Previously we started to talk about the chaos this law brought with it. We talked about its scope and the difficult part for a business. Although this law has been around for a long time, it still caught many companies having to approach the subject with last-minute changes and adaptations to their business. The thing most businesses complain about is that "it is a really complicated subject", and because of this they are not able to adapt to the law in time. On the other side, bigger companies are better prepared because they have hired a complete team to take care of it: handling all the updates, protecting data, and making sure to comply with the GDPR.
But what about businesses like startups or SMEs (pymes)? Well, this is a great question, and even though we always advise getting help from a legal department, just to be sure you and your company do not end up in an uncomfortable situation, we want to bring you our particular tips that you could apply to your startup.
At first, the focal point was on the structures, but now European regulations focus instead on the customers and users, and are based on three principles: responsibility, data protection, and transparency.
Talking about responsibility: we have to point out that organisations have to prove that they comply with all regulations for the processing of personal data. On this subject (personal data), you have to take it into consideration as an essential part of re-designing a business, product, activity or service.
Getting into transparency: you have to take time to re-write your legal notices and cookie policy. The text that appears on your platform or website needs to be simple, comprehensive, and easy to read for anybody. As a company, it is your duty to make the legal texts you have easier to understand. It is essential to be specific and simple, and not to leave any doubts about the processing of your customers' information.
If you still need more tips to complete your training in this subject, you should not forget these ones: purpose, consent, information, impact assessment, and certifications.
But let's get into a bit more detail. About the purpose: regulations establish the need to identify precisely why you need to process the personal information you might receive from your client or customer.
Besides, it is required of the person or adviser in charge of personal data (this can be an external or internal DPO) to plan what is going to happen with the future processing of customers' and clients' personal information. Your DPO also has to anticipate these changes and modifications and inform customers of them. That way, clients will be able to give their consent to your company. This is a tricky situation, because your DPO has to anticipate all of this and the available options, and inform customers and users before it happens, so that they in turn can give their consent.
And speaking of which (consent): it has to be free, specific to the information being given away, and unequivocal. For example, if you have a form on your website or platform where you ask your customer for personal information, you will have to specify how that information is going to be processed. You have to let your customer know if you are going to use their information for campaigns, for email marketing or any other use you are planning to make. And as we said before, that customer or user has to give you their permission.
And now let's move on to information. As we said before, this part has to be broader. That is to say, the user or client cannot have any doubts about any of the information you have on your platform. Your platform has to be clear, comprehensive, and easy to access.
So let's move on to the impact assessment: this one will provide the methodology that will allow you to evaluate the risks to personal data. In this way, you will be able to adapt and transform the changes you might have to make, or get rid of them.
And lastly, it is possible that in the near future the EU will create seals and certifications that allow companies to prove officially that they comply with the GDPR.