The Basics About GDPR

So you can sleep better at night

Charlotte Multon
Welcome to The Family

--

Not all of us at The Family are exactly legal experts, which is why we make sure to have some great lawyers around to help us 😉

Just one of our many resources.

And that’s good, because right now we have lots of entrepreneurs asking us about the new GDPR data regulations that are going into effect in May 2018. They’re worried about their cold email campaigns, whether they can store data in Brazil, how to communicate clearly with their users… We knew we had to do something.

So we did one of the things we love best — organize a dinner! Good food, good wine, and great experts around the table with our entrepreneurs, ready to answer their questions and give them a hands-on look at the topic.

We’ve known Adrien Basdevant for years. He’s a brilliant young lawyer who knows the laws of the internet and data like few others. He’s been able to seize business opportunities where everyone else just sees a big mess of trouble, and he also lectures on cybercrime at Sciences Po. His big loves in data? Algorithms and profiles.

Nicolas de Bouville is one of the rare people to have worn the hat of the CNIL and Facebook Privacy Europe. That explains his mix of idealism and pragmatism, which comes in handy with the new GDPR that is both technical (in terms of the rules themselves) and philosophical (in terms of one’s attitude toward users).

The rest of the table was filled with four of our beloved entrepreneurs, running companies at different stages and with different levels of data sensitivity in both B2B and B2C: Rafael from Luko, Hugo from Side, Nicolas from Saagie and Aylic from Heetch.

The goal at the dinner, like this article, wasn’t to synthesize the GDPR legislation — you can find that elsewhere (I linked to some good resources below). It also wasn’t meant to be an individual consultation on specific legal risks. Instead, it was to give the entrepreneurs an idea of the mentality they should adopt to turn data into a real competitive advantage.

(By the way, if you’re looking for specific advice and head for a lawyer, make sure to know exactly what you’re asking them to look at in your business. Otherwise, you’re going to end up with the full package and it’s going to be 💸💸💸)

Your Team

From the time the company is founded, one of the cofounders should be responsible for data — essentially, you should always have someone who is the “data owner” within the company. That way, you can have a process in place to log and store data from the very beginning.

[For French companies, you can find info on this with the CNIL; for European companies you can find a decent template here.]

This will give you a good map of how you’re using data and let you see whether any of it is considered “sensitive” (sex, age…). Anytime your business is using sensitive data, you want to have a clear explanation ready describing its “legitimate interest” to your business, meaning that you are really using that data to improve your UX or your service.
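To make the “map” concrete, here is an added example (not code from the article or from The Family) of the kind of data inventory a data owner can keep from day one, with a check that every field carries a documented purpose, a legal basis and a retention period, and that anything flagged as sensitive has its legitimate interest written down. The field names, categories, retention periods and the ride-sharing scenario are constructed for illustration, and the set of “sensitive” categories is an assumption used only to flag fields for a closer look, not a legal definition.

```python
"""Added example: a minimal data map with an audit that reports what a data
owner would have to fix before showing the map to a regulator.
All fields, purposes and periods below are constructed for illustration."""

from dataclasses import dataclass

# Assumption: categories worth flagging for a closer look (not a legal list).
SENSITIVE_CATEGORIES = {"health", "sex", "age", "location"}


@dataclass
class DataField:
    name: str
    category: str                 # e.g. "contact", "age", "location"
    purpose: str                  # why the company processes this field
    legal_basis: str              # e.g. "consent", "contract", "legitimate interest"
    retention_days: int           # 0 means no retention period documented
    legitimate_interest: str = ""  # explanation required when the field is sensitive


def is_sensitive(f: DataField) -> bool:
    return f.category in SENSITIVE_CATEGORIES


def audit_data_map(fields):
    """Return (field name, problem) pairs for every gap in the inventory."""
    problems = []
    for f in fields:
        if not f.purpose.strip():
            problems.append((f.name, "no documented purpose"))
        if not f.legal_basis.strip():
            problems.append((f.name, "no legal basis"))
        if f.retention_days <= 0:
            problems.append((f.name, "no retention period"))
        if is_sensitive(f) and not f.legitimate_interest.strip():
            problems.append((f.name, "sensitive field without a legitimate-interest explanation"))
    return problems


# Constructed data map for a hypothetical ride-sharing app.
SAMPLE_DATA_MAP = [
    DataField("email", "contact", "account login and receipts", "contract", 365 * 3),
    DataField("birth_date", "age", "verify the user is an adult", "legal obligation",
              365 * 3, legitimate_interest="drivers must be 18 or older"),
    DataField("gps_trace", "location", "", "consent", 30),          # purpose never written down
    DataField("newsletter_opt_in", "marketing", "send product news", "", 0),  # no basis, no retention
]

if __name__ == "__main__":
    for name, problem in audit_data_map(SAMPLE_DATA_MAP):
        print(f"{name}: {problem}")
```

Running it lists the two fields that would not survive a first conversation with a regulator: the GPS trace has no documented purpose and no legitimate-interest explanation, and the newsletter flag has neither a legal basis nor a retention period.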

The DPO

Before, having a data protection officer was only needed once your company reached 50 employees. Now it will be obligatory for everyone, even if you’ll only really need to think about appointing one when you reach 20–30 employees. At that point, the DPO needs to be independent from top management, even if they report directly to the founders. Before that you can just designate one of the co-founders to take care of data as part of their daily chores.

When you do name a DPO, it should be someone in the company who enjoys topics surrounding IT security, data and the handling of data.

Not to be overly stereotypical, but probably not this guy.

For example, at Side they’re currently in the process of putting one of their operations developers in charge as DPO — someone they all recognized as a natural fit for the position.

What does the DPO do?

  1. They have the right to look at how all data is used throughout the company.
  2. They should educate people within the company on the importance of data; for example, they could develop a data training program for all employees.
  3. They have a role in marketing your use of data to outsiders, most notably your users. This could be as simple as a Medium article explaining how data is used at Heetch, for example.
  4. Since the DPO will certainly be technically minded, and will likely be the CTO for very early-stage companies, they will have a role in constructing the tech infrastructure and adhering to Privacy by Design.

Your Users

More than worrying about legal risks (which really exist primarily when you’re selling your company or generating a lot of revenue), the new GDPR rules are an opportunity to create a new relationship with your users, adopting proactive and healthy data measures. It’s kind of like a bit of spring cleaning to get everything sparkling.

Take care of your users (and their data).

This is important, because the regulators are going to be looking much more at your attitude and your desire to treat your users — and their data — well, than at a 100% literal application of the rules.

An example of pragmatism in data came from a question by Luko, which collects data on electricity usage. When they collect information on a household’s electricity usage, or follow a user’s mouse movements on the screen, they strip out all information that could identify that user before sending it to a subcontractor. In that case, is it still personal data, given that it’s impossible to connect the data back to the original user?

As our experts noted, truly anonymous data is practically impossible. That’s why a pragmatic approach and good faith are key. Recognizing that data should be treated with care is the first step to respecting your users. If you act in good faith, always trying to improve little by little, regulators aren’t going to be overly harsh. (And don’t forget that the regulators are going to have to adapt to the new GDPR rules as well.)
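The experts’ point that stripping identifiers rarely yields truly anonymous data can be seen in a few lines of code. The following is an added example, not code from the article and not Luko’s actual pipeline: it removes the user identifier from constructed electricity-usage readings, then measures k-anonymity over the remaining quasi-identifiers (postcode and birth year) and refuses to hand the data to a subcontractor while any record is still unique. The records, postcodes and the k target of 2 are all constructed assumptions.

```python
"""Added example: why removing the user id does not make usage records
anonymous, and a guard that generalizes the data or refuses to send it.
All readings below are constructed for illustration."""

from collections import Counter

# Constructed readings: one direct identifier (user_id), two quasi-identifiers
# (postcode, birth_year) and the measurement itself.
READINGS = [
    {"user_id": "u-1", "postcode": "75011", "birth_year": 1984, "kwh": 12.4},
    {"user_id": "u-2", "postcode": "75011", "birth_year": 1988, "kwh": 9.8},
    {"user_id": "u-3", "postcode": "75012", "birth_year": 1984, "kwh": 15.1},
    {"user_id": "u-4", "postcode": "75011", "birth_year": 1984, "kwh": 11.0},
    {"user_id": "u-5", "postcode": "69003", "birth_year": 1975, "kwh": 20.3},
]

DIRECT_IDENTIFIERS = {"user_id"}
QUASI_IDENTIFIERS = ("postcode", "birth_year")


def strip_direct_identifiers(records):
    """The step the article describes: drop fields that name the user."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group size over the quasi-identifier combination.
    k == 1 means some record is unique, so anyone who knows a person's
    postcode and birth year can pick out that person's reading."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def generalize(records):
    """Coarsen the quasi-identifiers: keep only the department part of the
    postcode and bucket birth years into decades."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def prepare_for_subcontractor(records, k_required=2):
    """Strip identifiers, generalize if needed, and raise rather than send
    data that is still re-identifiable (assumption: k_required=2)."""
    data = strip_direct_identifiers(records)
    if k_anonymity(data) >= k_required:
        return data
    data = generalize(data)
    if k_anonymity(data) >= k_required:
        return data
    raise ValueError("records remain re-identifiable; do not send as-is")


if __name__ == "__main__":
    print("k after stripping ids:", k_anonymity(strip_direct_identifiers(READINGS)))
    try:
        prepare_for_subcontractor(READINGS)
    except ValueError as exc:
        print("refused:", exc)
    print("sent:", prepare_for_subcontractor(READINGS[:4]))
```

With all five readings, stripping the id leaves three unique records and even the decade/department generalization leaves the Lyon household alone in its group, so the guard refuses. With the four Paris readings the generalized set reaches k = 4 and can go out. The practical lesson matches the dinner discussion: document the check you ran, not just the fact that you deleted a column.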

Change is hard for everyone.

But do note that with the new regulations in place, the burden of proof is going to be on founders and companies to prove that they are in compliance, whereas before (at least in France) it was the CNIL who had to tell you why you weren’t in compliance.

That’s the logic behind, for example, the new rule on data breaches: any data breach must be reported within 72 hours, which means you need to have a good map of your system on hand before any problems come up so that you can respond quickly.

Nicolas pointed out several times during the dinner that the goal of the legislation is to emphasize TRANSPARENCY 😃 and CARE 💖 in how you use personal data from your USERS 👥 . Keep that in mind.

Your Contractors

Our entrepreneurs had lots of questions about their relationships with contractors and subcontractors. For example, Side works with American companies that must access part of the personal data that they have for their users. How should they handle those relationships?

The basic response was that there are two relationships: one with a small subcontractor and one with a big (typically American) company.

  • For a small subcontractor, the biggest issue is protecting data in case of a data breach or hack caused by that subcontractor. In that case, the key will be showing the regulators exactly what procedures you put in place to avoid that kind of situation. If you haven’t started working with a particular subcontractor yet, it would be a good idea to put a personal data clause (dealing with confidentiality, availability, etc.) into your contract with them.
  • When working with big companies, most of them have ratified the Privacy Shield: an agreement between the U.S. and E.U. that also deals with enforcement. In that case, it is the FTC and the DOC who are responsible for verifying that those companies are in compliance.

Your UX

You want to build an infrastructure that is USER FRIENDLY and DATA FRIENDLY. “Privacy by Design” essentially means that companies need to take data privacy into account during the design stages of all projects, including the lifecycle of the relevant data.

On the back end, that doesn’t necessarily mean heavy infrastructure with everything encrypted. It simply means keeping a record of what happens to data at every stage and respecting common-sense best practices, like never storing user passwords in plain text.
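For the one best practice the paragraph names, here is an added example (not code from the article or from The Family) showing the plaintext storage it warns against next to a salted, deliberately slow hash that a two-person team can ship on day one using only Python’s standard library. The record format (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are assumptions to be tuned for your own hardware; the user store is an in-memory dict standing in for a database.

```python
"""Added example: plaintext password storage (the "before") beside
PBKDF2-HMAC-SHA256 with a per-user salt (the "after")."""

import hashlib
import hmac
import os

# --- Before: what "storing passwords in plain text" looks like. A database
# dump, a backup, or a log line leaks every password as-is.
def store_plaintext(users: dict, username: str, password: str) -> None:
    users[username] = password

def check_plaintext(users: dict, username: str, password: str) -> bool:
    return users.get(username) == password


# --- After: a slow, salted hash. The stored string records its own
# parameters so the iteration count can be raised later without a migration.
ITERATIONS = 200_000   # assumption: raise this as far as your login latency allows

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)            # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, password: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                          # malformed record: never "accidentally" valid
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so response timing does not reveal how many
    # bytes of the digest matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def store_hashed(users: dict, username: str, password: str) -> None:
    users[username] = hash_password(password)

def check_hashed(users: dict, username: str, password: str) -> bool:
    stored = users.get(username)
    return stored is not None and verify_password(stored, password)


if __name__ == "__main__":
    db = {}
    store_hashed(db, "alice", "correct horse battery staple")
    print(db["alice"])                                   # no trace of the password
    print(check_hashed(db, "alice", "correct horse battery staple"))  # True
    print(check_hashed(db, "alice", "wrong"))                         # False
```

Two things to notice: hashing the same password twice yields different records because of the salt, so a leaked table cannot be attacked with one precomputed list for all users; and the verifier rejects malformed records outright rather than treating them as a match.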

On the front end, you don’t want Terms and Conditions that go on forever in some obscure legal language that no one understands. The rule of common sense comes in again — you want to explain everything using clear, simple language. As a great example of this, check out Pinterest’s T&C:

Pretty. Obvious. Written by a human being.

Still have questions? Obviously you do, this is a topic that takes time and more than a little bit of effort to figure out. Check out these resources to up your knowledge even further:

  • Probably the best paper by Salesforce to sort out the true from the false on GDPR
  • Segment and the GDPR blog article: Segment (Analytics API & Customer Data platform) shares best practices on enforcement of the GDPR, from automatic suppression features to UX, through their own use cases.
  • Another practical guide to actionable things to implement tomorrow in your company.
  • A more exhaustive look at what you need to do to prepare yourself for GDPR.
