General Data Protection Regulation—often referred to as GDPR—is a far-reaching regulatory framework that governs data protection and privacy issues for individuals in the European Union. Attention startups: even American companies with no overseas presence must comply with GDPR if they are controlling or processing the personal data of individuals in the European Union. Individuals covered by GDPR need not be EU residents or EU citizens; instead, the regulation focuses on where a company is offering its goods or services and where the company is monitoring an individual’s data. GDPR requires that such companies provide a “reasonable” level of protection for consumers’ personal data, which the regulation broadly defines as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Careful processing of customer data and incorporating robust privacy controls are essential for GDPR compliance and should be a top priority for your startup in 2020.
Resources in a startup are often spread thin, with a skeleton legal function and a strong focus on rapid growth. This can make it difficult to know where to focus GDPR compliance efforts.