💻

GDPR Compliance

Data protection and cyber security is a vital part of ESG-compliance. Data is extremely valuable to every business and therefore must be handled and protected properly. The European GDPR (General Data Protection Regulation), which manages the sustainable and responsible handling of private data, has been conveyed in national data protection laws, for example, the DSGVO (Datenschutz-Grundverordnung) in Germany.

1.1. GDPR Compliance

What is the GDPR and what scope does it have?

For an overview of the GDPR, its scope, and general guidance refer to

🔐

Data Protection

How to handle GDPR compliance?

Depending on the size of your company and industry, or what kind of data you process, there are three different approaches founders can take to handle GDPR compliance.

‣

In-house

The simplest way is to deal with data protection in-house. This might be the best approach for your company as long as your data flow has a manageable extend.

‣

Software

There are numerous software solutions available that help you to digitalise your data handling and becoming compliant to applicable regulation.

Suitable providers include the following: heyData, secjur and Vanta

‣

Agency

Another option would be to contract an agency to take care of your data protection. While this might get a bit costly, it allow you to fully outsource GDPR compliance.

Our Agency: Simpliant ; Contact: Steffen Gross steffen.gross@simpliant.eu

Generally, startups can follow available checklists to determine their data protection needs. The To-Do’s can be divided into four sections:

‣

Lawful basis and transparency

What information do you have and who handles it?
Is your data processing legally justified?
Have you stated your way of handling data in your privacy policy?

‣

Data security

Anonymize data whenever possible.
Raise awareness within your team.
Create a data protection impact assessment.
Know how to notify the authorities in the case of a data breach.

‣

Accountability and governance

Make someone responsible / assign a Data Protection Officer.
Make third parties undersign a data processing agreement.

‣

Privacy rights

Third parties have a right to see what information about them you have and how you are using it. Make it easy for third parties to review this information, update it or delete it.
Be prepared to offer copies of these data sets.
If you make use of automatic data handling, be sure that your processes do not conflict with legitimate interests (e.g. equality).

The official checklist is available here:

GDPR compliance checklist - GDPR.eu

Use this GDPR compliance checklist to plan your organization's data privacy and security measures. Document your steps to show compliance.

gdpr.eu

Another checklist can be found here:

GDPR Checklist

Cookie Manager Privacy is important to us, so you have the option to disable cookies that may not be necessary for the basic functionality of our website. Please note, blocking categories may impact your experience on our website. View our Cookie Policy for more info.

www.vanta.com

Best Practices for an early adoption

Appoint a data protection officer
Classify all data
Implement an Application Tracking System (ATS) as soon as possible
Train employees in GDPR
Document, maintain and enforce privacy policies, procedures and processes
Complete a privacy impact assessment
Test data breach response procedures