Respecting rules pertaining to the protection of personal data is rarely considered as a matter of priority by startups. And yet, these rules have become one of the key elements in regulatory compliance and are thoroughly inspected during a legal audit prior to third party investment or prior to an acquisition.

Even more importantly, compliance as regards the processing of personal data has become a major concern for large companies, which may become your partners or your clients in the long run. You must therefore be in a position to efficiently answer their concerns on the topic.

There is no time like the present to make sure you are compliant!

Below are the main questions you should ask yourself:

1. Does the activity of my company involve the processing of personal data?

Know that personal data does not just encompass name and surname, it also covers all information pertaining to an identified or identifiable person, such as: telephone number, bank card number, GPS data, a navigation route drawn up using cookies, etc.

N.B. even if your company processes few amounts of personal data, regulations cover at the least the data of your employees and clients/prospective clients.

2. To what end is personal data collected?

The cardinal principle of the law on the protection of personal data is that of purpose, which means that the data must be collected for a known, legitimate, and legal purpose (e.g. management of the client relationship), and must not be then re-used for a different end.

You must not be content with indicating that the data is “collected for use”. You must indicate the purpose of such use.

Additionally, if you sell connected watches, it is not necessarily legitimate to automatically send on the data of your clients to running equipment brands without specific notification thereto and without having obtained prior agreement from your clients.

3. Is the data collected really necessary for the end purpose of my company?

You should bear in mind that only the personal data that is necessary to carrying out the end purpose of your company should be collected. For instance, online retailers do not need to know the political orientations of their clients to deliver their ordered goods to them. Only their contact details (full name, address and telephone number) are relevant. However, the site may also ask its users to enter their date of birth, so that it may send them a targeted special offer for their birthday.

You should also be aware of data conservation rules: non-anonymised data cannot be kept by the company for a duration extending beyond the time needed for the completion of the company’s end purpose. In France, the National Commission for Data Protection and Liberties (CNIL) considers for instance that the data pertaining to a prospective client and who does not respond to any contact attempt for three years must be deleted.

4. Have I informed the people concerned at the time of data collection?

The requirement of loyalty demands that the people concerned must be informed of:

(i) the reasons for which you are collecting their personal data,
(ii) the potential recipients such data will be sent to,
(iii) the duration for which such data will be kept on record, and
(iv) the rights said people have (access, rectification, objection) and how to exercise them.

As regards personal data processing, it is possible to do a lot so long as you appropriately inform the people concerned. Where such information is comprehensive and compliant with the regulation, it is alone sufficient to legally validate the collection and use of data in most cases.

5. Must I obtain a person’s “agreement” to process his or her data?

To process personal data, you must both inform the people concerned and obtain their prior consent.
For instance:

• If you wish to use the data for marketing purposes, depending on the case and type of prospection being considered (email, SMS, post, etc.), you must either offer an “opt-in” (prior express agreement) or an “opt-out” (possibility of refusing the processing of personal data) notice;
• You must obtain prior agreement (“opt-in”) to collect and use sensitive data (health, etc.).

6. Will I transfer personal data outside of the European Union?

You may, in full knowledge, transfer personal data to entities located outside the European Union, for instance to your parent company or a subsidiary, or to a service provider acting for your account. However, please be aware that you can also transfer data without realising it, for instance because the servers of your web host are located in the United States, or because your call centre is based in Morocco. Certain measures must be implemented depending on the case.

For further information (in French): click here

7. What administrative formalities must I fulfil (declarations, authorisations, etc.)?

Depending on the end purpose for which you are processing personal data, you must complete various formalities with the National Commission for Data Protection and Liberties (CNIL in France), such as a declaration or request for authorisation. For certain types of very common processing (management of clients and prospective clients, management of HR, access to the premises using badges, implementation of a professional alarm system), there are a number of simplified standards for which you will simply have to submit a compliance commitment.

For others, generally put in place by all companies (pay management, supplier files), the CNIL in France has also set up exemptions.

If you appoint a data protection and liberties representative, your company will be exempt from all declarations (except for processing requiring an “authorisation” from the CNIL). However, such representative will have to keep up to date a log book listing all the processing carried out, as well as its characteristics.

***

Data that is not validly collected or processed is likely to be unusable. Depending on your activities and your business sector (in particular health, biotechnologies, marketing and advertising, etc.), compliance as regards personal data can impact your economic model and the value of your company.

The basic rules are not that complex. Take a few minutes to ask yourself the above questions and think about the measures to be implemented in order to carry out your processing in compliance with the rules and regulations in force.

Additionally, bear in mind that the applicable regulations are changing under the impetus of new European texts. There is no time like the present to make sure you comply with the rules!