Share

The Ultimate Privacy Compliance Guide

February 4, 2022

The Legal Nodes Team presents the Ultimate Privacy Compliance Guide for UK and European businesses

Privacy, Data Protection, GDPR, these words all seem only one step away from becoming the latest buzzwords for businesses. So, what is all the fuss about it anyway? Do any of these things concern your organisation at all?

This guide to privacy compliance will cover four key topics:

  • Who needs privacy compliance
  • Why a business would need it
  • Which country has the authority to enforce it
  • How businesses can become compliant

Does My Business Need Privacy Compliance?

Almost all companies now collect personal information to some extent. Privacy laws deal with the protection of personal identifiers, such as a name, email or IP address (personally identifiable information), as well as with any information about individuals that you collect (personal data).

Personal data includes website traffic, log, or cookie data, and all possible website accounts, public profiles, event registration and contact forms. Details of employees processed in electronic form also count as personal data.

Examples of companies that need privacy compliance are:

  • SaaS providers that either collect information from its users directly or receive sets of collected data from the clients;
  • E-Commerce companies that have a website with registration, order or contact form;
  • Companies that use analytics or cookies on their sites;
  • Employers with regard to details, work performance level, and legal information (e.g., sick leave records) about their employees.

If your company collects any of the above-mentioned types of information, you will need to comply with data protection regulations.

Examples of companies that need privacy compliance are:
What companies need privacy compliance

Why Do Companies Need Privacy Compliance?

Ok. So, my company collects personal information, why do I need to be compliant??

It is reasonable to expect each individual to want to protect their assets, and in the 21st century, data is turning out to be one of the most valuable assets you might have. It is unsurprising, therefore, that individuals take the use and abuse of their data seriously.

Non-compliance may cost your business 2.5 times more than putting all the relevant measures in place. Here is why:

  • Winning clients without privacy compliance can prove difficult. B2B clients that want to use SaaS for customer data processing may only consider providers that have necessary data protection safeguards;
  • Investment attractiveness is impacted by compliance status. Investors looking to secure their assets in a new venture will evaluate the data protection compliance of the startup before any investments are made. Revealing non-compliance may cost a startup investment, or its 30% discount;
  • Listing on Google Play Market or Apple Store. These marketplaces require their vendors to have a Privacy Policy and secure users data;
  • Fines and regulatory sanctions. For example, for breaching GDPR rules, you can get a penalty of up to 4% of the business’s annual turnover or €20m. Moreover, the EU and the US authorities are authorised to impose temporary or permanent bans on the company's operations on user data, resulting in an ever-increasing loss of profit.

Finally, privacy is about trust between you and your customers: people are more willing to share their details if they feel their data is being handled securely and that they can trust the provider to protect and respect their data. Breach is not just about wrongdoing, it’s specifically about a breach of trust: a study claims that 78% of respondents do not want to engage with a brand that suffered a major data breach.

Which Privacy Laws Apply To My Business?

Factor 1 - Actual location of doing business

Data protection laws apply based on your actual place of doing business. The country of registration does not play a decisive role: the applicability depends on the office location, employees, bank account, and decision-makers. German law will apply to its activities if a business is registered in South Asia but has its team and computations in Germany.

Factor 2 - Target Market

Some privacy laws apply to your business, even if you are located outside of the country's territory. For example, the European GDPR applies:

  • When you target end-users of your goods or services in the European Union, say, through targeted advertising, providing an EU-language interface or by mentioning EU customers in client references;
  • When you monitor the behaviour of the individuals in the European Union. For example, marketing research activities or analysis of publicly available data about the citizens of one of the EU countries.

Factor 3 - Laws applicable to the business of your client

Additionally, you may want to comply with the country's data protection requirements if you partner with the companies on that territory. B2B businesses, which process customer data on behalf of their clients, can be involved only if they meet local privacy requirements.

Various examples of such B2B partners include CRM, cloud storage, email notification providers, and remote technical support or software development agencies.

How Can My Business Comply with Privacy Laws?

Data protection compliance is a gradual, step-by-step process. Simply drafting a Privacy Policy or encrypting data without a clear map of how to manage data or where to safely store data collected by your company is a bad idea. It’s better to consider an action plan:

  1. Privacy Audit / Assessment. Start with an assessment that allows you to map out all the activities within your company and create a comprehensive picture of data management or, more officially, records of processing activities. To achieve a complete picture, involve all departments that are engaged in data processing: HR, recruiting, marketing, business intelligence, accounting, and even teams involved in software development and technical support. After the mapping, you can assess the risks and determine the measures to address them best.
  2. Internal Policies, Technical and Organisational Protection. Based on your initial assessment, you can start drafting relevant Data Protection Policies and Security Policies and set a procedure for answering data requests from your users. From a technical perspective, cover each data operation by protective measures that prevent a data breach: ensure that you control who can access the data, by two-factor authentications for example. Where applicable, encrypt and mask the data, use antivirus and firewall softwares, and monitor possible threats to data security.
  3. Privacy Kit: User Interface and Privacy Policies. How you interact with users on your website or application is also important. For that, we suggest using a Privacy Bundle, a standardised solution consisting of the Privacy Policy, Cookie Policy, and guidance on a privacy-friendly user interface. For B2B startups, it also includes a Data Processing Agreement to protect data of client companies;
  4. Data Protection Training. Spread privacy culture within your team since human error is the number one cause of personal data breaches. Familiarise your employees with basic privacy concepts and train them to perform their duties in data protection compliance;
  5. Data Processing Agreement. Manage relationships with partner companies that receive customer data from you and sign appropriate data protection agreements. Another critical point is international transfers: if your partners or suppliers are located in another country, this will require additional contractual safeguards, such as Standard Contractual Clauses;
  6. Data Protection Officer. Last but not least: consider whether you need a Data Protection Officer, a professional who oversees the company's data protection compliance. An internal employee or an external contractor can perform this role. Learn more about it in our article on DPOs.
How Can My Business Comply with Privacy Laws?
Steps to comply with privacy laws

Privacy compliance is not just about measures - it is about the mindset of you and your company. If you treat it as a company value, data protection becomes your competitive advantage, and we highly recommend all businesses start seeing it this way.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Vlad is Head of DPO Product @Legal Nodes and a certified (CIPP/E, CIPM, FIP) privacy specialist. He's currently doing a PhD study on the topic of AI and personal data protection.

FEATURED