This detailed guide provides you with step-by-step instructions on how to build GDPR-compliant solutions. This way your European customers can enjoy your business safely.
Startup founders will certainly find this guide useful, especially those at an early-stage round.
You do not need any technical experience to follow these simple step-by-step instructions. If you run an established business, you will find this guide useful as well.
In this article, I will reference 2 solutions that I am working on now:
If your target market is Europe, you are obliged to work by GDPR standards. Following GDPR rules allows you to satisfy more customers, which brings you more business opportunities.
If you work directly with end users, GDPR compliance will increase your sales. According to the Cisco report “From Privacy to Profit”, people are asking more questions about how their personal data is being used, and they now view privacy as an important component of a company’s brand.
Non-compliance can result in meaningful fines. It is not only Facebook and Google that get hefty fines. Small companies often turn out to be targets of privacy authorities too.
For example, take a look at the following decision against PACKLINK SHIPPING. They had to pay €1,200 for cookie violations. The Spanish Data Privacy Authority (DPA) fined a website for placing Google Analytics cookies without user consent.
More info about this case can be found in the following article.
As a first step, you need to identify which personal data you collect.
Personal data is every single piece of information that can help to identify a person.
You need to check that the personal data you collect is absolutely necessary for your business.
Here is a partial list of records that are considered personal:
| Contacts | Passport details | IP address |
| Banking info | Driving license | Genetic info |
| Financial info | Cookie info | Mobile device ID |
| Personal ID | Ethnic info | Health / medical data |
According to GDPR Article 5:
Personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
In addition, in order to make use of personal data (called “processing” in GDPR terms) you need to have a legal basis for it.
Any operation performed on personal data counts as processing under GDPR. Examples include generating a list of customers, storing data in a database, fraud analysis, sending out emails, shredding documents, image processing, saving to the audit log, etc.
As a preparation step, make a list of all the services you use, for example MySQL, HubSpot, MailChimp, etc.
If you are low on budget, you can use one of the online policy generation services:
Personally I prefer Iubenda, as it allows me to list all 3rd party services that I work with. Here is a partial list I use:
Key topics for privacy documents:
Confidentiality and integrity are leading GDPR principles, meaning that security measures have to be applied to protect personal data.
Although there are no explicit GDPR encryption requirements, you have to enforce security measures. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.
So, it is always recommended to encrypt personal data you store. Encryption also complies with “privacy by design” GDPR requirements.
In my opinion, database and disk encryption can be considered fake security solutions. Any SQL injection or any security problem found in GraphQL will dump your customers' personal data in clear text.
You can use the open-source Databunker project to store your customer data. Instead of talking with Databunker using SQL, your backend will have to call an API function to retrieve specific user details. It is similar to the API of most NoSQL databases. Databunker does not have an API to fetch all users at once like SELECT *. Databunker encrypts customer records and builds a secure search index for quick user lookup (i.e. using email, token, etc.). Databunker also supports encrypted session storage.
You can also build your own solution to encrypt sensitive customer records at the application level.
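One way to build such an application-level scheme, shown as an added example (it is not Databunker's code or the author's): each record is encrypted with AES-256-GCM and looked up through a keyed hash of the email, so the database holds neither clear-text records nor clear-text emails. The in-memory `users` map and the in-process key generation are assumptions made so the example runs on its own under Node.js.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: in production both keys come from a KMS or secret store, never from code.
const ENC_KEY = nodeCrypto.randomBytes(32);   // AES-256-GCM record key
const INDEX_KEY = nodeCrypto.randomBytes(32); // separate HMAC key for the search index

// Keyed hash of the normalised email: lets the backend look a user up
// without storing the address in clear text.
function blindIndex(email) {
  return nodeCrypto.createHmac('sha256', INDEX_KEY)
    .update(email.trim().toLowerCase()).digest('hex');
}

function encryptRecord(record) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  // Layout: 12-byte nonce | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptRecord(blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the ciphertext or tag was modified.
  const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(body.toString('utf8'));
}

// Hypothetical in-memory table standing in for the real database:
// the only columns are the keyed index and the ciphertext.
const users = new Map();

function saveUser(record) {
  users.set(blindIndex(record.email), encryptRecord(record));
}

// Single-user lookup only; there is deliberately no "list all users" function.
function findUserByEmail(email) {
  const blob = users.get(blindIndex(email));
  return blob ? decryptRecord(blob) : null;
}

// Constructed sample record.
saveUser({ email: 'Alice@example.com', name: 'Alice Example', phone: '+10000000000' });
```

An SQL injection against a table shaped like this returns HMAC values and ciphertext; reading a record still requires the keys held by the application.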
According to GDPR Article 5:
Personal data shall be (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (DATA MINIMIZATION) and (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
You need to remove customer data that is no longer needed. You must remove or anonymize users’ data for expired trial accounts and for customers who left your service.
In the SaaS business converting 60% of the trial accounts to customers is a big success. That means that you still need to remove 40% of personal data or convert it to anonymous form.
You can see an email received by a job candidate from GitHub. GitHub tells the candidate that his personal data will be removed in 30 days. Or, the candidate can leave his details by pressing “Keep my Data”.
For free trial accounts, when creating a user record in a database, make sure to add the last login date or last access date. If the user does not convert to a paying customer, you can try for a few months to convert him with emails. If it does not work, you need to remove his records from internal databases and from external systems (Mailchimp, Hubspot, etc…).
You do not need to wait for a user forget-me request to remove his records. You have a data minimization GDPR requirement and you need to remove user details in a proactive manner.
You see cookie banners on almost any website these days. You can find hundreds of examples of cookie banners. In reality, most of the cookie banners you see are not GDPR compliant.
Here are the most common errors when integrating cookie banners:
Displaying a cookie banner with only one button like “Accept” or “Got it” is not legal. It does not give your users a free choice to reject unnecessary cookies.
Make sure that non-essential cookie groups are displayed as not pre-checked by default in the advanced cookie settings window. Explicit consent requires a very clear and specific statement of consent.
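The two rules above expressed as banner logic, in an added example that is not taken from the article or from any banner product. The category names, the `policyVersion` field and the script registry are hypothetical.

```javascript
const CATEGORIES = ['essential', 'analytics', 'marketing'];

// Non-essential groups start unchecked; only essential cookies are on without consent.
function defaultChoices() {
  return { essential: true, analytics: false, marketing: false };
}

// Build the record to persist as proof of consent.
// `choices` holds the boxes the user actually ticked.
function recordConsent(choices, { policyVersion, now = new Date() }) {
  const granted = defaultChoices();
  for (const cat of CATEGORIES) {
    // Only an explicit `true` counts; missing or truthy-looking values do not.
    if (cat !== 'essential') granted[cat] = choices[cat] === true;
  }
  return { granted, policyVersion, decidedAt: now.toISOString() };
}

// Both banner buttons go through the same path, so rejecting is as easy as accepting.
const acceptAll = (meta) => recordConsent({ analytics: true, marketing: true }, meta);
const rejectAll = (meta) => recordConsent({}, meta);

// Scripts are registered with a category and load only once that category is granted.
function scriptsToLoad(registry, consent, currentPolicyVersion) {
  // No decision yet, or a decision made under an older policy: fall back to defaults.
  const valid = consent && consent.policyVersion === currentPolicyVersion;
  const granted = valid ? consent.granted : defaultChoices();
  return registry.filter((s) => granted[s.category] === true).map((s) => s.name);
}

// Constructed registry of third-party scripts.
const registry = [
  { name: 'session', category: 'essential' },
  { name: 'google-analytics', category: 'analytics' },
  { name: 'ads-pixel', category: 'marketing' },
];
```

Before any decision is stored, `scriptsToLoad(registry, null, 'v2')` returns only the essential script, so the analytics tag cannot set cookies ahead of consent.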
You can go the other route and leave your website without the cookie banner. For that, you will need to completely remove all 3rd party services and scripts from your website. More information about this method can be found in the following article: https://github.blog/2020-12-17-no-cookie-for-you/.
On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission (DPC) v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.
The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government).
Data exporters are liable for personal data when performing a cross-border transfer. Your startup company can be the data exporter.
Data exporters need to implement supplemental technical measures that prevent governmental authorities in the target countries from identifying the individuals the data pertains to.
You can also change your lead generation forms and get explicit user consent for his personal data to be processed by, for example, US CRM companies (Salesforce, HubSpot, etc.).
If you change your landing pages, you need to collect consent records.
Saving application logs, a well-established practice, turns out to be tricky under the GDPR. The regulation treats an IP address as a personal identifier. Like other user identifiers, it should be treated with caution.
According to GDPR, you have one month to respond to a user forget-me request. This actually means that you have one month to filter your log files from all user-related records – for example, filter out logs for user IP addresses.
Alternatively, you can limit the log retention period to just one month. Older log entries are then removed automatically. This way you do not need to do anything besides a one-time configuration of the log retention period.
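Both approaches applied to access-log lines, as an added example that is not from the article: entries older than the retention window are dropped, and entries from an IP address named in a forget-me request are filtered out. It assumes the common/combined log format, and the sample lines are constructed.

```javascript
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// Common/combined log format: client address first, timestamp in brackets.
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]/;

// Extract the client IP and the entry time (epoch milliseconds, UTC).
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m || !(m[3] in MONTHS)) return null;
  const [, ip, d, mon, y, hh, mm, ss, sign, oh, om] = m;
  const offsetMs = (sign === '+' ? 1 : -1) * (Number(oh) * 60 + Number(om)) * 60000;
  const time = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) - offsetMs;
  return { ip, time };
}

function scrubAccessLog(lines, { now, retentionDays = 30, erasedIps = [] }) {
  const cutoff = now - retentionDays * 86400000;
  const erased = new Set(erasedIps);
  const kept = [];
  const stats = { expired: 0, erased: 0, unparsed: 0 };
  for (const line of lines) {
    const entry = parseLine(line);
    // A line that cannot be parsed cannot be shown to be safe to keep, so drop it.
    if (!entry) { stats.unparsed++; continue; }
    if (entry.time < cutoff) { stats.expired++; continue; }   // retention window
    if (erased.has(entry.ip)) { stats.erased++; continue; }   // forget-me request
    kept.push(line);
  }
  return { kept, stats };
}

// Constructed sample lines using documentation address ranges.
const sampleLog = [
  '203.0.113.7 - - [01/Jan/2024:08:00:00 +0000] "GET / HTTP/1.1" 200 512',
  '198.51.100.23 - - [05/Mar/2024:09:15:00 +0000] "GET /pricing HTTP/1.1" 200 2048',
  '203.0.113.7 - - [06/Mar/2024:10:30:00 +0100] "POST /login HTTP/1.1" 302 0',
  'corrupted line without a timestamp',
];
const scrubbed = scrubAccessLog(sampleLog, {
  now: Date.UTC(2024, 2, 10), erasedIps: ['198.51.100.23'],
});
```

The IP comparison is an exact string match, so an IPv6 address has to be given in the same textual form the web server writes to the log.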
Take a look at the following article of mine for more technical solutions: https://www.freecodecamp.org/news/how-to-stay-gdpr-compliant-with-access-logs/
As of today, this article is rated in the top 4 in Google “gdpr logging” search ;-)
Right to access gives your users the right to obtain a copy of their personal data, as well as other supplementary information.
Right of rectification allows your customers to fix any incorrect or incomplete personal data.
Right to erase or forget-me right.
Your customers have the right to restrict processing of their personal data.
Right to data portability gives your customers the possibility to obtain and reuse their data with another service provider. Basically, you need to return a JSON file with the user's data.
Right to object allows users to file an objection.
The last user right is the right related to automated decision making including profiling. One of the examples here is that your users can request you to apply human intervention when processing is done in an automatic manner (for example by AI).
Option 1. Choose open-source Databunker.
In compliance with right of access, Databunker can provide your customers with passwordless access to the internal user privacy portal. Inside the portal, your customer can perform the following: change personal information, ask for account removal, manage and view consents, view history, etc…
Option 2. Privacybunker employs an even simpler method to execute most of the user requests. Inside the cookie banner, your customers can click on the “Privacy portal” link.
The following screen with the options appears:
When the user clicks on “Get personal data”, the service asks the user to fill in his email address:
The user enters his email address and in a second he gets a comprehensive personal information report that has all details collected from all services like MailChimp, Hubspot, and from internal databases such as Databunker, MySQL, PostgreSQL, etc.
Option 3. You can build your own solution. You may be able to do this by combining it with Zapier or similar tools.