
8 Simple Steps to make your startup GDPR compliant

Yuli Stremovsky
Privacybunker.IO Founder

I am an expert in marrying technological solutions with privacy.

Summary

This detailed guide provides you with step-by-step instructions on how to build GDPR compliant solutions. This way your European customers can enjoy your business safely.

Startup founders will certainly find this guide useful, especially those in an early-stage round.

You do not need any technical experience to follow these simple step-by-step instructions.

If you run an established business, you will find this guide useful as well.

In this article, I will reference 2 solutions that I am working on now. One is an open-source secure vault and SDK to store personal records called Databunker https://databunker.org/ and https://github.com/securitybunker/databunker. The second one is a privacy automation service called Privacybunker.IO https://privacybunker.io/.

Why should I care about GDPR?

If your target market is Europe, you are obliged to work by GDPR standards. Following GDPR rules allows you to satisfy more customers, which brings you more business opportunities.

If you work directly with end-users, GDPR compliance will increase your sales. According to the Cisco report “From Privacy to Profit”, people are asking more questions about how their personal data is being used, and they now view privacy as an important component of a company’s brand.

Why is GDPR relevant for small companies?

Non-compliance can result in meaningful fines. Facebook and Google are not the only ones getting hefty fines. Small companies often turn out to be targets of privacy authorities too.

For example, take a look at the following decision against PACKLINK SHIPPING. They had to pay €1,200 for cookie violations. The Spanish Data Privacy Authority (DPA) fined the website for placing Google Analytics cookies without user consent.

More info about this case can be found in the following article.

8 Steps to Eliminate GDPR Fines

  • Step 1 and Step 2 do not include technical information.
  • For a detailed technical description, start from Step 3.
  • To save time, you are welcome to schedule a one-to-one meeting with me: https://calendly.com/stremovsky/30min

Step 1: Identify Personal Data

As a first step, you need to identify which personal data you collect.

Personal data is every single piece of information that can help to identify a person.

You need to check that the personal data you collect is absolutely necessary for your business.

Here is a partial list of records that are considered personal:

Name | Address | RFID
Contacts | Passport details | IP address
Banking info | Driving license | Genetic info
Financial info | Cookie info | Mobile device ID
Personal ID | Ethnic info | Health / medical data
SSN | Political views | More

Step 2: Update your Privacy Policy and Terms-of-Service pages

According to GDPR Article 5:

Personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

To comply with transparency requirements, you need to make sure your service privacy policy and terms of service are correct and updated.

In addition, in order to make use of personal data (called “processing” in GDPR terms) you need to have a legal basis for it.

Any operation performed on data is called processing under GDPR: for example, generating a list of customers, storing data in a database, fraud analysis, sending out emails, shredding documents, image processing, saving to the audit log, etc.

GDPR identifies a number of legal bases, for example consent and contract. The privacy policy and terms of service fall under the contract legal basis.

Generating privacy documents

As a preparation step make a list of all services you use. For example MySQL, HubSpot, MailChimp, etc…

If you are low on budget, you can use one of the online policy generation services:

  1. Iubenda (https://www.iubenda.com/)
  2. Termsfeed (https://www.termsfeed.com/)
  3. Termify (https://termify.io/)

You can also find privacy policy experts on Fiverr https://www.fiverr.com/.

Personally I prefer Iubenda, as it allows me to list all 3rd party services that I work with. Here is a partial list I use:

[Image: Iubenda - my custom services]

Storing and updating privacy policy and terms-of-service documents costs me 9 USD per month at Iubenda.

If you have a budget, it is better to prepare privacy policy and terms-of-service documents with a professional privacy lawyer.

If you need a privacy compliance specialist, I can recommend working with Vitomir Lučić at vitomir.lucic@boost.hr from Croatia: https://boost.hr/en/.

Key topics for privacy documents:

  1. Make sure to list all 3rd party services that you use in your privacy policy. For example cloud CRM, email marketing service, advertising tracking tools, etc…
  2. You need to create a dedicated email address for the person who will handle user requests, like privacy@company-name.com. List this email address in your privacy policy and terms-of-service documents.
  3. Make sure to list which personal information you store in your internal system.

Step 3: Personal data protection

The leading GDPR principles are confidentiality and integrity, meaning that security measures have to be applied to protect personal data.

Although there are no explicit GDPR encryption requirements, you have to enforce security measures. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.

So, it is always recommended to encrypt personal data you store. Encryption also complies with “privacy by design” GDPR requirements.

Technical solutions

  1. You can pick a very easy solution for database or disk encryption provided by your cloud provider. Most architects, CTOs and even ISO auditors consider those options an acceptable solution.

In my opinion, database and disk encryption can be considered fake security solutions. Any SQL injection or any security problem found in GraphQL will dump your customers' personal data in clear text.

  2. You can use the open-source Databunker project to store your customer data. Instead of talking with Databunker using SQL, your backend will have to call an API function to retrieve specific user details. It is similar to the API of most NoSQL databases. Databunker does not have an API to fetch all users at once like SELECT *. Databunker encrypts customer records and builds a secure search index for quick user lookup (e.g. using email, token, etc.). Databunker also supports encrypted session storage.

  3. You can build your own solution to encrypt sensitive customer records at the application level.
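
For the option of building your own application-level encryption, one common shape is to encrypt each record with AES-GCM and look it up through a keyed hash of the email address, so the database holds neither plaintext nor a reversible identifier. This is an added Go example, not code from Databunker or from the original article; the function names, keys and sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func NewAEAD(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BlindIndex is HMAC-SHA256(indexKey, email): a stable lookup key, useless without indexKey.
func BlindIndex(indexKey []byte, email string) string {
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(email))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Seal encrypts a record; idx is authenticated so a row cannot be moved to another user.
func Seal(a cipher.AEAD, idx string, record []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, record, []byte(idx)), nil // stored row = nonce || ciphertext
}

// Open decrypts a row and fails if the row or its index was altered.
func Open(a cipher.AEAD, idx string, row []byte) ([]byte, error) {
	if n := a.NonceSize(); len(row) >= n {
		return a.Open(nil, row[:n], row[n:], []byte(idx))
	}
	return nil, fmt.Errorf("row too short")
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key, never use in production
	idx := BlindIndex([]byte("constructed-index-key"), "alice@example.com")
	row, _ := Seal(a, idx, []byte(`{"name":"Alice"}`))
	out, err := Open(a, idx, row)
	fmt.Println(idx[:16], string(out), err)
}
```

In a real deployment the encryption key and the index key are two different secrets loaded from a key management service, and the database column holding the index is the only thing queries ever match on.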

Step 4: Personal Data Minimization

According to GDPR Article 5:

Personal data shall be (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (DATA MINIMIZATION) and (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

What does this actually mean?

You need to remove customer data that is no longer needed. You must remove or anonymize users’ data for expired trial accounts and for customers who left your service.

In the SaaS business converting 60% of the trial accounts to customers is a big success. That means that you still need to remove 40% of personal data or convert it to anonymous form.

Example of data minimization email

[Image: data minimization email]

You can see an email received by a job candidate from GitHub. GitHub tells the candidate that his personal data will be removed in 30 days. Alternatively, the candidate can keep his details on file by pressing “Keep my Data”.

So, how to comply?

For free trial accounts, when creating a user record in a database, make sure to add the last login date or last access date. If the user does not convert to a paying customer, you can try for a few months to convert him with emails. If that does not work, you need to remove his records from internal databases and from external systems (Mailchimp, Hubspot, etc.).

You do not need to wait for a user forget-me request to remove his records. GDPR has a data minimization requirement, and you need to remove user details proactively.
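
The rule described above can be expressed as a per-account decision that a scheduled job applies: notify an inactive trial user first, as in the GitHub email, then purge after a grace period. This is an added Go example, not code from the original article; the `Account` fields, the 90-day retention and the 30-day grace period are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Account is a hypothetical user row; LastLogin is the field the text says to record.
type Account struct {
	Email      string
	Paying     bool
	LastLogin  time.Time
	NotifiedAt time.Time // zero until the "your data will be removed" email is sent
}

// Action is what the scheduled job should do with one account.
type Action int

const (
	Keep   Action = iota // paying, still active, or grace period running
	Notify               // send the removal notice and start the grace period
	Purge                // delete or anonymize here and in external systems
)

// Decide applies the retention rule to one account. A login after the notice
// counts as "keep my data" and restarts the cycle.
func Decide(a Account, now time.Time, retention, grace time.Duration) Action {
	if a.Paying || now.Sub(a.LastLogin) < retention {
		return Keep
	}
	if a.NotifiedAt.IsZero() || a.LastLogin.After(a.NotifiedAt) {
		return Notify
	}
	if now.Sub(a.NotifiedAt) >= grace {
		return Purge
	}
	return Keep // notice sent, grace period still running
}

func main() {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)
	old := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	trial := Account{Email: "trial@example.com", LastLogin: old} // constructed sample
	fmt.Println(Decide(trial, now, 90*24*time.Hour, 30*24*time.Hour))
}
```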

Technical solutions

  1. You can use the Privacybunker service to automatically remove user records from different services (Mailchimp, Hubspot, MySQL, PostgreSQL, etc.).
  2. You can use the open-source Databunker https://databunker.org/ project for secure storage of customer records. It has an internal API to remove expired records.
  3. You can build your own solution.

Step 5: Cookie banner

You see cookie banners on almost every website these days. You can find hundreds of examples of cookie banners. In reality, most of the cookie banners you see are not GDPR compliant.

Here is a list of the most common errors when integrating cookie banners:

We see a lot of websites that call Google Analytics, Facebook Pixel Tracking or similar JavaScript URLs before the cookie banner is displayed. Under GDPR, users must first give their consent to advertising or analytics tracking before external services, e.g. from Google or Facebook, are called.

Displaying a cookie banner with only one button like “Accept” or “Got it” is not legal. It does not give your users a free choice to reject unnecessary cookies.

Make sure that non-essential cookie groups are displayed as not pre-checked by default in the advanced cookie settings window. Explicit consent requires a very clear and specific statement of consent.

[Image: cookie banner - advanced screen]

You can go the other route and leave your website without the cookie banner. For that, you will need to completely remove all 3rd party services and scripts from your website. More information about this method can be found in the following article: https://github.blog/2020-12-17-no-cookie-for-you/.

Technical solutions

  1. The Privacybunker service comes with a fully GDPR-compliant cookie banner in every plan and has a daily scan service that checks websites for common GDPR pitfalls, including broken cookie banners.
  2. A good cookie banner script is provided by the https://seersco.com/ service.
  3. You can build your own cookie banner based on some open-source code examples.

Step 6: cross-border personal data transfer

On July 16, 2020, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission (DPC) v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.

The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government).

Why is the Schrems-II case so important?

Data exporters are liable for personal data when performing a cross-border transfer. The data exporter can be your startup company.

Data exporters need to implement supplemental technical measures to prevent governmental authorities in the target countries from identifying the individuals the data pertains to.

One of the methods is to get explicit consent from your customers for their personal data to be processed in the US. It is called Standard Contractual Clauses (SCCs). You will need to update your privacy policy with this clause.

You can also change your lead generation forms and get explicit consent from the user for his personal data to be processed by, for example, US CRM companies (Salesforce, HubSpot, etc.).

Technical solution

In case you change your landing pages you need to collect consent records.

  1. You can use Databunker to store your user’s consent.
  2. You can build your own solution to store consent.

Step 7: GDPR compliant logging

The familiar practice of saving application logs turns out to be tricky under the GDPR. The regulation defines an IP address as a personal identifier. Like other user identifiers, it should be treated with caution.

According to GDPR, you have one month to respond to a user forget-me request. This actually means that you have one month to filter your log files from all user-related records – for example, filter out logs for user IP addresses.

The simplest solution

You can limit the log retention period to just one month. Older log entries are then removed automatically. This way you do not need to do anything besides a one-time configuration of the log retention period.
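
The two approaches above, retention limited to one month and removal of entries for a user who asked to be forgotten, can be combined in one pass over an access log. This is an added Go example, not code from the original article; the log lines are constructed and use documentation IP ranges, and `ScrubLog` is a hypothetical name.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed sample in Common Log Format; the addresses are documentation ranges.
var sampleLog = []string{
	`192.0.2.44 - - [15/Dec/2020:10:00:00 +0000] "GET /login HTTP/1.1" 200 512`,
	`198.51.100.9 - - [20/Jan/2021:11:30:00 +0000] "GET /pricing HTTP/1.1" 200 904`,
	`203.0.113.7 - - [25/Jan/2021:09:15:00 +0000] "POST /account HTTP/1.1" 302 0`,
	`not a log line`,
}

// ScrubLog keeps entries inside the retention window and drops every entry whose
// client IP belongs to a user who sent a forget-me request. Lines that cannot be
// parsed are dropped too, so nothing unverified is retained.
func ScrubLog(lines []string, now time.Time, retention time.Duration, forget []string) []string {
	drop := map[string]bool{}
	for _, ip := range forget {
		if p := net.ParseIP(ip); p != nil {
			drop[p.String()] = true // normalise the textual form
		}
	}
	var kept []string
	for _, line := range lines {
		ip := net.ParseIP(strings.SplitN(line, " ", 2)[0])
		lb, rb := strings.Index(line, "["), strings.Index(line, "]")
		if ip == nil || lb < 0 || rb < lb {
			continue
		}
		ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", line[lb+1:rb])
		if err != nil || now.Sub(ts) > retention || drop[ip.String()] {
			continue
		}
		kept = append(kept, line)
	}
	return kept
}

func main() {
	now := time.Date(2021, 2, 1, 0, 0, 0, 0, time.UTC)
	for _, l := range ScrubLog(sampleLog, now, 30*24*time.Hour, []string{"203.0.113.7"}) {
		fmt.Println(l)
	}
}
```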

Additional methods

Take a look at the following article of mine for more technical solutions: https://www.freecodecamp.org/news/how-to-stay-gdpr-compliant-with-access-logs/

As of today, this article is rated in the top 4 in Google “gdpr logging” search ;-)

[Image: GDPR logging SERP]

Step 8: Prepare to execute user privacy request

GDPR introduced a number of user rights. Most users will contact you using the privacy email displayed on your privacy policy page. You can also build a form on your website to request personal data, or you can use other commercial tools available, for example Privacybunker solutions.

Overview of user privacy requests

Users have the right to be informed on how their personal data is used. You have to update your Privacy Policy and Terms of Service pages accordingly.

Right to access gives your users the right to obtain a copy of their personal data, as well as other supplementary information.

Right of rectification allows your customers to fix any incorrect or incomplete personal data.

Right to erase or forget-me right.

Your customers have the right to restrict processing of their personal data.

Right to data portability gives your customers the possibility to obtain and reuse their data with another service provider. Basically, you need to return a JSON file with their data to the user.

Right to object allows users to file an objection.

The last user right is the right related to automated decision making including profiling. One of the examples here is that your users can request you to apply human intervention when processing is done in an automatic manner (for example by AI).

Technical solutions:

Option 1. Choose open-source Databunker.

In compliance with right of access, Databunker can provide your customers with passwordless access to the internal user privacy portal. Inside the portal, your customer can perform the following: change personal information, ask for account removal, manage and view consents, view history, etc…

Option 2. Privacybunker employs an even simpler method to execute most of the user requests. Inside the cookie banner, your customers can click on the “Privacy portal” link.

[Image: Cookie Banner - Portal Link]

The following screen with the options appears:

[Image: Privacy Portal Option]

When the user clicks on “Get personal data”, the service asks the user to fill in his email address:

[Image: PII Report]

The user enters his email address and within a second gets a comprehensive personal information report that has all details collected from services like MailChimp and Hubspot, and from internal databases such as Databunker, MySQL, PostgreSQL, etc.

Option 3. You can build your own solution. You may be able to do it by combining Zapier or similar tools.

Need more info on Databunker, Databunker PRO or Privacybunker?

You are welcome to send us an email at hello@privacybunker.io or schedule a call: https://calendly.com/stremovsky/30min.

