GDPR: How US-based Startups Can Cope with New EU Data Privacy Laws
Changes to European data privacy laws are coming – and they stand to impact your business. More specifically, starting in May of 2018, the EU’s General Data Protection Regulation (GDPR) will bring about some of the biggest changes to international data security laws in 20 years.
US startups should know that (among other things) GDPR:
- Applies to anyone processing personal data of EU residents, even if it happens outside the EU;
- Gives EU individuals (data subjects) the right to access their data, correct it and have it deleted;
- Requires companies to find a legal basis under the GDPR for processing EU personal data; and
- Authorizes fines for violations of up to the greater of €20 million or 4% of total revenue.
So how might GDPR impact your business, and what should you do to prepare? I sat down with Andy Wilson, Founder and CEO at Logikcull, an OpenView portfolio company and provider of discovery and data management software used throughout the legal industry, to find out.
Rufus King: Can you start by telling us what got you started on the process of GDPR compliance? Was it a customer request?
Andy Wilson: Pursuing GDPR compliance was actually not driven by a sales inquiry, but by the data-intensive nature of our business. Discovery is the process of finding and exchanging information in the course of litigation, investigations, and other legal disputes. Given the way people communicate today, this information is 95% electronic. So our customers are entrusting us with their most sensitive data, and we must take every precaution to protect it.
While we have little GDPR exposure given that most of our customers reside in the United States, the GDPR imposes far more strict controls than US privacy laws, and meeting its standards is a further assurance to our customers that the security of their data is our top priority.
RK: Are you seeking to comply as a “data processor” or “data controller” under GDPR?
AW: Logikcull processes and stores two types of customer data. “End-user data” includes login and contact information of our customers and those they invite to use Logikcull. Most companies, if they collect basic personal information – for example, through marketing forms – likely process and store this type of data. “Native data,” on the other hand, is the term for all of the discovery-related data our customers upload to Logikcull.
Logikcull is designed as a resource to simplify the discovery process for customers. In using Logikcull, customers act as controllers of their own native data as they edit, tag, and delete uploaded documents.
RK: Where did you begin? Can you briefly describe the steps in your process?
AW: We want to be clear that we are not GDPR-compliant at the moment, but are in the process of becoming compliant by the May 25 deadline. With respect to initial steps, our internal legal and security teams read up on the law and started off with a two-part analysis of the impact of GDPR on our business. First, we mapped all of our data to ensure we properly understand its flow within our organization and to those third parties we use in the course of conducting business. And then we engaged an external consulting firm to help us conduct a gap and priorities assessment.
GDPR is an evolution of the data protection directive which has long been in existence in the EU. Pulling in the expertise of a consultant or lawyer that is experienced with GDPR compliance and has a history with the data protection directive can be invaluable.
RK: What was the biggest challenge you faced?
AW: The biggest challenge we will likely face is assuring that our business partners and third-party vendors meet the strict standard the GDPR imposes. Specifically, we will evaluate our existing third party / vendor assessments and standards in regards to data retention and erasure obligations under GDPR, and take steps to assure that we can vouch for their data privacy precautions. We may also have to update existing agreements to reflect revised definitions under the GDPR.
RK: How is complying with GDPR different in scale and scope from complying with US privacy laws (e.g. HIPAA or financial privacy rules)?
AW: In general, the GDPR is more comprehensive and broader in scope than US privacy law due to the way EU member states view privacy – essentially, as a fundamental human right. The GDPR also aims to be a law that standardizes the entire continent’s approach to privacy, whereas the US privacy framework is made up of a patchwork of state, federal and industry-specific law – which is why information subject to, say, healthcare (HIPAA) has different protections than information subject to financial regulation (GLBA,FCRA, etc.).
Among the other big differences is the way in which the GDPR treats cross-border data transfers. If you’re in the EU and send data to a country that is not subject to the GDPR, you must have assurances that the receiving country takes privacy precautions that meet or exceed those imposed by the GDPR. It will be surprising to no one to learn that the US does not rise to this threshold, which is why companies have to become GDPR-compliant in the first place.
A final difference worth mentioning is the severity of sanctions that may be leveled for failures to comply. Countries that violate the GDPR cross-border transfer laws are subject to fines theoretically up to 4% of their total annual revenue, though it’s yet to be seen whether fines in practice will be this harsh.
RK: The GDPR goes into effect on May 25, 2018. How long should a US-based SaaS company budget to get into compliance?
AW: It really just depends. The responsibility of companies under GDPR are more specific, broader in scope and come with greater consequences than other privacy laws in the US. Compliance efforts and requirements depend on the nature of your business, geography of your services, the data you are processing, and the nature of your relationships with the people whose data you possess. Some companies will have minor tweaks to contracts and processes and be ready in weeks while others may need over a year to comply.
Regardless of timeline, it’s clear that the GDPR stands to impact software businesses both in the US and abroad. And it’s more important now than ever before to prepare your company and team to ensure a smooth transition when the new regulations go into effect this coming spring.
How do you plan to prepare? Let us know in the comments.