1 August, 2024

GDPR for startups: How to start

intellectual property
8 minutes

GDPR in Ukraine… For many startups, this phrase sounds like something distant and incomprehensible. Why wade into this legal jungle when the main principles of data protection can be explained in simple words? And does the GDPR apply to startups in Ukraine at all? After all, these are rules for industry giants, right? Today we will debunk the most common myths about the GDPR and show that this topic is relevant even for small companies that want to grow and conquer the world.

Section 1: Does your startup need GDPR?

You already know that GDPR is not just about big corporations. But how do you know if these rules really apply to your startup? Do you need to implement GDPR for your website if you are just starting out in the online business? And what about GDPR for an online store – are there any peculiarities? In this section, we’ll take a look at the most common questions startups have about the GDPR and help you decide whether you need to take action today.

1.1. Is it necessary to implement the GDPR if my startup works only with users from Ukraine?

Many Ukrainian startups mistakenly believe that the GDPR does not apply to them because their activities are focused exclusively on the territory of Ukraine. At first glance, the logic makes sense: the law was adopted by the European Union, so it should apply only there. However, it is not so simple. The GDPR is extraterritorial: under Article 3(2) it applies to controllers and processors outside the EU whenever they process personal data of people who are in the EU (data subjects located in the EU, not only EU citizens) in connection with offering them goods or services or monitoring their behaviour. GDPR for a website or online store therefore becomes mandatory if you:

  • Offer goods or services to people in the EU. Even if your startup is physically located in Ukraine, if you sell goods or provide services to users in the EU through your website or online store (whether or not payment is required), you are required to comply with the GDPR.
  • Use cookies and other tracking technologies on your website. If your website is visited by users from the EU, you must obtain their clear and unambiguous consent before setting cookies that are not strictly necessary for the website to function, and that consent must meet the GDPR standard: freely given, specific, informed, and given by an affirmative action.
  • Monitor the behaviour of data subjects located in the EU. This applies, for example, to startups that analyse user behaviour, serve targeted advertising, or develop mobile applications with geolocation.

Which websites and online stores are subject to the GDPR?

  • Websites and online stores that offer goods or services to people in the EU. Merely being reachable from the EU is not enough; accepting payment in euros, offering an EU-language version of the website, or mentioning EU customers or delivery to EU countries are the kind of signals that show you are targeting the EU market.
  • Websites and online stores that specifically target their advertising at people in the EU.
  • Websites and online stores that use cookies and other tracking technologies to collect data about users in the EU.

What happens if you ignore the GDPR?

Ignoring the GDPR can lead to serious consequences for your startup, even if it is based in Ukraine. EU data protection authorities have the right to impose significant fines for GDPR violations – up to €20 million or 4% of the company’s total worldwide annual turnover for the previous financial year, whichever is higher.

In addition to fines, there are other unpleasant consequences:

  • Reputational damage and loss of customer confidence.
  • Lawsuits from data subjects.
  • Prohibition on personal data processing.

Therefore, even if your startup does not yet serve users in the EU, it is worth building GDPR practices in now. This will help you avoid risks in the future and make your business more attractive to investors and partners.

1.2. GDPR for mobile games: is it necessary to obtain consent to data processing if the game is intended for children?

Mobile gaming is not just entertainment, but also a full-fledged business that often handles a huge amount of users’ personal data. Although GDPR for mobile games may seem too complicated and remote from everyday reality, it should never be ignored. Developers of games for children should be especially careful, as the GDPR sets higher requirements for the protection of children’s data.

Why is GDPR important for mobile games?

Mobile games collect a variety of data about their users, including:

  • Identity data: name, email, nickname, date of birth, profile photo.
  • Contact information: phone number, address.
  • Technical data: IP address, geolocation, device type, operating system.
  • Usage data: game history, in-app purchases, interaction with advertising.

All this information is personal data under the GDPR, and game developers are obliged to ensure that it is stored and processed lawfully and securely.

GDPR specifics for games intended for children

If your mobile game is aimed at children, you need to comply with additional GDPR requirements. Where you rely on consent to process a child’s data for an online service offered directly to the child, Article 8 requires that the consent be given or authorised by the holder of parental responsibility for children under 16 (EU member states may lower this age, but not below 13), and that you make reasonable efforts, taking available technology into account, to verify that authorisation. In addition:

    1. Develop a clear and understandable privacy policy.
      • Language: Use simple, clear language; avoid legal terms and complex wording. Remember that your policy should be understandable not only to lawyers but also to ordinary users, including children and their parents.
      • Accessibility: Place the privacy policy in a prominent place, for example, on the main screen of the game or in the settings menu. Provide easy access to it at any time.
      • Informativeness: Specify what data you collect, for what purpose you process it, how long you store it, and to whom you may transfer it.
      • Transparency: Explain what technologies are used to collect data (e.g., SDKs, advertising identifiers, cookies) and how users can manage them.
      • Contact information: Provide contact details where users can reach you with questions about data protection.
    2. Implement mechanisms to obtain consent for data processing.
      • Clarity and unambiguity: The request for consent must be clear and unambiguous. Do not use vague language or pre-ticked boxes. The user must actively consent to each type of data processing.
      • Informed: Before asking for consent, give the user all the necessary information about what data you are collecting and how you plan to use it.
      • Separability: Ask for consent for each purpose separately. Do not bundle consent requests with other terms and conditions.
      • Voluntariness: The user must be able to refuse consent without losing access to the core game, and to withdraw it at any time as easily as it was given.
      • Parental authorisation: For children below the applicable age of digital consent, obtain the consent from a parent or guardian and keep a record of how that authorisation was verified.
    3. Ensure secure storage and processing of user data.
      • Technical measures: Use modern encryption, protection against unauthorised access, and other measures to ensure data security.
      • Organisational measures: Develop internal policies and procedures for data processing and limit the number of people who have access to the data.
      • Data minimisation: Collect and store only the data that is truly necessary to achieve the stated purposes. Don’t keep data longer than necessary.
      • Regular review and updates: Periodically review and update your security measures to reflect new threats and technologies.
    4. Enable users to exercise their rights under the GDPR.
      • Inform: Inform users about their rights regarding their data, such as the right to access, rectification, erasure, restriction of processing, etc.
      • Procedures: Implement clear and transparent procedures that allow users (and, for children, their parents) to easily exercise these rights.
      • Timeliness: Respond to requests in a timely and efficient manner.
    5. Adapt the game for a children’s audience.
      • Age screening: Decide and state clearly which age group the game is for, and use an age gate to route children below the age of digital consent to the parental-consent flow rather than to the ordinary consent screen.
      • Design and content: Adapt the design and content of the game to the age of the target audience: a simple interface and clear characters and storylines. This is good practice rather than a GDPR requirement in itself, but it supports the transparency obligations above.
      • Safe environment: Provide a safe gaming environment for children, free from inappropriate content, cyberbullying, and other threats.

GDPR compliance is not just a legal formality, but an investment in your business’s reputation and user trust. And when it comes to children, it’s also your responsibility to keep them safe online.

Section 2: GDPR in practice: from words to deeds

We’ve already explained why GDPR is important for online startups. Now let’s move from theory to practice. In this section, we’ll look at specific steps that will help you implement GDPR requirements for your website or app and ensure the security of your users’ data. You’ll learn how to comply with the GDPR on your own, without hiring expensive consultants, and avoid common mistakes that can cost you dearly.

2.1. GDPR audit on your own: is it realistic for a startup and how to avoid common mistakes?

Implementing GDPR may seem like a complicated and costly process, especially for startups with limited resources. Many people believe that GDPR audit is only possible with the help of expensive consultants. However, this is not entirely true. Startups can conduct an initial GDPR audit on their own, saving money and gaining a deeper understanding of the specifics of this regulation. The key is to understand the key aspects and avoid common mistakes.

Is it possible to conduct a GDPR audit on your own?

Yes, it is! Especially if your startup hasn’t yet managed to grow to the scale of a corporation, and you’re ready to spend some time learning about GDPR and analyzing your own business processes. A self-audit will allow you to:

  • Save money: you won’t have to pay external consultants.
  • Take a deeper look at the GDPR: you will study the regulation and its requirements in detail, rather than just receiving a formal report.
  • Better understand your own business processes: during the audit, you will analyse how your startup collects, stores, and processes personal data.
  • Develop an individual approach: you can adapt the GDPR to the specifics of your startup and avoid unnecessary measures.

Here is a step-by-step guide to conducting a GDPR audit on your own:

Step 1. Form a team and assign responsibilities.

Even if your startup is small, it’s best to involve several people from different departments who know their areas of work and data processing processes best. Assign someone responsible for coordinating the process and collecting information.

Step 2. Identify the types of personal data you process.

Analyze all your business processes and determine:

  • What categories of personal data you collect and process (e.g., name, email, phone number, IP address, purchase data, etc.).
  • For what purpose you process each type of data.
  • Where you get the data from (e.g., registration forms, cookies, third-party services).
  • How long you store the data and how you protect it.

Step 3. Analyze the legal basis for data processing.

The GDPR allows you to process personal data only if you have a lawful basis under Article 6. The most common grounds are:

  • Consent of the data subject: the user must clearly and unambiguously consent to the processing of his or her data for each specific purpose.
  • Performance of a contract: the processing is necessary for the conclusion or performance of a contract with the data subject.
  • Compliance with a legal obligation: the processing is required by law (for example, keeping invoices for accounting purposes).
  • Protecting the vital interests of the data subject: processing is necessary to protect the life or health of the data subject or another person.
  • Legitimate interests of the controller or a third party: the processing is necessary for the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject. Document the balancing test you performed.

Make sure you have identified and documented one lawful basis for each processing purpose, and do not rely on consent where another basis (such as performance of a contract) actually applies, because consent can be withdrawn at any time.

Step 4. Check compliance with data subjects’ rights.

The GDPR provides data subjects with a number of rights, including:

  • The right to access their data.
  • The right to have inaccurate data corrected.
  • The right to have their data erased (“right to be forgotten”).
  • The right to restrict the processing of their data.
  • The right to data portability.
  • The right to object to the processing of their data.

Make sure you inform users about their rights and provide mechanisms for exercising them.

Step 5. Analyze the risks and implement security measures.

Identify the data security risks that may arise during data collection, storage, and processing. Implement appropriate technical and organisational measures (Article 32) to minimise these risks, such as:

  • Data encryption.
  • Protection against unauthorized access.
  • Data backup.
  • Training of employees on data protection issues.

Step 6. Document all processes and activities.

It is important not only to implement the GDPR, but also to document all your actions and decisions. This will help you to:

  • Prove your GDPR compliance in case of an inspection.
  • Systematise knowledge and processes within the startup.
  • Adapt more easily to changes in legislation or in your business.
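Steps 2, 3, 5 and 6 together amount to a register of processing activities that you can check mechanically. As an added example (not code from the original article), the script below lints such a register: every activity must name a purpose, an Article 6 lawful basis and a retention period; legitimate interests need a documented balancing test; special-category data needs an Article 9 condition; consent from children needs a parental-authorisation mechanism; and each activity must evidence a baseline set of security measures. The field names, the baseline security set and the four sample activities are constructed for illustration and are not taken from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Article 6(1) lawful bases (the article lists five; "public_task" is the sixth)
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
# Article 9 special categories; the labels are our own, not legal terms
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "racial_or_ethnic_origin",
                      "political_opinions", "religious_beliefs", "sexual_orientation"}
# Assumed baseline every activity should be able to evidence (Article 32 is not this specific)
BASELINE_SECURITY = {"encryption_in_transit", "encryption_at_rest", "access_control", "backup"}


@dataclass
class Activity:
    """One row of the record of processing activities (Step 2 of the audit)."""
    name: str
    data_categories: Set[str]
    purpose: str
    lawful_basis: str
    source: str
    retention_days: Optional[int]
    security_measures: Set[str] = field(default_factory=set)
    recipients: Set[str] = field(default_factory=set)
    subjects_may_be_children: bool = False
    art9_condition: Optional[str] = None      # e.g. "explicit_consent"
    lia_documented: bool = False              # legitimate-interests assessment on file
    parental_consent_mechanism: bool = False


def lint_activity(a: Activity) -> List[str]:
    """Return audit findings for one activity; an empty list means nothing to fix."""
    findings = []
    if a.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{a.name}: '{a.lawful_basis}' is not an Article 6 lawful basis")
    if not a.purpose.strip():
        findings.append(f"{a.name}: no purpose stated")
    if a.retention_days is None:
        findings.append(f"{a.name}: no retention period defined")
    if a.lawful_basis == "legitimate_interests" and not a.lia_documented:
        findings.append(f"{a.name}: legitimate interests claimed without a documented balancing test")
    if a.data_categories & SPECIAL_CATEGORIES and a.art9_condition is None:
        findings.append(f"{a.name}: special-category data without an Article 9 condition")
    if (a.lawful_basis == "consent" and a.subjects_may_be_children
            and not a.parental_consent_mechanism):
        findings.append(f"{a.name}: consent from children without a parental-authorisation mechanism")
    missing = BASELINE_SECURITY - a.security_measures
    if missing:
        findings.append(f"{a.name}: missing baseline security measures {sorted(missing)}")
    return findings


def lint_ropa(activities: List[Activity]) -> List[str]:
    """Lint the whole register; the output is the report you file under Step 6."""
    return [f for a in activities for f in lint_activity(a)]


# Constructed sample register for a small online store that also ships a kids' game
SAMPLE_ROPA = [
    Activity("order_fulfilment", {"name", "address", "email"}, "deliver purchased goods",
             "contract", "checkout form", 3650, set(BASELINE_SECURITY), {"courier"}),
    Activity("newsletter", {"email"}, "send marketing emails", "consent", "signup form",
             None, {"encryption_in_transit", "access_control"}, {"email_provider"}),
    Activity("kids_game_analytics", {"device_id", "game_history"}, "improve game balance",
             "consent", "game client", 365, set(BASELINE_SECURITY),
             subjects_may_be_children=True),
    Activity("fraud_screening", {"ip_address", "purchase_history"}, "detect payment fraud",
             "legitimate_interests", "checkout", 180, set(BASELINE_SECURITY),
             lia_documented=True),
]

if __name__ == "__main__":
    for finding in lint_ropa(SAMPLE_ROPA):
        print(finding)
```

Run as-is, it reports three findings: the newsletter has no retention period and is missing two baseline measures, and the kids’ game collects consent from children without a parental-authorisation mechanism. Keep the register itself in version control so that the Step 6 documentation and the lint results evolve together.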

Common mistakes during a GDPR audit and how to avoid them:

  • Ignoring the audit: Some startups believe that the GDPR does not apply to them or postpone the audit for “later.” This is a grave mistake that can be costly in the future.
  • Formal approach: Some startups conduct audits formally, without going into details and analyzing real business processes. This will not bring any results except for wasted time and the illusion of security.
  • Lack of documentation: if you do not document your actions, you will not be able to prove your compliance with the GDPR in the event of an audit.
  • Non-compliance of the website/application with the GDPR requirements: it is important not only to conduct an audit, but also to implement the necessary changes on your website or application, for example, add a privacy policy, obtain consent to data processing, ensure the possibility of exercising the rights of data subjects, etc.

Remember that GDPR is not a one-time event, but an ongoing process. It’s important to regularly review and update your processes and security measures to ensure that your users’ data is well protected.

2.2 From privacy policy to data security: creating a GDPR roadmap for a startup

You’ve conducted a GDPR audit, found out what data you process, and identified what needs to be improved. That’s great! Now it’s time to get practical and create a clear plan for implementing GDPR in your startup. Don’t worry, it’s not as scary as it sounds. Let’s take a closer look at each stage:

Step 1: Create a privacy policy

A privacy policy is your public contract with users. It explains how you collect, use, store, and protect their personal data. It is not just a formality, but an important document that demonstrates your responsibility and transparency.

How to create an effective privacy policy:

  • Use plain language: forget about legal jargon and complex wording. Your goal is to make sure that every user, regardless of their level of technical knowledge, can easily understand what is happening with their data.
  • Structure the information: divide the text into logical sections with clear headings. Use lists, bullets, and other formatting elements to make the information easier to read.
  • Provide contact information: Give users a way to contact you if they have any questions about your privacy policy.
  • Update your policy regularly: Legislation and your business processes can change, so review and update your privacy policy at least once a year, or more often if necessary.

What a privacy policy must contain:

  • Information about the data controller: the name of your startup, contact details, website address.
  • List of data collected: indicate all types of personal data you collect, such as name, email, IP address, purchase data, etc.
  • Purpose of data processing: explain the purpose for which you collect and process each type of data. For example, to register on the site, send newsletters, analyze user behavior, etc.
  • Legal basis for data processing: indicate on what basis you process the data: user consent, performance of a contract, legitimate interests, etc.
  • Information about data recipients: if you transfer data to third parties (e.g., email newsletter services), specify their names and the purpose of the data transfer.
  • Data retention period: indicate how long you keep users’ personal data.
  • Information about users’ rights: describe the rights of users regarding their data, such as the right to access, rectification, deletion, restriction of processing, etc. Explain how users can exercise these rights.

Step 2: Obtain consent for data processing

Consent is one of the six lawful bases under the GDPR, and the one most startups reach for first. It is not a general requirement: if another basis applies (for example, processing an order under a contract), do not ask for consent, because a consent that the user cannot realistically refuse is not valid and can be withdrawn at any time. Where consent is the right basis, it must meet a strict standard.

How to obtain valid consent:

  • Ensure free expression of will: The user must provide consent knowingly and voluntarily. Don’t use pre-ticked checkboxes.
  • Separate consent requests: If you process data for multiple reasons, obtain separate consent for each reason.
  • Use plain language: Explain exactly what the user is consenting to in plain and simple language.
  • Keep a record of consents: Keep evidence of consents so that you can confirm that the user has agreed to the processing of their data if necessary.
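The consent rules in section 1.2 and in this step translate directly into a data model. As an added example (not code from the original article), the ledger below records one consent event per purpose so requests cannot be bundled, rejects a "granted" decision that did not come from an affirmative user action (a pre-ticked box), requires a parent or guardian to authorise consent for a child below the age of digital consent, makes withdrawal just another event, and keeps the evidence that the email-marketing FAQ later in this article lists (time, IP address and the exact wording shown). The purpose registry, the age threshold of 16 and the evidence fields are assumptions chosen for illustration.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

DIGITAL_CONSENT_AGE = 16   # Article 8 default; member states may set it as low as 13 (assumed: 16)
# Assumed purpose registry: one entry per purpose you may ask consent for
PURPOSES = {"analytics", "marketing_email", "personalised_ads"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str               # exactly one purpose per event, so consent cannot be bundled
    granted: bool              # False for a refusal or a withdrawal
    timestamp: str             # ISO 8601, UTC
    policy_version: str        # which privacy-policy text the user was shown
    text_sha256: str           # hash of the exact consent wording the user saw
    ip: str
    authorised_by: Optional[str]   # parent/guardian identifier for a child, else None


class ConsentLedger:
    """Append-only log of consent decisions; the latest event per (subject, purpose) wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, *, consent_text: str,
               policy_version: str, ip: str, user_action: bool = True,
               subject_age: Optional[int] = None, authorised_by: Optional[str] = None,
               now: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown or bundled purpose: {purpose!r}")
        # Consent must be an affirmative act: a default or pre-ticked state is not consent
        if granted and not user_action:
            raise ValueError("consent requires an affirmative action by the user")
        # Article 8: a child's consent must be given or authorised by a parent/guardian
        if (granted and subject_age is not None and subject_age < DIGITAL_CONSENT_AGE
                and authorised_by is None):
            raise ValueError("child below the age of digital consent: parental authorisation required")
        event = ConsentEvent(
            subject_id=subject_id, purpose=purpose, granted=granted,
            timestamp=(now or datetime.now(timezone.utc)).isoformat(),
            policy_version=policy_version,
            text_sha256=hashlib.sha256(consent_text.encode("utf-8")).hexdigest(),
            ip=ip, authorised_by=authorised_by,
        )
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, *, ip: str,
                 now: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal must be as easy as giving consent; here it is simply another event."""
        return self.record(subject_id, purpose, False, consent_text="withdrawn",
                           policy_version="n/a", ip=ip, now=now)

    def is_active(self, subject_id: str, purpose: str) -> bool:
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event.granted
        return False   # no recorded decision means no consent

    def evidence(self, subject_id: str) -> List[Dict]:
        """Everything you would show a supervisory authority for one user."""
        return [asdict(e) for e in self._events if e.subject_id == subject_id]
```

Check `is_active()` at the point of use (before sending the email or loading the ad SDK), never from a cached flag on the user profile, so that a withdrawal takes effect immediately. Storing a hash of the wording rather than the wording itself keeps the ledger small; keep the full text of each policy version alongside it so the hash can be matched later.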

Step 3: Ensure data security

Data protection is not just an item on the GDPR list, but your duty to your users. You must do everything you can to protect their data from unauthorized access, use, disclosure, alteration, or destruction.

How to improve data security:

  • Implement encryption: Encrypt data in transit and in storage.
  • Control access: Provide access to data only to those employees who really need it to perform their job duties.
  • Back up regularly: Back up your data regularly and store it in a secure location.
  • Install security updates: Install security updates for all programs and systems on time.
  • Train employees: Train your employees on data security and privacy policies.

Step 4: Enabling users to exercise their rights

The GDPR gives users a number of rights regarding their data. You must enable them to exercise these rights easily and effectively.

How to ensure that users’ rights are exercised:

  • Create clear procedures: Develop clear procedures for handling user requests for their data.
  • Ensure access to data: Give users the ability to access their data that you store.
  • Enable data rectification: Give users the ability to correct inaccuracies in their data.
  • Ensure data erasure: Provide users with the ability to delete their data (“right to be forgotten”).
  • Provide for restriction of processing: Provide users with the ability to restrict the processing of their data.
  • Ensure data portability: Provide users with the ability to receive their data in a structured, machine-readable format.
  • Report breaches: Notify your supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms (Article 33), and notify the affected users themselves without undue delay when the breach is likely to result in a high risk to them (Article 34). Keep an internal log of every breach, including those you decided not to report.
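Step 4 of the audit and this step describe the same workflow: receive a request, find every record about the person, and act on it within one month. As an added example (not code from the original article), the class below implements access, rectification, restriction, portability and erasure against a toy store of three tables, and handles the edge case that matters most in practice: an erasure request does not delete invoices that accounting law requires you to keep, but it strips from them everything the law does not require. The table layout, the retention dates and the sample user are constructed for illustration.

```python
import calendar
import copy
import json
from datetime import date
from typing import Dict, List


def response_deadline(received_iso: str) -> str:
    """Article 12(3): respond without undue delay and at the latest within one month."""
    received = date.fromisoformat(received_iso)
    year, month = (received.year, received.month + 1) if received.month < 12 else (received.year + 1, 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day)).isoformat()


class SubjectDataStore:
    """Toy stand-in for a startup's databases; each table is a dict keyed by subject id."""

    ALLOWED_WHILE_RESTRICTED = {"storage", "legal_claims"}   # Article 18(2), simplified

    def __init__(self, profiles: Dict, orders: Dict, analytics: Dict) -> None:
        self.profiles = copy.deepcopy(profiles)
        self.orders = copy.deepcopy(orders)
        self.analytics = copy.deepcopy(analytics)
        self.restricted = set()

    # Article 15: right of access; everything we hold about the person
    def access(self, subject_id: str) -> Dict:
        return {"profile": self.profiles.get(subject_id),
                "orders": self.orders.get(subject_id, []),
                "analytics": self.analytics.get(subject_id, []),
                "processing_restricted": subject_id in self.restricted}

    # Article 16: rectification
    def rectify(self, subject_id: str, field: str, value: str) -> None:
        self.profiles[subject_id][field] = value   # KeyError if we hold no profile

    # Article 18: restriction; keep the data but stop using it
    def restrict(self, subject_id: str) -> None:
        self.restricted.add(subject_id)

    def may_process(self, subject_id: str, purpose: str) -> bool:
        return subject_id not in self.restricted or purpose in self.ALLOWED_WHILE_RESTRICTED

    # Article 20: portability; data the user provided, in a machine-readable format
    def export_portable(self, subject_id: str) -> str:
        return json.dumps({"profile": self.profiles.get(subject_id),
                           "orders": self.orders.get(subject_id, [])}, indent=2, sort_keys=True)

    # Article 17: erasure, with the legal-obligation exception of Article 17(3)(b)
    def erase(self, subject_id: str, today_iso: str) -> Dict[str, List[str]]:
        today = date.fromisoformat(today_iso)
        report = {"deleted": [], "retained": []}
        if self.profiles.pop(subject_id, None) is not None:
            report["deleted"].append("profile")
        if self.analytics.pop(subject_id, None):
            report["deleted"].append("analytics")
        kept = []
        for order in self.orders.get(subject_id, []):
            if date.fromisoformat(order["invoice_retain_until"]) > today:
                # Accounting law needs the invoice; keep only the fields it needs
                kept.append({k: order[k] for k in ("order_id", "total_eur", "invoice_retain_until")})
                report["retained"].append(f"order {order['order_id']} until "
                                          f"{order['invoice_retain_until']} (legal obligation)")
            else:
                report["deleted"].append(f"order {order['order_id']}")
        if kept:
            self.orders[subject_id] = kept
        else:
            self.orders.pop(subject_id, None)
        return report


# Constructed sample data for one user
SAMPLE = dict(
    profiles={"u42": {"name": "O. Example", "email": "o@example.com"}},
    orders={"u42": [
        {"order_id": "A1", "total_eur": 19.99, "invoice_retain_until": "2031-12-31",
         "delivery_address": "Example St 1"},
        {"order_id": "A0", "total_eur": 5.00, "invoice_retain_until": "2020-12-31",
         "delivery_address": "Example St 1"},
    ]},
    analytics={"u42": [{"event": "level_complete", "ts": "2024-07-01"}]},
)
```

The erasure report is what you send back to the user: it says what was deleted and, for anything kept, the legal reason and the date after which it will go. Real systems also have backups and third-party processors (the email provider, the analytics SDK); the request is not complete until those copies are handled too.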

Step 5: Document processes and activities

Documentation is an important part of GDPR. It helps you systematize your processes, monitor their effectiveness, and prove your compliance in the event of an audit.

What you need to document:

  • Privacy policy.
  • Procedures for obtaining consent.
  • Security measures.
  • Procedures for exercising user rights.
  • Security incidents.

Create a roadmap for GDPR implementation

Once you’ve covered each step, it’s time to create a roadmap for implementing GDPR in your startup.

Your roadmap should include:

  • Specific tasks: for example, “develop a privacy policy”, “implement data encryption”, etc.
  • Deadlines: Set realistic deadlines for each task.
  • Responsible persons: Assign people who are responsible for completing each task.
  • Resources required: Determine what resources you will need to complete each task (e.g., time, budget, software, etc.).

Section 3: Minimize risks and avoid fines

Implementing the GDPR is not just a to-do list, but an important investment in your startup’s security. Ignoring this regulation can lead not only to serious financial losses due to GDPR fines, but also to irreparable damage to your business’s reputation. In this section, we will look at the liability for GDPR violations in Ukraine, learn about the real amounts of fines, and find out how to find reliable partners to help you avoid trouble.

3.1. Unconscious risk: what are the sanctions for a startup in Ukraine for ignoring the GDPR?

Many Ukrainian startups still treat the GDPR as something abstract and distant. They think that liability for violating the GDPR is a problem for large international corporations, and that no one will come after a business of their modest scale. Unfortunately, this is a dangerous illusion. Even if your startup operates from Ukraine, it can still fall under the GDPR and be fined under it if it offers goods or services to people in the EU or monitors their behaviour.

What are the penalties for violating the GDPR?

The GDPR provides for two levels of fines:

  • Up to €10 million or 2% of the company’s total worldwide annual turnover for the previous financial year (whichever is higher) for breaches of the obligations placed on controllers and processors (Article 83(4)): for example, failing to notify a data breach, not keeping records of processing, skipping a required data protection impact assessment, or inadequate security measures.
  • Up to €20 million or 4% of the company’s total worldwide annual turnover for the previous financial year (whichever is higher) for the more serious breaches (Article 83(5)): violating the basic principles of processing, including having no lawful basis or relying on invalid consent, processing special categories of data without a proper basis, failing to respect data subjects’ rights, transferring data to third countries unlawfully, or ignoring an order of a supervisory authority.

How is the amount of the fine determined?

The amount of the fine depends on a number of factors, including:

  • The nature, severity and duration of the breach.
  • The number of data subjects affected.
  • Intent or negligence of the data controller.
  • Measures taken to remedy the breach.
  • Cooperation with the data protection authority.
  • History of previous violations.

Can startups be fined in Ukraine?

Yes, they can. Although Ukraine is not a member of the EU, the GDPR is extraterritorial and applies to anyone who offers goods or services to people in the EU or monitors their behaviour, regardless of where the controller is located. A practical consequence for a Ukrainian startup in this position is Article 27: unless your processing is only occasional, low-risk and does not involve special categories of data on a large scale, you must designate a representative established in one of the EU member states where your users are, and name that representative in your privacy policy.

Other unpleasant consequences for business

In addition to fines, ignoring GDPR can lead to other unpleasant consequences for your startup:

  • Reputational losses: A scandal involving a data breach or other GDPR violation can seriously damage your startup’s reputation and undermine the trust of investors and customers.
  • Lawsuits: Affected users have the right to sue for compensation for material and non-pecuniary damage caused by a GDPR violation.
  • Prohibition on data processing: in some cases, a data protection authority may prohibit you from processing personal data, which can paralyze your startup.

You should not neglect the GDPR, even if your startup is still small and does not have a large turnover. Implementing GDPR is not a cost, but an investment in the security and reputation of your business.

3.2. GDPR under control: where can a startup find reliable partners and consultants in Ukraine?

Implementation of the GDPR is a complex process that requires in-depth knowledge of the law and practical experience. Of course, some startups manage to do it on their own, but often involving external experts can save time, avoid mistakes, and minimize risks. Help with GDPR becomes especially relevant for startups that do not have their own legal department or experience in data protection.

Polikarpov Law Firm: your reliable partner for GDPR in Ukraine

If you are looking for experienced and reliable GDPR experts, don’t hesitate to contact Polikarpov Law Firm. We specialize in the protection of intellectual property and have in-depth expertise in the GDPR.

What we offer:

  • GDPR audit: we will conduct a comprehensive audit of your startup for GDPR compliance and identify potential risk areas.
  • Development of GDPR documentation: we will prepare all the necessary GDPR documentation, including privacy policy, cookie policy, data processing consents, etc.
  • GDPR consultations: we will provide comprehensive consultations on all aspects of the GDPR, tailored to the specifics of your startup.
  • GDPR implementation: we will help you implement all the necessary technical and organizational measures to ensure GDPR compliance.
  • GDPR training: We will provide training for your employees on GDPR and data protection issues.

Why choose us:

  • In-depth GDPR expertise: Our team has a deep understanding of GDPR and practical experience in its implementation.
  • Individual approach: we develop customized solutions tailored to the needs and specifics of each client.
  • Results-oriented: we work for results and help our clients achieve full GDPR compliance.
  • Transparent and competitive pricing: We offer transparent and competitive pricing for our services.

Contact us today to find out more about how we can help your startup ensure GDPR compliance and protect your users’ data.

Conclusion

We have made a fascinating journey through the world of GDPR and figured out why this regulation is not just a set of complicated rules, but an important component of the success of any modern business, especially a startup that wants to grow internationally.

Key conclusions:

  1. The GDPR applies to everyone. Regardless of the size of your startup and where it is registered, if you process personal data of people in the EU by offering them goods or services or monitoring their behaviour, you are required to comply with the GDPR. Ignoring this regulation can lead to serious fines and other unpleasant consequences for your business.
  2. GDPR implementation is an investment, not an expense. GDPR compliance will help you build user trust, improve your brand reputation, attract investment, and avoid legal issues.
  3. Implementing GDPR is not as complicated as it sounds. Start by conducting a GDPR audit, develop a clear privacy policy, implement the necessary security measures, and ensure that users can exercise their rights.
  4. You are not alone on this journey. There are many resources and experts available to help you with GDPR implementation. Contact specialized law firms, IT companies, or consultants who have experience in this area.

Remember that GDPR is not just about fines and penalties. It’s about ethics, trust, and responsible treatment of your users’ personal data. By implementing the GDPR, you make the world a better place and strengthen your startup’s position in the market.

If you are looking for a reliable partner to implement the GDPR, contact the team at Polikarpov Law Firm. We have the necessary expertise and experience to help your startup become successful in the digital and data protection era.

Do I need to implement GDPR if my startup is not yet profitable?

Many early-stage startups are convinced that GDPR requirements do not apply to them until they are making a steady profit. However, this is a dangerous mistake.

The GDPR is not concerned with business profitability, but with the processing of personal data. If your startup collects, stores, or uses any personal data (name, email, IP address, etc.) of people in the EU, even without making a profit, you are already required to comply with the GDPR.

Why is it important?

  • Risks do not depend on profits: Fines for GDPR violations can reach millions of euros, which is an unbearable amount for most startups, regardless of their financial performance.
  • Reputation is your capital: A data breach can cause irreparable damage to a young business’ reputation, scaring away potential investors and customers.
  • Implementing early is cheaper: Integrating GDPR into business processes from the very beginning is much easier and cheaper than reworking the entire system later.

Recommendation:

Don’t put GDPR off until later. The sooner you start implementing its principles, the fewer problems you will have in the future, and the better your chances of building a successful and responsible business.

What user data is considered personal in terms of the GDPR?

The GDPR provides a very broad definition of personal data: any information relating to an identified or identifiable natural person, that is, anyone who can be identified directly or indirectly from it.

Obvious examples:

  • First and last name
  • Email address
  • Phone number
  • Identification code
  • Photo
  • Bank card details
  • IP address

Less obvious, but also personal data:

  • Location data (geolocation)
  • Cookie identifiers and other online identifiers
  • Device identifiers
  • Data about purchases
  • Internet search history
  • Medical (health) data
  • Genetic data
  • Biometric data used to identify a person

The last three are special categories of data under Article 9: processing them requires not only a lawful basis but also one of the specific conditions in that article, such as the explicit consent of the data subject.

Even information that does not identify a person on its own can become personal data when combined with other data. For example, date of birth and gender do not reveal an individual’s identity on their own, but when combined with the name of the company where the person works, they can lead to identification.

Important to remember:

  • The GDPR protects all types of personal data, regardless of their format (electronic, paper) and source.
  • Startups need to identify all types of personal data they collect and process to ensure compliance with the GDPR.

How does GDPR affect the work of startups with email marketing?

The GDPR (General Data Protection Regulation) has a significant impact on how startups can use email marketing. Here are the key points:

Consent:

  • Clear and unambiguous consent: The GDPR requires a clear, affirmative and unambiguous indication of consent to receive marketing communications. You cannot use pre-ticked checkboxes or treat silence or inactivity as consent.
  • Evidence of consent: You must keep evidence of consent, including the date, time, IP address, and text of the consent form.
  • Easy to unsubscribe: You must provide users with an easy way to unsubscribe at any time.

Transparent privacy policy:

  • Your privacy policy should be clear, concise, and accessible.
  • It should explain how you collect, use, store, and delete personal data.

Other important aspects:

  • Territorial scope: The GDPR applies to every company that sends marketing to people in the EU, regardless of where the company itself is located.
  • Penalties: Violations of the GDPR can result in significant fines (up to €20 million or 4% of annual global turnover, whichever is greater).

Recommendations for startups:

  • Review your email marketing processes: Make sure you’re getting consent in accordance with the GDPR.
  • Use double opt-in: The GDPR does not mandate it, but a confirmation email proves that the owner of the address actually requested the subscription and gives you evidence of consent that a single form submission cannot.
  • Segment your email lists: Send relevant emails only to users who have opted in.
  • Implement a consent management system: This will help you track user consent and simplify data management.
  • Familiarize yourself with GDPR: Make sure you have a good understanding of GDPR requirements to avoid violations.
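As an added example (not code from the original article), the class below implements the double opt-in recommended above with stateless confirmation tokens: the sign-up form produces an HMAC over the normalised address and an expiry time, the confirmation link carries that token, and the address is added to the mailing list only when the token verifies, is unexpired, and was issued for exactly that address. The 24-hour validity window, the in-memory subscriber table and the fixed test key are assumptions; a real deployment loads the key from a secret store and persists the subscriber table and its evidence.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumed: confirmation links are valid for one day


class DoubleOptIn:
    """Stateless confirmation tokens: HMAC over (email, expiry), verified before any mailing."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A per-process key invalidates outstanding links on restart; load it from a secret store in production
        self._key = key or secrets.token_bytes(32)
        self.subscribers: Dict[str, Dict] = {}   # email -> confirmation evidence

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def _mac(self, email: str, expires: int) -> str:
        msg = f"{email}|{expires}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def start(self, email: str, now: Optional[float] = None) -> str:
        """Step 1: the user submits the form; return the token to embed in the confirmation link.
        Nothing is subscribed yet and no marketing may be sent to this address."""
        email = self._normalise(email)
        expires = int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS
        return f"{expires}.{self._mac(email, expires)}"

    def confirm(self, email: str, token: str, ip: str, now: Optional[float] = None) -> bool:
        """Step 2: the user clicks the link; subscribe only if the token is genuine and unexpired."""
        email = self._normalise(email)
        now = now if now is not None else time.time()
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False                       # malformed token
        if not hmac.compare_digest(mac, self._mac(email, expires)):
            return False                       # forged, or issued for a different address/expiry
        if now > expires:
            return False                       # stale link
        if email not in self.subscribers:      # a repeated click is harmless; keep the first evidence
            self.subscribers[email] = {"confirmed_at": int(now), "ip": ip}
        return True

    def is_subscribed(self, email: str) -> bool:
        """Check this before every send; it is also the 'only to users who opted in' filter."""
        return self._normalise(email) in self.subscribers

    def unsubscribe(self, email: str) -> None:
        self.subscribers.pop(self._normalise(email), None)
```

Because the token is bound to the address, a link forwarded to someone else confirms nothing for the forwarder’s address, and because the expiry is inside the MAC it cannot be extended by editing the URL. The confirmation record (time and IP) is the evidence of consent the section above asks you to keep.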

Conclusion:

GDPR brings significant changes to email marketing. It’s important for startups to adapt to these changes to protect themselves from legal issues and maintain the trust of their customers.

Are there any free tools for startups to help ensure GDPR compliance?

Although there is no completely free single solution to ensure full GDPR compliance, many tools and resources offer free plans or trial periods that can be useful for startups:

  1. Consent forms and consent management:
  • JotForm: Offers a free plan for building data collection forms with explicit consent fields.
  • MailerLite: Has built-in double opt-in and consent management features in its free plan for small email lists.
  2. Cookie policy:
  • Cookiebot: Free plan for basic cookie scanning and blocking on small sites.
  • Iubenda: A free and customisable cookie policy generator.
  3. Privacy policy:
  • TermsFeed: Free privacy policy templates that can be customised for your startup.
  4. Security:
  • Bitwarden: Free open-source password manager for securely storing credentials.
  • ProtonVPN: A free VPN service for protecting your team’s own traffic on untrusted networks (it does not by itself protect the user data you store).
  5. Educational resources:
  • European Commission GDPR information portal: Detailed information about the GDPR and its requirements.
  • Mailchimp GDPR blog: Articles and tips on GDPR compliance in email marketing.

Important: Free tools may have limited functionality.
Assess your startup’s needs and determine if a free plan is enough for you or if you should invest in a paid solution.

Recommendations for startups:

  • Take advantage of trial periods: Most paid tools offer trial periods, which allows you to test them before you buy.
  • Look for all-in-one tools: Some email marketing platforms offer built-in GDPR compliance features.
  • Consult with a lawyer: It’s best to consult a legal professional for customized advice on GDPR and to choose the best tools.

Remember that GDPR compliance is an ongoing process. It is important to regularly review and update your practices and tools to stay one step ahead.

How can I prove to investors that my startup is serious about GDPR?

Investors are increasingly paying attention to GDPR compliance issues, as violations in this area can lead to significant financial and reputational losses. Use a layered approach to demonstrate your responsibility:

  1. Documentation and transparency:
  • Privacy policy: Make sure it is clear, up to date, and GDPR compliant. Emphasize how you collect, use, store, and delete user data.
  • Data processing procedures: Document the processes for collecting, processing, and protecting data.
  • Cookie policy: Explain what cookies your site uses and give users the ability to manage them.
  • Data processing agreement: Prepare a standardized agreement for partners and service providers.
  2. Actions and measures:
  • Data Protection Impact Assessment (DPIA): Conduct a DPIA if your startup processes high-risk data.
  • Built-in data protection: Implement data protection principles at the design stage (privacy by design) and by default (privacy by default).
  • Security: Implement measures that protect data from unauthorized access, use, disclosure, alteration, or destruction, such as encryption in transit and at rest, least-privilege access, and audit logging.
  • Training: Provide regular GDPR training for employees.
  3. Communication:
  • Openness: Communicate openly with investors about your approach to GDPR and demonstrate the measures taken.
  • Audit: Be prepared to provide documentation and undergo a GDPR compliance audit upon request from investors.
  • Insurance: Consider insurance against cybersecurity and GDPR-related risks.

Additional tips:

  • Obtain GDPR compliance certification from an accredited body.
  • Engage GDPR experts for consultation and audit.

Remember that GDPR compliance is not a one-time action, but an ongoing process. By demonstrating your responsibility and transparency, you can win the trust of investors and strengthen your startup’s reputation.
