The Startup’s Guide to the GDPR
This article is for general information only and is not legal advice. If you have any legal questions, please consult a lawyer. We can't guarantee that the information in this article is accurate or up to date, so use your best judgment and get legal help if you need it. Thanks for reading!
The General Data Protection Regulation (GDPR) is a set of rules for companies that handle personal data of individuals of the European Economic Area (EEA). The EEA includes all EU countries plus Iceland, Liechtenstein and Norway. The GDPR went into effect on May 25, 2018.
The GDPR is considered one of the strictest data protection laws in the world. It gives individuals more control over their personal data and sets stricter rules for companies to follow when collecting, using, and protecting that data.
If a company does not follow these rules, it may be fined or face other penalties. The maximum fine is either 20 million Euro or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Obligations under the GDPR
There are a number of obligations that a company must meet when collecting and processing personal data of individuals in the EEA (the GDPR protects anyone located in the EEA, not only citizens):
- Before launching a new product or service, take some time to think about how it will collect, store, and use personal data from individuals in the EEA. Where the processing is likely to result in a high risk to individuals, conduct a data protection impact assessment (Art. 35) to identify and mitigate those risks before you start.
- Implement appropriate technical and organizational measures to protect personal data (Art. 32), such as encryption, pseudonymization, access control and secure storage. Make sure that your systems and services are kept up to date with the latest security patches and updates.
- When collecting personal data, only ask for the information that is strictly necessary for the specific purpose for which it will be used (data minimization). This reduces the amount of data you collect and the impact of any data breach.
- Be transparent with your customers about what personal data you collect, why you collect it, and how it will be used. Every processing activity needs a lawful basis (Art. 6): consent is one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and you must be able to prove that it was given (Art. 7); explicit consent is required for special categories of data such as health or ethnicity (Art. 9).
- Respect your customers' rights as data subjects (access, rectification, erasure, restriction, portability and the right to object to processing), and make sure that they know how to exercise them.
- Appoint a data protection officer where Art. 37 requires one: if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special categories of data or criminal-conviction data on a large scale. Member states may add their own thresholds; Germany, for example, also requires a DPO if 20 or more people regularly process personal data, or if the company conducts processing requiring a data protection impact assessment or processes personal data for transmission, anonymized transmission, or market and opinion research (BDSG § 38).
- If you transfer personal data to recipients outside the EEA, use a valid transfer mechanism (Chapter V): an adequacy decision of the European Commission, or appropriate safeguards such as the Standard Contractual Clauses combined with an assessment of the destination country's laws. The EU-US Privacy Shield was invalidated by the Court of Justice in July 2020 (Schrems II) and can no longer be relied on; transfers to US companies certified under the EU-US Data Privacy Framework are covered by the adequacy decision of July 2023.
- When you send marketing emails on the basis of consent, use a double opt-in process (a confirmation link sent to the address) so that you can demonstrate that the person who controls the mailbox actually consented. The GDPR does not mention double opt-in by name, but Art. 7(1) puts the burden of proving consent on you, and double opt-in is the established way to meet it.
- Keep all personal data accurate and up to date, and have processes in place to update data when it changes.
- If a data loss or security breach occurs, take immediate action to contain the incident and prevent further harm. Have a plan in place for how to handle such incidents and how to notify customers and the relevant authorities.
- Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Art. 33), and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Art. 34). Document every breach, including those you decide not to report.
- Keep records of your processing activities (Art. 30) to be able to demonstrate compliance in case of an audit by the supervisory authority.
The list contains the most important obligations and responsibilities that a company must observe under the GDPR when collecting and processing personal data of individuals in the EEA.
However, it is possible that there are additional requirements that need to be considered in some cases. For example, there may be specific requirements for companies that operate in certain industries or that process particular types of personal data.
It is therefore always advisable to seek advice from a data protection expert or contact the supervisory authority to ensure that all applicable regulations are complied with.
GDPR for Non-EEA Companies
While it is well known that companies based in the EEA need to comply with the GDPR, not everyone knows that companies based outside the EEA also need to comply with the GDPR in some circumstances (Art. 3(2)). We’ve outlined the different ways that non-EEA companies need to comply, below.
Collecting Personal Data in the European Economic Area
If a company based outside the EEA does offer goods or services to, or monitor the behavior of, individuals in the EEA, it must comply with the requirements of the GDPR when collecting, using, and protecting the personal data of EEA individuals.
If a company based outside the EEA is found to be in violation of the GDPR, EU authorities do have a number of tools at their disposal to ensure compliance with the GDPR.
For example, if a U.S. company is found to be in violation of the GDPR, EU authorities could seek enforcement of a judgment against that company in a U.S. court, depending on the nature of the breach and the laws of the state in which the company is located.
In addition, EU authorities may use other means to pressure a company outside the European Economic Area to comply with the GDPR, such as ordering its EU-based representative or processors to stop processing, restricting its access to the EU market, or publicly naming the company in enforcement decisions.
However, it is unlikely that EU authorities will immediately impose sanctions on a small company outside the EEA that violates the GDPR. Nevertheless, even for small companies outside the EEA, it can be beneficial to comply with the GDPR, because many EEA companies will only work with vendors that can demonstrate GDPR compliance and sign a data processing agreement (Art. 28).
In addition to the risk of fines and other penalties, startups may also face reputational damage if they are found to be in violation of the GDPR. This could make it more difficult for them to do business in the EEA and could also impact their business internationally.
Companies that comply with the GDPR may be more attractive to customers and partners, as they demonstrate a commitment to protecting personal data and respecting the privacy of individuals.
Overall, the GDPR is a significant development for startups that handle the personal data of individuals in the EEA, and it will have a significant impact on how these startups collect, use, and protect that data.
Startups outside the EEA will need to be especially mindful of their obligations under the GDPR and to take steps to ensure compliance in order to avoid the risk of fines and other penalties, as well as reputational damage.
What If You Aren’t Collecting Data In The EEA?
It is worth noting that even if a startup outside the EEA does not currently offer goods or services to, or monitor the behavior of, individuals in the EEA, it may still be advisable to implement the GDPR's requirements.
This is because the GDPR is widely treated as the benchmark for data protection law worldwide, and implementing it can help a startup to establish itself as a reputable and trustworthy company that values the privacy of its customers and partners.
The GDPR in the United Kingdom (UK)
The UK left the EU on January 31, 2020, and the EU GDPR stopped applying in the country when the transition period ended on December 31, 2020. However, the rules of the GDPR were retained in UK law as the UK GDPR (alongside the Data Protection Act 2018), so everything discussed above about the GDPR also applies, with minor differences, to the UK. A UK company that offers goods or services to individuals in the EEA remains subject to the EU GDPR as well.
How to create a GDPR compatible Sign-up Form in the Maildroppa App
Maildroppa is an email marketing app and allows you to create customized signup forms, through which prospects can sign up to receive regular information or newsletters from you.
You can freely define which information is required for registration. For example, first and last name, birthday, and the nationality of the prospect would be possible. This is, of course, personal data.
Mere accessibility of your website from Europe does not by itself bring you in scope (Recital 23), but if you accept sign-ups from individuals in the EEA and then send them marketing emails, you are offering a service to them and the GDPR applies, even if your company is located outside the European Economic Area. Geo-restricting your signup form is the only way to stay out of scope with certainty.
Maildroppa, however, makes it easy for you to comply with the GDPR. You can set whether prospects who want to sign up to your list must always or never view and accept your consent text, or you can set it so that only prospects from the EU, UK, and Switzerland must give their consent via your GDPR consent form.
As a business, you need to inform your customers about the types of data you collect, why you collect it, and how it's stored and processed. Because every company is different, the data they collect and how they use it can vary. It's important for you, as the business owner, to be transparent with your customers about your data practices and comply with GDPR regulations.
Maildroppa, as a service provider, understands this responsibility - that's why we offer a feature to customize the GDPR consent form to your individual requirements. Our app also saves the wording of the GDPR consent form that a subscriber has agreed to, providing you with proof of the agreement years later.
The GDPR also requires you to be able to prove that consent was given (Art. 7(1)), and the established way to do so for email lists is double opt-in: a subscriber is only added after clicking a confirmation link sent to the address they entered. This ensures that only those people who have explicitly consented to receive information from you, as per your GDPR statement, actually receive it, and that nobody can subscribe an address they do not control. Since double opt-in is Maildroppa's default behavior, there is no need to take any additional measures.
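For readers building their own list management, here is how the two pieces above (a double opt-in confirmation that cannot be forged or replayed, and a consent record that preserves the exact wording agreed to) fit together. This is an added example written for this article, not Maildroppa's code; the HMAC key, the 48-hour confirmation window, the in-memory dictionaries standing in for a database and the field names are all assumptions.

```python
"""Double opt-in with a verifiable consent record (added example).

Assumptions, not taken from the article: one server-side HMAC key, a 48-hour
confirmation window, and in-memory dicts in place of a subscriber database.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

CONFIRM_WINDOW_SECONDS = 48 * 3600      # assumption: confirmation links expire after 48 h
_KEY = secrets.token_bytes(32)          # assumption: per-deployment secret, never sent to clients

# Constructed stand-in for a database: normalized e-mail -> record.
PENDING: Dict[str, dict] = {}
SUBSCRIBERS: Dict[str, dict] = {}


def consent_hash(consent_text: str) -> str:
    """SHA-256 of the exact consent wording shown to the prospect."""
    return hashlib.sha256(consent_text.encode("utf-8")).hexdigest()


def _sign(payload: bytes) -> str:
    """payload || HMAC-SHA256(payload), URL-safe base64 without padding."""
    mac = hmac.new(_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii").rstrip("=")


def _verify(token: str) -> Optional[dict]:
    """Return the signed claims, or None if the token is malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    return json.loads(payload)


def request_signup(email: str, consent_text: str, now: float) -> str:
    """Step 1: store the pending request and return the token for the confirmation link.
    Nothing is sent to the address apart from this one confirmation mail."""
    email = email.strip().lower()
    claims = {"e": email, "h": consent_hash(consent_text), "t": int(now),
              "n": secrets.token_hex(8)}      # nonce: a new request invalidates older links
    PENDING[email] = {"consent_text": consent_text, "requested_at": int(now), "nonce": claims["n"]}
    return _sign(json.dumps(claims, separators=(",", ":")).encode("utf-8"))


def confirm_signup(token: str, now: float, source_ip: str) -> str:
    """Step 2: the prospect clicked the link. Returns a status string."""
    claims = _verify(token)
    if claims is None:
        return "invalid"                            # forged or corrupted token
    if now - claims["t"] > CONFIRM_WINDOW_SECONDS:
        return "expired"
    pending = PENDING.get(claims["e"])
    if pending is None or pending["nonce"] != claims["n"]:
        return "unknown"                            # nothing pending, or link already used
    if consent_hash(pending["consent_text"]) != claims["h"]:
        return "invalid"                            # wording changed between request and click
    SUBSCRIBERS[claims["e"]] = {
        "email": claims["e"],
        "consent_text": pending["consent_text"],    # exact wording agreed to, kept as proof
        "consent_hash": claims["h"],
        "requested_at": pending["requested_at"],
        "confirmed_at": int(now),
        "confirmed_from_ip": source_ip,
    }
    del PENDING[claims["e"]]                        # a confirmation link works exactly once
    return "confirmed"


def may_send_to(email: str) -> bool:
    """Only confirmed addresses ever receive marketing mail."""
    return email.strip().lower() in SUBSCRIBERS


if __name__ == "__main__":
    t0 = time.time()
    link = request_signup("Alice@Example.com", "I agree to receive the weekly newsletter.", t0)
    print(may_send_to("alice@example.com"), confirm_signup(link, t0 + 60, "203.0.113.5"))
```

The token carries the address, the hash of the consent text and the request time, all covered by the HMAC, so the confirmation endpoint needs no session and the link cannot be pointed at a different address or a different consent version. Storing the full wording (not just a version number) beside the timestamp and source IP is what lets you answer "what exactly did this person agree to, and when" years later.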
In summary, the GDPR is a set of regulations that apply to companies that handle the personal data of individuals in the EEA. The GDPR gives individuals greater control over their personal data and imposes stricter rules on how companies can collect, use, and protect that data.
Startups in the EEA will need to take steps to ensure compliance with the GDPR in order to avoid the risk of fines and other penalties, as well as reputational damage.
Startups outside the EEA will also need to ensure compliance with the GDPR if they offer goods or services to, or monitor the behavior of, individuals in the EEA. While it is unlikely that EU authorities will immediately sanction every small company that violates the GDPR, they do have a number of tools at their disposal to ensure compliance.
If a startup wants to establish itself as a reputable and trustworthy company that values the privacy of its customers and partners, it may be beneficial to implement the GDPR's requirements even when it does not reside in the EEA or engage with individuals inside the EEA. Lastly, it is important to remember that even though the UK has left the EU, the GDPR continues to apply there in the form of the UK GDPR.