An article written by Olivier Proust.
Startups are at the heart of the new digital economy. They contribute to the growth of the digital economy by developing new products and technologies, and offering new services to users. One thing all innovative companies have in common is: data. Whether you are developing a new web platform or a mobile app, or providing a new service to your customers, you are necessarily collecting personal data. Companies collect, process and analyse personal data continuously to develop their products and services, and market them to their customers and buyers. Data is at the heart of any company’s business.
As a result, start-ups need to think about privacy compliance at an early stage in the development of their business. Failing to address this issue in a timely and structure manner constitutes a risk, which can have serious consequences for your company.
Why is privacy important?
- Data protection laws in Europe and the rest of the world are rapidly evolving. In Europe, a new Data Protection Regulation will soon come into force, which will impose new obligations on controllers and processors, increase the rights of individuals and strengthen the enforcement powers of the national data protection authorities.
- In a globalized economy, data is continuously being transferred, accessed and stored in different locations around the world. Companies must therefore comply with the data export restrictions that apply in many countries.
- Data protection law concerns all organizations, regardless of their business sector, size or structure.
- Privacy is a hot topic. When something goes wrong, it makes the headlines.
- Companies are either developing or using new products, services and technologies that rely heavily on the collection and use of personal data.
- You don’t have a choice! It’s the law.
What are the benefits of complying with data protection laws?
Complying with data protection laws will help start-ups to:
- Be transparent both internally and externally with regard to how they collect and process data.
- Reduce the risks of violating the privacy of individuals.
- Increase the trust of their customers, their users and the national regulators.
- Be more competitive and limit the risk of reputational damage.
- Use the data effectively.
- Streamline their internal processes and data processing operations.
- Save time, money and management efforts in the long term.
- Be more attractive to investors.
What are the risks if strat-ups don’t comply with privacy laws?
- The national data protection authorities have enforcement powers. They can investigate your company and inspect your processing activities.
- They can also pronounce fines or other sanctions (such as an order to cease the processing), which can have a disruptive effect on your business.
- Companies can be “named and shamed”, which can cause serious reputational damage to your business.
- Bad publicity can also have undesired effects: the CEO of a company may need to resign, loss of business, unwanted exposure in the press, etc.
- Individuals know their rights and litigation is on the rise with the number of privacy law suits increasing each year.
What must strat-ups do to comply with privacy laws?
At the beginning of any new project, you need to carry out a privacy assessment; which will help you to:
- analyse the scope of the processing: purpose(s) of the processing, individuals whose data is collected, types of data that are collected, data transfers involved, etc.
- assess the potential impact of the processing on the privacy of individuals and any risks that are associated with the processing activities.
- identify the legal restrictions (if any) that may apply to your processing operations.
- identify and prioritize the key compliance measures that you need to implement in order to comply with privacy laws.
- mitigate the risks of non-compliance (fines, sanctions, reputational damage, etc.).
Therefore, by integrating privacy compliance into your project from the start, this will give more credibility to your project, attract more investors and increase the trust of your future customers and users.
About Olivier Proust
Olivier Proust is a European-qualified lawyer specialized in privacy, data protection and cybersecurity law and a member of Fieldfisher’s Privacy, Security & Information Law group.
He assists companies of all sizes and across sectors to comply with European data protection laws. He has successfully assisted international organizations on a whole range of privacy and data compliance issues, such as conducting privacy impact assessments, adopting a sustainable data management strategy, implementing appropriate measures for transferring personal data globally (e.g., intra-group data transfer agreements, binding corporate rules, model clauses, Safe Harbor) and implementing global privacy policies.
Olivier also assists companies on various cybersecurity issues (such as complying with data breach notification requirements or implementing a data breach notification response plan) and assists companies to draft data protection and security clauses in their service provider agreements. He also advises companies on various aspects of technology law (privacy-by-design, cloud computing, social networking, geolocation), e-commerce and consumer protection (website compliance, direct marketing, cookies), and employee privacy rights (whistleblowing, employee monitoring, corporate investigations, e-discovery requests).