Yes, starting a privacy compliance project can be daunting.
For a small software company, it means more work.
But if privacy means anything to you, your software is probably not that far from meeting the requirements.
And remember, the EU does not want to put you out of business.
Consider the GDPR as a framework to help you provide privacy to your users.
The crux of the regulation is to force you to consider all the “things” you do with personal data and examine if you have a good reason to do so.
It boils down to:
- Identify each processing activity and its purpose
- Check that you have a legal reason for performing it: this is the legal ground (or legal basis)
- Inform your users and customers about it
Now, let's drill down a little bit.
If we go back to Article 4(2), it gives a list of the actions you may perform on personal data that count as "processing."
As you can see, it’s extensive.
Keep it in mind next time you come to me and say "I don't do anything with this data."
If you merely store it, or send it to a processor, that is processing in the GDPR sense.
You do it for a purpose that you must identify and record.
Next step: the processing of personal data can only happen if it's lawful.
The GDPR aims to eliminate practices that are dangerous for people's rights and freedoms.
If you want to do things with people's personal data, follow the rules.
As a software business, there are 4 legal grounds (Article 6) that you will realistically choose from:
- consent
- execution of a contract
- legal obligation
- legitimate interest
Pick the one that best fits each purpose, and record it alongside the purpose.
And if you can't find any option that is suitable, it may be that you should not process this data point in the first place.
Now, a note about legitimate interest.
It is not a free pass.
It's handy, but it comes with some strings attached:
you'll have to perform a legitimate interest assessment, balancing your interest against your users' rights, and you'll have to document it.
Your users also get a specific right in return: they can object to processing based on legitimate interest.
The last step is to inform your users.
As I keep advocating, it's all about giving your users and customers the information they need to make an informed decision about using your service.
This is the part where you build trust in your business.