s contact details need to be in the Data Processing Agreement. Additionally, make sure that the DPO has proper resources to carry out its tasks (i.e. don’t hide the ball with your DPO). The DPO should be allowed to operate relatively independently when it comes to items that the DPO feels need to be implemented for safeguarding data.

[Article 37]

___ 3d. Do a Data Protection Impact Assessment (DPIA) if the type of processing is likely to result in a high risk to the rights and freedoms of natural persons

One of the areas of concern that GDPR attempts to address is the safeguarding or processing of data that may be of high risk to people. In order to figure out what kinds of safeguards need to be implemented, a Data Protection Impact Assessment (DPIA) should be performed.

Here’s how that’s done. Under GDPR the DPO shall advise on the DPIA, and the DPIA itself is a study of the risks involved. The DPIA must contain:

- systematic description of processing operations and purposes including interest pursued by the controller

- an assessment of necessity and proportionality of the operations in relation to the purposes

- an assessment of the risks to the rights and freedoms of data subjects

- the measures proposed to address the risks, including safeguards, security measures, and mechanisms to ensure protection of data and demonstrate compliance.

If the DPIA indicates that there is high risk, then the Supervisory Authority will need to be consulted.

[Article 35]

___ 3e. Have a plan in writing with the processor. Sign a Data Processing Agreement (DPA)

Essentially you need to make sure that parties you work with are compliant. Make sure you have the following:

- the subject matter of the processing

- duration of the processing

- the nature and purpose of the processing

- the type of personal data

- categories of data subjects

- the obligations and rights of the controller

- the processor processes data only on instructions from the controller

- the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

- the processor implements technical and organizational safeguards

- the processor only engages other processors as per authorization from the controller

- the processor assists the controller in ensuring compliance

- the processor deletes or returns all personal data at the choice of the controller

- the processor makes available to the controller all information necessary to demonstrate compliance

[Article 28]

___ 3f. When collecting data, at the time obtained, provide data subject with the following information

___ contact information

___ contact details of the DPO

___ purposes, legitimate interests, and legal basis for processing

___ recipients or categories of recipients of the personal data

___ if applicable, the fact that the controller intends to transfer personal data

___ period for which the personal data will be stored, or if not possible, the criteria used to determine that period

___ existence of the rights of the data subject such as right of erasure

___ rights regarding consent and withdrawal of consent when processing is based on consent

___ explain the right to lodge a complaint with a supervisory authority

[Article 13]

___ 3g. Ask for consent when collecting data

___ Be able to demonstrate that data subject has consented to the processing of his or her personal data

The way you do this is by getting consent in writing and keeping a paper trail.

___ Have the consent distinguishable from other matters in an intelligible and easily accessible form using clear and plain language

___ Make sure consent is freely given

Consent is not freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

___ Consent must be given for one or more specific purposes under Article 9(2)

Be articulate when you explain the purpose for which the consent is needed.

___ Allow data subject to withdraw his or her consent at any time.

Prior to giving consent, the data subject shall be informed thereof. It should be as easy to withdraw consent as it is to give it. Make it easy for the data subject. Don’t play any games.

[Article 7]

___ 3h. Record data processing activities

You need to do this if you are employing more than 250 persons or the processing is high risk to data subjects (even if you have fewer employees it is still good practice to do this).

Maintain a record of the following information:

- name and contact details of the controller and DPO

- purposes of processing

- description of categories of data subjects and categories of personal data

- categories of recipients to whom data will be disclosed

- any transfers to a third country or organization

- the envisaged time limits for erasure of the different categories of data

- a general description of the technical and organizational security measures

[Article 30]

___ 4. If you are the processor do the following:

___ 4a. Implement appropriate technical and organizational safeguards

___ create internal company documents and practices that govern policies regarding data and data privacy and protection

___ educate employees and workers

___ institute proper cybersecurity protocols

___ have a data breach plan

___ track thoroughly your own handling of data. Keep records.

___ perform data breach risk assessments

___ look at best practices within your industry, make sure appropriate certifications are in place, use guidelines provided by organizations.

___ have more robust safeguards if there is a large risk to the rights and freedoms of natural persons including physical, material or non-material damage/where processing may give rise to discrimination, identity theft, fraud, financial loss, etc.

___ implement appropriate data protection policies within your startup and use appropriate safeguards like pseudonymisation

[Article 28]

___ 4b. Have an agreement with the controller (DPA)

Essentially you need to make sure that parties you work with are compliant. Make sure you have the following clauses or account for the following ideas:

- that data is processed only on instructions from the controller

- that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

- implementation of technical and organizational safeguards

- only engaging other processors as per authorization from the controller

- assisting the controller in ensuring compliance

- deleting or returning all personal data at the choice of the controller

- making available to the controller all information necessary to demonstrate compliance

___ 4c. Make sure data can be lawfully processed.

Recall that there must be a lawful basis for processing. Make sure the basis you are using to process data is at least one of the following:

* consent: consent has been given for one or more specific purposes

* contract: processing is necessary for the performance of a contract to which the data subject is a party or will enter into

* legal obligation of controller: processing is necessary for compliance with a legal obligation to which the controller is subject

* protection of vital interests: processing is necessary in order to protect vital interests of the data subject or another natural person

* legitimate interests of controller or third party: it’s necessary for public interest or in the exercise of official authority vested in the controller (subject to the data subject’s fundamental rights)

[Article 6]

___ 4d. Have a lawful basis for processing AND satisfy a condition when processing special categories of data or criminal offense data

Special category data:

Be careful about processing special categories of personal data. Data revealing racial or ethnic origin, political opinions, etc., biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation shall not be processed unless explicit consent is given by the data subject (or another Article 9(2) condition applies).

Have a lawful basis and satisfy one of the conditions for processing listed in Article 9 Paragraph 2: https://gdpr-info.eu/art-9-gdpr/

Criminal offense data:

When processing data relating to criminal convictions etc. make sure you have a lawful basis and either process it under the control of official authority OR meet a specific condition under Article 10 https://gdpr-info.eu/art-10-gdpr/

[Article 9, 10]

___ 4e. Maintain a written record of all processing activities

If you are employing more than 250 persons or the processing is high risk to data subjects (yes, most startups don’t have that many employees, but even if you have fewer employees it is still good practice to do this):

- name and contact details of processors and controllers

- categories of processing carried out on behalf of each controller

- any transfers of data to a third country or international organization

- a general description of the technical and organizational security measures

[Article 30]

___ 4f. Do NOT engage with other processors/sub-processors without authorization from the controller

___ 6. Items to complete if things go wrong

___ 6a. Have the plan already in place to deal with data breaches and other problems

As I’ve said elsewhere, it is important that you have a plan in place ALREADY and BEFORE troubles arise. Decision making gets fuzzy if you’re trying to do this when you’re already in the thick of it.

___ 6b. Notify the supervisory authority

Controller shall without undue delay and where feasible, not later than 72 hours after having become aware of a breach, notify in detail the supervisory authority of the breach. You must do this unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Processor should notify controller without undue delay.

[Article 33]

___ 6c. Notify the data subject

If it’s likely that the breach will result in high risk to the data subject, the controller shall communicate the data breach to the data subject without undue delay. Describe it in clear and plain language. This is not necessary if any of the following conditions are met:

- controller has implemented appropriate technical and organizational protection measures (in particular those that render the data unintelligible such as encryption)

- controller has taken steps to ensure that high risk to data subjects won’t materialize

- it would involve disproportionate effort (in which case a public communication may suffice)

___ 6d. Work with supervisory authority to fix any violations

The authorities have been helpful in this regard: rather than blanket-fining the maximum allowable amount, they will often issue a warning or tell a company that there is an issue. Expect that type of leniency to decrease as time goes on, however.
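The decision steps in 6b and 6c above, worked through in code. This is an added example, not part of the original article: the field names, the three-step risk scale ("unlikely", "risk", "high") and the sample breach are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed data model; the checklist names the conditions, not these field names.
@dataclass
class BreachRecord:
    became_aware_at: datetime          # when the organisation became aware of the breach
    risk_to_subjects: str              # "unlikely", "risk" or "high" (constructed scale)
    role: str = "controller"           # "controller" or "processor"
    data_unintelligible: bool = False  # e.g. affected data was encrypted and the keys stay safe
    risk_contained: bool = False       # later measures ensure the high risk won't materialise
    individual_notice_disproportionate: bool = False


# Article 33: "not later than 72 hours after having become aware"
SA_DEADLINE = timedelta(hours=72)


def supervisory_authority_deadline(record: BreachRecord) -> datetime:
    return record.became_aware_at + SA_DEADLINE


def notification_plan(record: BreachRecord, now: datetime) -> dict:
    """Work through items 6b and 6c of the checklist for one breach record."""
    if record.risk_to_subjects not in ("unlikely", "risk", "high"):
        raise ValueError("risk_to_subjects must be 'unlikely', 'risk' or 'high'")
    plan: dict = {}
    if record.role == "processor":
        # A processor notifies the controller without undue delay; the controller
        # then owns the supervisory-authority and data-subject decisions.
        plan["notify_controller"] = True
        return plan
    # 6b: notify the supervisory authority unless the breach is unlikely to result in a risk
    if record.risk_to_subjects == "unlikely":
        plan["notify_supervisory_authority"] = False
    else:
        deadline = supervisory_authority_deadline(record)
        plan["notify_supervisory_authority"] = True
        plan["supervisory_authority_deadline"] = deadline
        # Past the 72 hours, the notification must explain the reasons for the delay
        plan["explain_delay"] = now > deadline
    # 6c: communicate to data subjects only when the risk is high, subject to the exceptions
    if record.risk_to_subjects != "high":
        plan["notify_data_subjects"] = "not required"
    elif record.data_unintelligible or record.risk_contained:
        plan["notify_data_subjects"] = "not required"
    elif record.individual_notice_disproportionate:
        plan["notify_data_subjects"] = "public communication"
    else:
        plan["notify_data_subjects"] = "individual notice"
    return plan


# Constructed sample: a lost laptop with an unencrypted disk, discovered on a Monday morning
SAMPLE_AWARE_AT = datetime(2019, 7, 8, 9, 30, tzinfo=timezone.utc)
SAMPLE_BREACH = BreachRecord(became_aware_at=SAMPLE_AWARE_AT, risk_to_subjects="high")

if __name__ == "__main__":
    for label, when in [("same day", SAMPLE_AWARE_AT + timedelta(hours=6)),
                        ("four days later", SAMPLE_AWARE_AT + timedelta(days=4))]:
        print(label, notification_plan(SAMPLE_BREACH, now=when))
```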


X. GDPR FAQ

Does GDPR apply to my startup?

If your startup is in the EU OR you’re targeting, soliciting, etc. EU individuals then GDPR applies to your startup.

[Article 3]

Do I have to follow GDPR if I collect data from my spouse/sibling/family member/friend?

Depends on why you’re doing it. This Regulation does not apply to the processing of personal data: 

  1. in the course of an activity which falls outside the scope of Union law;

  2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

  3. by a natural person in the course of a purely personal or household activity;

  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

So if you’re collecting data from a family member for a household activity, GDPR would not apply.

[Article 2]

Does my startup need to abide by GDPR if my company is in Texas and the data processing is happening in Texas? 

Yes; GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

In other words, if your Texas startup is targeting, soliciting, etc. EU individuals then GDPR applies to your startup.

Do I need to appoint a data protection officer (DPO)?

Yes, if the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or if the core activities of the controller or processor consist of large-scale processing of special categories of data such as race, ethnic origin, genetic data, etc. or of personal data relating to criminal convictions and offenses.

Am I a data processor under GDPR?

Processing is very broad under GDPR. It is likely that if you are manipulating personal data and doing something with it that you are a processor. A controller is the one that determines the why and how the personal data is being processed. Under Article 4 processing is:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

Thus, if you are performing operations on the data but you are not the one determining the why and how, you are a data processor.

What do I do under GDPR if there is a data breach?

A. put out notice to the appropriate parties usually within 72 hours; and
B. make sure appropriate technical and organizational protection measures are applied to the data

It is possible that notification is not necessary depending on the situation. Use the checklist above to decide exactly what to do.

[Article 33, Article 34]

Am I a controller under GDPR?

Yes if you are determining the purpose and means of the processing of personal data. Note that it is possible to be both a controller and a processor. There are also situations where there may be joint controllers.

[Article 4]

Am I a data subject under GDPR if I live in the U.S.?

No. The regulation applies to those data subjects that live in the EU.

[Article 3]

Where does the GDPR excel? 

It provides an excellent jumping point for future data privacy regulations. It also does a good job of having stringent penalties—no more simple wrist-slapping on huge data privacy infringers.

What is a privacy shield?

The Privacy Shield serves as a framework/system that ensures an adequate level of protection for transfers of data from the EU to a different territory. I will write a separate article on this later.

Does my startup need to appoint a data protection officer (DPO)?

Here’s how to figure that out. Your startup must appoint a DPO if:

a. your startup’s core activities require large scale, regular, and systematic monitoring of individuals; or

b. your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offenses; or

c. you are a public authority or body; or

d. if you voluntarily wish to appoint a DPO

[Article 37]

Who can be a data protection officer (DPO) under GDPR?

This person can be a staff member of the controller or processor, or can fulfill the tasks on the basis of a service contract. The person needs to be well versed in data protection policies and GDPR.

[Article 37]

Can a minor give consent under GDPR? 

Yes, but only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

[Article 8]

Where does GDPR fail? 

The failures we have yet to see. There’s a model in this industry that you keep breaking things and fixing things as you go along. The problem so far has been that there are a number of startups and companies that are repeatedly violating GDPR and they are simply getting a slap on the wrist. Expect that to change within the next few years as companies get more accustomed to following the regulations and the tolerance of regulators diminishes.

Where can I read more information about GDPR?

Honestly, just read the regulation. It’s well written. Here is where you can find the regulation: https://gdpr-info.eu/. Use this article as a guide and read the relevant sections that you are interested in in more detail.

What happens if my startup does not comply with GDPR?

Okay. So you may have heard that the maximum penalty is a fine of 20 million euros or 4% of the company’s annual global turnover, whichever is higher. This means that it could theoretically be in the billions.

If you don’t comply, the most likely thing that will happen is that you’ll be contacted about the infringement and you will be instructed to fix the issue in order to comply with GDPR. Fines will then be levied on further infractions. In other words, GDPR has a lot of teeth, but regulators have been extremely forgiving in how they go about getting you to comply. Expect that to change.

I didn’t follow GDPR when I started my startup, will I be fined a billion dollars?

No. The trend has been fairly gentle. You may (not even definitely) get a warning. From there, there will be an escalation of fines, and you will be instructed to fix compliance issues. Yes, the maximum penalty under GDPR is 20 million euros or 4% of global turnover. But you will likely not be penalized the maximum amount. The maximum is relatively high compared to other regulations in part to get big players to pay attention to GDPR.

So don’t worry too much. Yes you need to comply with GDPR. But don’t freak out about past issues as long as they are not ongoing.

What is personal data under GDPR?

Technically, personal data means any information relating to an identified or identifiable natural person. You can imagine what that means. It includes items like:

  • names

  • phone numbers

  • driver’s license number

  • email addresses

  • home address

  • social media usernames

  • financial information like credit card numbers, bank account numbers, etc.

  • identification numbers like social security number

  • genetics information

  • biometric data

  • many other forms of information

[Article 4]

Does my startup need to appoint a data protection officer (DPO)?

Not necessarily: it is only required for controllers and processors whose main operations concern regular and systematic monitoring of data subjects on a large scale, or processing activities that concern data relating to criminal convictions and offenses.

If your startup is doing regular processing and the like then yes you should appoint one. It is not difficult. Keep in mind that the DPO can be an “in-house” individual.

What do I do if things went wrong?

Figure out if there has been a breach. A breach under GDPR is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Not all breaches are the same. Not all of them harm the data subject. If however it could result in risk to the data subject then notify the Supervisory Authority without delay and no later than 72 hours from learning of the breach. If you don’t do it within 72 hours then make sure to explain why there is a delay.

If you need step by step instructions, go to the checklist above and follow the directions under what to do if things go wrong.

Can I have a pre-ticked box for consent?

No. Silence, pre-ticked boxes or inactivity do not constitute consent.

[Recital 32]
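An append-only consent ledger that implements the Article 7 checklist items in 3g above and the pre-ticked-box rule in this answer: consent is recorded only for an affirmative act tied to one named purpose, withdrawal has no preconditions, and the evidence can be produced on demand. This is an added example, not code from the article; the class, field names, purposes and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose per event, never a bundle of terms
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime
    notice_version: str   # version of the plain-language consent text that was shown
    how: str              # the affirmative act, e.g. "ticked an unticked box"


class ConsentLedger:
    """Append-only record that lets a controller demonstrate consent (Article 7(1))."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_grant(self, subject_id: str, purpose: str, at: datetime,
                     affirmative: bool, notice_version: str, how: str) -> bool:
        """Record consent only if it was an affirmative act for a named purpose.
        Returns False (and records nothing) for pre-ticked boxes, silence or inactivity."""
        if not affirmative or not purpose.strip():
            return False
        self._events.append(ConsentEvent(subject_id, purpose, True, at, notice_version, how))
        return True

    def record_withdrawal(self, subject_id: str, purpose: str, at: datetime) -> None:
        """Withdrawal has no preconditions: it must be as easy as giving consent."""
        self._events.append(ConsentEvent(subject_id, purpose, False, at, "", "withdrawal"))

    def is_consented(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """The latest event for this subject and purpose at or before `at` decides."""
        latest: Optional[ConsentEvent] = None
        for event in self._events:
            if event.subject_id == subject_id and event.purpose == purpose and event.at <= at:
                if latest is None or event.at >= latest.at:
                    latest = event
        return latest is not None and latest.granted

    def evidence(self, subject_id: str) -> List[ConsentEvent]:
        """The paper trail for one data subject, in the order it was recorded."""
        return [e for e in self._events if e.subject_id == subject_id]


# Constructed timestamps and scenario for demonstration
T_GRANT = datetime(2019, 7, 1, 10, 0, tzinfo=timezone.utc)
T_WITHDRAW = T_GRANT + timedelta(days=30)


def demo_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    # Two separate, specific purposes, each consented to through its own unticked box
    for purpose in ("newsletter", "product analytics"):
        ledger.record_grant("subject-42", purpose, T_GRANT, affirmative=True,
                            notice_version="privacy-notice-v3", how="ticked an unticked box")
    # A month later the subject withdraws the newsletter consent only
    ledger.record_withdrawal("subject-42", "newsletter", T_WITHDRAW)
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    for purpose in ("newsletter", "product analytics"):
        print(purpose, "before withdrawal:", ledger.is_consented("subject-42", purpose, T_GRANT),
              "after:", ledger.is_consented("subject-42", purpose, T_WITHDRAW))
    for event in ledger.evidence("subject-42"):
        print(event)
```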

What are the rights of the data subject?

I’ve highlighted those up above. They are:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure (right to be forgotten)

  • Right to restriction of processing

  • Right to data portability

  • Right to object

  • Rights regarding automated individual decision-making

  • Right to lodge a complaint

  • Right to effective judicial remedy

  • Right to an effective judicial remedy against a controller or processor

  • Right to compensation

The important thing is to not necessarily know all of these off the top of your head but rather to design your platform with those in mind. Another trap that many people miss in understanding GDPR is that these rights are not always available to individuals. The rights that are available are subject to the lawful basis of processing that is used.

[Chapter 3]

Who can be a Data Protection Officer?

This is pretty flexible and can be a staff member of the controller or processor or someone on a contractual basis.

[Article 37]

What are the tasks of the Data Protection Officer?

- Inform and advise the controller and processor of their GDPR obligations

- monitor compliance with GDPR

- cooperate with the supervisory authority

- act as contact point for the supervisory authority

- have due regard to the risk associated with processing operations

[Article 39]

What is a GDPR representative?

Unless the processing is occasional (or there is no large-scale processing of a special category of data), a controller or processor that is outside of the EU should designate an EU-based representative. The representative should act on behalf of the controller or processor and may be addressed by any supervisory authority.

Basically, the EU wants an EU-based contact point if the controller or processor aren’t based in the EU. In some ways it is like having a registered agent in a state for corporate filings.

[Article 27]

What is data processing?

Data processing is extremely broad in GDPR. Think of any technical action performed on the data as amounting to processing. The GDPR in Article 4 describes processing as any operation or set of operations which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, restriction, dissemination or otherwise making available, etc.

Am I the controller or the processor of data under GDPR?

Determining roles: sometimes it is difficult to know who is a controller and who is a processor. Keep in mind that it is possible that there are joint controllers. In such a situation they need to transparently determine their respective responsibilities for compliance. The essence of that arrangement shall be made available to the data subject.

The easiest way to figure out is this:

If you are responsible for deciding why and how the data will be processed you will be considered the controller. If you are processing the data on behalf of a data controller then you are the data processor.

I know. This can get confusing. Keep in mind that there are some situations where you will be considered joint-controllers or even both a controller and a processor. I have even seen situations where in a contract the role flips between controller and processor. If you are a processor typically and you help the controller determine the purpose and the means of processing then you will be considered a joint controller.

What if the contract says my startup is the processor but I think my startup is the controller?

This is a question of what is more “correct”—the substance or the form? It does not matter what is in the contract. If your startup determines the “purposes and means” of processing, your startup is a controller—it doesn’t matter how you are described in the DPA or other contract.

What is the future of GDPR?

In regards to GDPR, I suspect we will see the following:

  • certifications issued by independent groups to allow companies to say that they comply with GDPR.

  • a lot of complaining from some big profile companies about GDPR

  • other jurisdictions will develop laws and regulations that are modeled on GDPR

  • size of fines to increase over time

  • companies will still violate GDPR and hope that they are small enough to not be caught; companies will still hide the ball from individuals and individuals will still not know to what they are exactly consenting. The cat and mouse game will continue (or maybe it’s just started).

Does GDPR apply to companies?

The rules and regulations of GDPR apply to companies in that companies need to follow GDPR. However, if you’re wondering about the protection of a company’s ‘data’, then no, information about companies or public authorities is not personal data. But information about individuals in their roles in a company (such as employees, directors, etc.) may be personal data as it is individually identifiable.

Does GDPR apply to a deceased person?

Information about a person who has died is not personal data; therefore GDPR does not apply to it.

What kinds of fines will there be under GDPR?

Under GDPR violators may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. That is a MASSIVE amount for some companies.

While these numbers can be quite scary, regulators have not yet fined companies that much. The biggest fines have been laid down by Information Commissioner’s Office (ICO), which is a UK body to uphold information rights. Just this July 2019 Marriott was fined 99 million pounds and British Airways was fined 183 million pounds.

[Article 83]

XI. GDPR COMPLIANCE TIPS FOR STARTUPS

1. Re-read the takeaways and summary at the top of the article. Just understand the basics at the least. It’ll put you past 99% of the people out there.

2. Try to limit the amount of data you collect. Use data minimization techniques. Taking in less data forces you to be more exacting about what you’re doing and shows that you have data protection discipline.

3. Really know and understand what the basis for processing is. This is extremely important for GDPR compliance. A lot of talk I hear is how GDPR is just about consent. It’s not. There are other types of basis to explore.

4. Practice good data handling housekeeping. There’s that idea—how you do anything is how you do everything. Set a good tone within your startup.

5. Don’t get tricky with consent issues. I see a lot of companies still mess this up. Don’t get too cute. Consent shouldn’t be a difficult thing.

6. Give users more control over their data. Create a digital section and really empower users to take control over their data.

7. There may be times that you didn’t necessarily have consent for a particular piece of data. See if you can use the contract basis as a basis for processing. You won’t be able to use performance of a contract as a basis when dealing with sensitive personal data that is high risk in nature. For that you will need explicit and clear consent. But for other issues you may be able to rely on performance of a contract.

8. The substance is more important than the form: if the contract says you’re a controller but you’re behaving like a processor, then you’re a processor.

9. Try not to switch basis for processing, particularly mid-stream. The one that is most risky is to switch from consent basis to some other basis. That will get you in trouble. Purposes can change, and you might be able to continue processing under the original basis if there’s compatibility.

10. When processing special category of personal data (sensitive data) make sure to have a lawful basis for processing AND satisfy a condition for processing. See Article 9 Paragraph 2 for list of conditions.

11. Don’t bundle consent requirements with other terms and conditions. Keep it separate.

12. Document, document, document everything you can. It helps show compliance.

Startups and Cybersecurity 101: What Do Startups Need to Know about Cybersecurity Law?

Right now I am seeing more startups getting involved in the cybersecurity space with more and more money being splashed around in this area. The fact of the matter is that all companies, regardless of industry, are getting involved with cybersecurity or need to be concerned about it.

All of this is relatively new—particularly from the legal side.

As more money is being poured into all matters tech-related, the internet, tech information systems, networks, etc. cybersecurity has become more of a growing concern. In this article, I go through the issues that startups need to think about regarding cybersecurity. I’m going to start off with defining cybersecurity, go into some of the rules and regulation regarding such topic, and then end with practical notes as far as what trends I’ve been seeing in the cybersecurity space and tips for startups.

Table of Contents

I. What is cybersecurity law?
II. What cybersecurity laws do startups need to pay attention to?
III. “Does my startup need cybersecurity insurance?”
IV. Cybersecurity for Texas startups
V. What are the latest startup trends in cybersecurity?
VI. Cybersecurity legal tips for startups
VII. Conclusion

I. What is cybersecurity law?

No one has defined cybersecurity law as of yet in a real solid official capacity. You will be hard pressed to find a straight up definition. In the Cybersecurity Act of 2015, the term cybersecurity is not strictly defined. For practical purposes for yourself and in such a circumstance, just go with what’s common knowledge as far as what you think cybersecurity is. Cyber deals with networks, information systems, software/hardware processes, etc. You know what security is. I’m not going to bother explaining what that is.

Don’t worry too much about what cyber and security and cybersecurity law mean. Is it a big deal that there’s not a clear definition? In some ways, yes. In some ways, no. There are other things to worry about for an entrepreneur. Leave it to the lawyers to break down the semantics and technical details of it. 

Regardless, you know essentially what cybersecurity law is. It’s just law that’s concerning these topics that I just mentioned. And if you’re in the information systems space, data networks, etc. then there may be laws governing the security of these systems that you need to abide by and follow. 

Don’t ignore cybersecurity law

Look, the fact of the matter is that you will never achieve 100% security. The law is designed in a way that shows understanding of this. You will not believe some of the (massive) cases where a huge breach was achieved by perpetrators in a manner that could not reasonably be foreseen by a company. Thankfully for companies, the law does not simply impose full liability on the company for a breach.

Security back in the day is different than it is now. Back then if some perpetrators broke in to someone’s office or maybe stole someone’s briefcase, that might very well be all they get—whatever is in that person’s briefcase. 

Now is a different story. Now if someone breaks into an executive’s account, there is potential that they get access to all sorts of confidential information, including all corporate records, depending on how the data is partitioned and secured. Recent examples of big cybersecurity breaches include Sony, Equifax, Target, and Ashley Madison.

What does this mean? It means that the stakes for security are higher than ever and that if you screw up the consequences can make your life miserable.

Cybersecurity law is important because a couple of things can happen: (1) there are some laws and regulations you have to follow and you will be in trouble if you don’t; and (2) there are some standards that have been created, and if you don’t follow them, you’ll face negative, potentially devastating repercussions.

One of the biggest reasons, besides a general moralistic reason, to pay attention to cybersecurity is that a lawsuit can be extremely damaging to your company.

I’ve talked about this before. A lawsuit can totally crush your company.

I will say though that you can definitely bounce back from a large cybersecurity suit. Customers that have been loyal to Sony and Target are still loyal to those companies despite cybersecurity breaches. If they stopped using those companies, it may be for other reasons beyond cybersecurity. In other words, a cybersecurity “event” is not a death sentence in and of itself. But it can be extremely costly, extremely disruptive, and a huge mark on the company’s numbers. 

II. What cybersecurity laws do startups need to pay attention to?

A. Cybersecurity laws and regulation

As I mentioned, the fact of the matter is that cybersecurity is an unsettled area of law—it is yet to be more developed.

In the U.S., there are only a few federal cybersecurity laws and regulations in place. If you believe that there are no federal regulations in place for your particular startup industry, you are probably right. Most of the rules are recent, or are formed on the basis of older laws that are being applied in new ways. The cybersecurity laws that do exist mostly pertain to certain industries.

Here is an overview of some of the laws, regulations, and agencies giving recommendations. The reason I list them here is to give you notice of some of the more prominent laws and also to give you an idea of the trends in this space: the trends primarily concern the protection of the privacy of the individual, including methods to control access to particularly sensitive data.

Health Insurance Portability and Accountability Act (HIPAA)

I am sure you have heard about HIPAA at your doctor’s office or when dealing with a medical issue. There are a number of provisions in this act; however, the part that we are interested in for the purposes of this article regards the privacy and security of individually identifiable health information. The general approach is that the use and disclosure of this health information by certain types of entities (such as medical service providers) needs to be properly regulated. A great deal of these matters fall under what is called the Privacy Rule. A complementary rule called the Security Rule lays out compliance requirements regarding the security of certain types of electronic health information. The Security Rule goes on to require that administrative safeguards are in place, as well as physical and technical ones (e.g. encryption of data). HIPAA goes into other areas such as enforcement for breaches and other matters.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act deals with the regulation of financial institutions. While the GLBA addresses a number of issues, including removing certain types of restrictions on entities, it also concerns cybersecurity and privacy. One of the big issues that the GLBA tackles is giving notice to individuals; it requires financial institutions to give each consumer a privacy notice periodically. This notice concerns the information that is collected about the consumer, how that information is shared and used, etc. Essentially, the GLBA attempts to give some power to the individual in the form of awareness of what is going on with the individual’s data.

Food and Drug Administration (FDA)

The FDA regulates medical devices and, as you may know, different types of devices require certain reviews, notifications, and approvals. With regard to cybersecurity, the FDA has released a number of guidelines in order to provide recommendations for premarket submissions. The FDA recommends design controls to ensure medical device cybersecurity. The approach the FDA takes is a risk-based one that considers whether the device is capable of connecting to other devices or networks, in combination with the potential harm to patients.

National Highway Traffic Safety Administration (NHTSA)

Vehicles are increasingly using more electronic technology, such as advanced driver assistance functions, which employ many sensors, electronics, and computer systems. The NHTSA has given broad guidelines regarding cybersecurity and, like many other institutions, recommends the National Institute of Standards and Technology Cybersecurity Framework. The framework is structured around five functions:

Identify: develop an organizational understanding to manage cybersecurity risk

Protect: create and implement safeguards

Detect: create and implement methods to identify a cybersecurity event

Respond: create and implement activities for taking action in response to a cybersecurity event

Recover: create and implement plans for resilience and methods to restore any lost capabilities due to a cybersecurity event

You can read more about this framework here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

General Data Protection Regulation (GDPR)

GDPR is the buzzword these days, but not many people know what it is. GDPR is a data protection and privacy regulation in European Union law. In a nutshell, GDPR tries to give individuals control over their personal data, primarily through consent, disclosure, and technical and organizational measures. One of the issues that GDPR hits hard on is penalties for companies that violate its provisions. Violators of GDPR may be fined 20 million euros or 4% of annual worldwide turnover, whichever is greater. That is enough for companies to pay attention to this regulation.

I will do an article about GDPR soon as this is a large topic.

Other

Similar agencies and groups have rules and recommendations regarding cybersecurity such as the Federal Energy Regulatory Commission for the national electric grid infrastructure. Expect these types of recommendations to increase in the near future.

B. Cybersecurity related claims arising under common law

There’s a catch here: even if a law does not seem directly related to high-tech issues or matters of the cyber vein, you still need to pay attention to cybersecurity issues. If, for example, you manage highly sensitive data on a computer hard drive, and you work in airports on the way to a flight and negligently leave your equipment wide open—maybe there is a legal issue there.

Essentially, even if you work in an industry without clear data security and privacy laws, you still have to be careful because of common law claims that may be asserted against you. The bases of these claims include negligence, breach of contract, unjust enrichment, unfair or deceptive acts, and others.

Readers interested in the nitty-gritty legal side and the court cases can read https://casetext.com/case/in-re-sony-gaming-networks-customer-data-sec-breach-litig for a good discussion of the types of claims that are brought in a cybersecurity-related case.

What does this mean for data handlers, tech startups, and similar?

- Even if there are no cybersecurity laws specific to your startup’s industry, you still have to pay attention to industry standards of reasonableness and best practices in terms of how you handle data and other cyber-related matters.

- Don’t make promises in a contract that you are unable to keep. Follow best practices when it comes to contracts. Watch out for standards, risks, qualifiers in contractual language.

- Act quickly when things go wrong; be careful of economic injury claims for lost money or property.

III. Does my startup need cybersecurity insurance?

YES: if your company is primarily in the business of handling or processing tech data or private information.

YES: if your startup is sizable even if its primary business is not related to cybersecurity.

NO: the only time a tech startup does not need to get cybersecurity insurance is when it is young/still working on that MVP and is not primarily in the business of handling data. Eventually, however, if you get large enough, you will need to get insurance.

If you are handling a lot of data, then needing cybersecurity insurance should not come as any surprise. Almost every business in any industry has a specialized form of insurance that it turns to. If you’re in the real estate industry and you rent out commercial space to tenants, do you have appropriate commercial property insurance? Yes. If you’re a physician practicing anesthesia, do you have medical malpractice insurance? Yes. There’s surely an industry-specific type of insurance you can get. Look at the main nature of your business. Just talk to your insurance provider about it and see what kinds of options they have. It may be an extra addition or package to a general business liability insurance that they offer. Talk to a number of different insurance providers to find the right fit.

Besides protecting your startup, there’s another key part of cybersecurity insurance. If you want to do business or have a contract with an entity, you may be required to have some form of cybersecurity insurance. In other words, some businesses will NOT work with your startup if your startup does not have cybersecurity insurance in place. I want you to keep that in mind when you are growing and operating your startup.

If your startup is still young and new, then you may not need the beefiest type of cybersecurity insurance that’s out there. Work with your insurance provider to see if there’s a good fit for the size and scale of your operations. This is not a binary thing—either you have cybersecurity insurance or you don’t. There are definitely different levels of insurance that it is possible to get.

Issues to watch out for when purchasing cybersecurity insurance

The name of the game for cybersecurity insurance is in part how to make sure your claim doesn’t get denied. There are other issues like speed of processing and such. This is a tricky area because unlike car insurance, for example, cybersecurity event issues are less clear cut and not as well defined as something like a fender bender. This will change as time goes on with the occurrence of more cybersecurity incidents and as cybersecurity definitions become more concrete.

General issues — pay attention to the same kinds of issues when you purchase cybersecurity insurance as you do any other kinds of insurance. When you see a coverage of $100 million, does that mean per event or does that mean overall? Watch out for language and pay close attention to what exactly your limits are and the terms of coverage.

General liability insurance — general liability insurance nowadays does not cover cybersecurity events. Back in the day this used to not be as much of an issue. But it is now. Don’t think that just because you have some general business coverage or similar that you are fine and covered. It doesn’t work like that.

Be careful of exclusions with cybersecurity insurance — make sure not to work yourself out of coverage. Consider the following: insurance companies often exclude coverage due to war because of obvious reasons (they don’t consider it a normal type of risk, they would go bankrupt if they accounted for acts of war and tried to offer generally accepted premium rates). After 9/11, the idea of war broadened as it pertained to insurance claims and coverage. Warfare, particularly in the cyberspace, is broad and difficult to ascertain. There have been legal cases where classifying a cyber attack by a certain actor changed whether or not the insurance company was liable under the war exclusions clause. What does this mean? It means to be careful about working your way out of coverage and for you to really think about how you classify cybersecurity events. It also makes the following point even more important.

Find a good insurance company — this makes a big difference. As I mentioned, insurance companies look for ways to deny claims or to find some exclusion so that they don’t have to pay you. But even short of that, you don’t want to have to deal with an insurance company that is super late to pay out or just plays games. A new field like cybersecurity insurance is even more ripe for game playing. Get a good feel when you talk to an insurance agent. Additionally, talk to more than one agent. Get one you have some confidence in. Insurance rates vary wildly. Don’t get too cheap with insurance premiums though. If you’re going to cut corners (e.g. not pay much of a premium), then they’ll cut corners too. Using different companies to insure different aspects of coverage can be challenging as well. Again, cybersecurity isn’t well defined. Should a claim fall under a crime fraud policy or a cybersecurity policy? This is why it’s important to have a good insurance company that backs you and doesn’t look for every angle to screw you over.

IV. Cybersecurity for Texas startups

Texas, like other states, has looked to increase cybersecurity efforts and safeguards, primarily through the use of agencies to provide guidance.

While cybersecurity law is a new area of law globally, many states have adopted certain types of security breach notification laws. In Texas, this is codified in sections 521.002 and 521.053 of the Texas Business and Commerce Code. This is also known as the Identity Theft Enforcement and Protection Act. This law defines personal identifying information and sensitive personal information, such as a social security number, driver’s license number, certain types of financial data, and certain types of medical conditions.

Section 521 is basically saying the following things:

1. A person cannot obtain someone else’s sensitive personal information without the person’s consent and without proper intent;

2. A business has a duty to protect that sensitive information; and

3. A business has to give notification following a breach of security of computerized data.

In other words, a person may not obtain or possess this type of private content without the other person’s consent and without an intent to obtain a good, service, or similar.

The important item for readers of this site is that a startup has a duty to protect this sensitive information. Like many types of laws, this law relies on a reasonableness standard. Texas Business and Commerce Code section 521.052 states that a business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect sensitive personal information collected or maintained by the business in the regular course of business from unlawful use or disclosure.

The law gives further guidance that the business shall destroy, or arrange for the destruction of, information that is not to be retained by the business.

If the startup violates these sections, then it is liable for sizeable civil penalties and subject to an injunction.

V. What are the latest startup trends in cybersecurity?

Now that I’ve gone through a number of cybersecurity legal issues, here are some of the trends I’ve been noticing in cybersecurity as a field. If you can hit one of these categories really hard and do all of the other things correctly—i.e. grow properly, raise money, etc.—you’ll do really well in the cybersecurity space.

Physical security is merging with cybersecurity

In the past, physical security (e.g. doors, video cameras, and locks) was kept physical. Cybersecurity, relating to data and similar networks, only pertained to situations where an individual would sit down at a company desktop and log in to the system. Now all of the systems I just mentioned are merging. While electronic key cards to enter a door are not new, they are more sophisticated, and more information is being processed through them in an integrated way with other information systems. Biometrics and other items related to the physical body are also playing a larger role. More and more startups are getting into this physical side of cybersecurity.

Value of data means more systems being in place to control data

There’s a saying that data is the new oil. Anything people believe or perceive to be valuable will see an increase in protections for it. A lot of startups out there are working on methods to protect this data, as data can be very difficult to contain. How do you keep something contained that is relatively intangible? As I mentioned, more money is being spent on cybersecurity than ever before. Spending money to control data is simply a cost of doing business. It’s the cost of moving from physical cabinets to digital cabinets—and part of that is making sure data stays in those digital file cabinets unless properly removed. There is opportunity in this space.

Industries are working on defining cybersecurity

In order to best work on it, protect it, and legislate around it, you have to define it. Many industries are working on defining cybersecurity right now. I already mentioned how this is true in the insurance industry. And as the Texas law shows, standards of reasonableness are important to define. Industries are working to define best practices and figure out what reasonable measures to protect data and networks are.

Startups are working to remove the human element of cybersecurity

The biggest hole in cybersecurity isn’t computers or devices, it’s people. This is being realized more and more. The Sony breach is testament to that; crappy passwords, Nigerian princes, phishing attacks—people are a weak point in the cybersecurity sphere. A trend is developing where there is a demand to remove the human element from cybersecurity. In the past, employees and others were simply reminded to change their password every x months. While that is a good practice, cybersecurity professionals have noticed that this is simply not good enough and are thus promoting various forms of biometrics and similar. There has additionally been an increase in demand for cybersecurity education in companies.

Consolidation of trust

Because so many devices, physical objects, etc. are being integrated, we are seeing a farming out of cybersecurity to institutions that are more specialized in it. In-house IT units are relying more and more on third-party controls to help increase security and make it more robust. There is an outsourcing of components of cybersecurity. This raises a good question of who is securing the securers. Corporate trust is a big issue at the moment. We have started to see how corporations, even large ones like Apple and, very recently, Google, want to be the player in the industry that everyone trusts.

VI. Cybersecurity legal tips for startups

1. Follow the law

This is obvious advice: “follow the law!” But it pertains to the industry-specific cybersecurity laws that are popping up. Cybersecurity law is a new and up-and-coming field with a lot of changes. As I mentioned, most industries don’t have specific cybersecurity laws pertaining to them, but this is slowly changing, so you have to stay in tune with the law.

2. Adopt best practices with data and security

You have to pay attention. Learn what is going on in your industry and follow reasonableness standards or better. What you want to do is make sure you adopt reasonable standards in order to comply with the law and to avoid any common law problems. Automate processes to allow for less human error. Use two-factor authentication. Use encryption for certain types of sensitive data. Educate your employees. Use firewalls, antivirus, and similar measures on systems that store personal information.

3. Don’t make promises you can’t keep

Cyber events and attacks can lead to disproportionate loss. Have well-documented, good contracts. Don’t make promises in contracts that you can’t keep. Don’t make representations and warranties that are inappropriate. This too is to keep breach of contract claims from popping up. Remember that lawsuits can be brought under common law claims.

4. Increase cybersecurity as your startup grows

A small startup is not able to build a robust framework on day one. You don’t have to, for example, have everything in the self-assessment package found here from the very get-go: http://www.us-cert.gov/sites/default/files/c3vp/csc-crr-self-assessment-package.pdf Instead, you have to build up over time, while paying attention to point 1 about following the law.

5. Get cybersecurity insurance

If you’re just getting started with your startup (pre-MVP), you don’t need this, but after that you will. Use this article to help you understand the main issues of cybersecurity insurance and to avoid any gotchas.

6. Have a cybersecurity action plan

Understand that cybersecurity events will happen. You cannot have perfect 100% security. That’s just not how security works. You cannot achieve it, and the law does not require it. If you are big enough, a cybersecurity event will occur. How you prepare for that is the key. The best practice is to have a plan ready that you are able to execute. Essentially, you need to prepare for a crisis before the crisis, and not during the crisis, when decision making is more desperate and can go wrong. Furthermore, many states have passed breach notification laws.

The more you can show that you had a reasonable plan and that you executed it, the more favorably a court will look at your situation.

VII. Conclusion

Coming soon I will be writing more about cybersecurity law as I get a lot of questions about this area. If you are a startup working in the startup cybersecurity space in Texas and want to chat, email me and let’s get some coffee.