How do we know whether the GDPR applies to us and our startups? Does my startup need to comply? In order to comply with the GDPR, it’s important to see the bigger picture. We first have to understand what the GDPR is, to whom it applies, and what standards your startup is trying to meet. Reading this article is the first step towards becoming GDPR compliant; you can then work through this series of articles and self-evaluate where you are complying and what you are missing.
WHAT IS THE GDPR?
The GDPR is an abbreviation for the General Data Protection Regulation, which was passed by the European Parliament in 2016 and has been in force since 2018. Its predecessor, the Data Protection Directive of 1995, had become outdated as needs changed. Technological advancements and an increase in globalisation meant that the EU wanted to harmonize data protection in the European Union, as well as raise data protection standards for users. Since its introduction, users have more control over what happens to their data and are able to manage how it is being used more effectively. As a result, companies find themselves re-evaluating their privacy and data protection standards.
WHO DOES THE GDPR APPLY TO?
The GDPR does not apply to private individuals, but rather to companies that use data for the purpose of their business activities. Any company inside or outside the European Union (EU) that offers goods or services to individuals within it falls within the ‘scope’ of the GDPR. Being in scope essentially means that the company is subject to the regulation if it meets the prerequisites found in the GDPR. Alternatively, any company outside the EU that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed, will have to comply with the GDPR.
OFFERING GOODS OR SERVICES
So, what does the offer of goods or services entail? As a startup, you may be offering goods or services online. A simple example is when a company sells a product through a website and markets it to EU consumers in the local currency. It is important that there is an intention to sell that particular product in the EU. A way of showing that intention is by giving the customer the opportunity to pay in their own currency.
Ways of indicating the intention to sell to the European market include:
- Offering the information on the product in the language of the user.
- Offering the user the ability to pay in their local European currency.
- Using a search engine that redirects them to their European website.
- Having a European phone number for customer support or service.
- Offering a service that is particular to Europe (generally applies to travel agencies).
A business located within the EU will still be subject to the regulation even without an online presence.
Monitoring behaviour is another aspect that may cause your startup to be subject to the GDPR. If your startup’s website allows you to track IP addresses and the potential customers are in the EU, then you fall within the scope of the GDPR. To put this in simple terms, if you create a website in the US aimed at providing information about your local community and it is able to attract a Spanish viewer, the startup will be held accountable for the data generated.
The big takeaway here is that you, on behalf of your startup, need to evaluate whether it is subject to the GDPR. You can do this by checking whether you are a company located in the EU, who your clientele is and whether they are European, and finally whether you are monitoring the behaviour of EU citizens.
To find out more about what you can do to be compliant, continue reading “What obligations does my startup have under the GDPR?”