Why startups and scaleups need to care about data protection (and it's not for the reasons you might think)
Is GDPR only something mature companies should care about? In this post, data protection expert Ben Martin makes the cas...
Introduction
This article has two goals:
- to provide you with information about what needs to be included in your privacy policy so your company complies with GDPR, and
- provide a tutorial on how to build your legal justification table with the SeedLegals website and employee privacy policies available on SeedLegals.
If you’re building a legal justification table on SeedLegals and you’ve been taken to this article by the on-platform link, scroll down to How do I build my own legal justification table on SeedLegals? below.
What do you need to do to comply with GDPR
There are a variety of obligations created under the GDPR that must be followed. You have to outline the procedures you put in place to protect Personal Data, where you send any Personal Data (if you send it to third parties), how individuals can request deletion of their personal data, and so on.
However the primary obligation under the GDPR and the whole spirit of the regime is to explain, to anyone you collect “Personal Data” from:
- When you collect their Personal Data (activity);
- What type of Personal Data is being collected (type);
- Why you collect their Personal Data (purpose); and
- Why you are legally entitled to collect their Personal Data (justification).
“Personal Data” is any information about a person from which that person can be identified E.g. their name, address, gender, IP address etc.
It’s all about empowering the individual so that they know what data is being taken from them and giving them some control over use of that data.
What many people do not realise is that this definition means that you owe obligations under the GDPR not only to your customers, but also to your employees.
Because of this need, SeedLegals has created two new privacy products to allow companies to comply with their GDPR obligations:
- A Website Privacy Policy (applies to your customers)
- An Employee Privacy Notice (applies to your team, given to them when they join)
Why are SeedLegals’ privacy products the best on the market and why are competing products not fit-for-purpose?
What we noticed when we were doing our research on competitors‘ privacy/data protection/GDPR solutions is that many were simply not fit-for-purpose.
There were plenty of off-the-shelf templated privacy policies, that made a generic reference to the GDPR and to the legal justifications within the GDPR, along with some standard wording about putting in place data protection systems and how people can opt-out of marketing emails.
But, generic references to “consent” or “legitimate interest” and standard wording about security, in our opinion, does nothing to actually explain to individuals what is being done with their data, which was the driver behind the introduction of the GDPR. So, in our opinion those competing products do not even achieve compliance with the GDPR, let alone reflect best practice.
What we have included in our privacy policies to ensure proper compliance is something we call a “legal justification table”. This allows you to clearly set out when Personal Data is collected, what type, why it is being collected and why you believe you are legally entitled to collect it.
What is a legal justification table?
We decided the easiest way to show this information is through a table with three columns:
- a left-hand column summarising the activity you or your customer undertakes that gives rise to collection of Personal Data,
- a middle column identifying what type of Personal Data is collected e.g. profile/identity/financial, and
- a right-hand column explaining what legal justification is relied on to collect the Personal Data, with a space to add narrative to explain why you need to collect that particular Personal Data.
Click this link to be taken to our own legal justification table within our own privacy policy to see an example of a completed legal justification table.
As you can see from our own legal justification table in the link, it clearly shows when we collect specific types of Personal Data from an individual, why we collect it and what legal justification we rely on. Higher up in our privacy policy we explain what those justifications mean so it is easy for our customers to understand.
How do I build my own legal justification table on SeedLegals?
When you get to the section of our product that asks you to build your own legal justification table, you will have already identified what types of Personal Data you collect from either your customers or your employees (depending on which privacy policy you are making). To remind you of the different types of Personal Data you can collect from your customers, they are:
- Profile/Identity Data: data relating to first name, last name, gender, date of birth.
- Contact Data: data relating to your phone number, addresses, email addresses, phone numbers.
- Marketing and Communications Data: preferences in receiving marketing information and other information
- Billing Data: debit and credit card information such as the name attached to your payment details and your billing address.
- Financial Data: banking details e.g. your account number and sort code.
- Transactional Data: details and records of all payments you have made for our services or products.
- Technical Data: IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to engage with us.
- Customer Support Data: This includes feedback and survey responses.
- Usage Data: information about how people use websites, products and services.
You then need to pair each type of Personal Data you collect with one of the legal justifications permitted under the GDPR. Those justifications are as follows:
- Consent
Certain situations allow you to collect your customer’s Personal Data, such as when they tick a box that confirms they are happy to receive email newsletters from you, ‘opt in’ services and when the customer enters their own details voluntarily. - Contractual Obligations
Certain information is required from a customer in order to fulfil your contractual obligations to them and provide them with the promised service. - Legal Compliance
Occasionally there is a legal requirement to collect and process certain types of data, such as fraudulent activity or other illegal actions. - Legitimate Interest
This is the broadest justification. You are entitled to process personal data to be able to meet your own legitimate interests – this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your customer’s rights, freedom or interests. Examples could be a customer’s address, so that you know where to delivery something to, or their name, so that you will have a record of who to contact moving forwards.
Two things to note:
- if you do not think any of the above justifications apply to the type of Personal Data you have in mind, you should consider whether you are in fact entitled to collect the particular kind of Personal Data; and
- if you collect any “special categories of data” you will need to be able to show that you can rely on one of the “enhanced legal justifications” if you are unsure about those enhanced justifications please contact us.
When you head back to the platform, you’ll be presented with the request Please list an activity or time when you collect your employee’s/customer’s Personal Data. Here, you need to think of your first activity, such as “when a user signs up to our service” or “when an employee turns up for his first day” (as appropriate). Once answered, you will then be asked to tick from the list of the types of data your company collects (that you previously identified from a bigger list) which of those categories are collected under that activity.
For example, when a user signs up to your service, you will probably collect (at least) “Profile”, “Contact”, “Marketing and Communications” and “Technical” data and so you would select those types from the list. Once you have chosen which categories of data apply to the activity, lastly, you need to choose what legal justification you are relying on to collect that data. You can choose more than one justification. E.g. You may rely on “consent” for Profile and Contact data, but may rely on “legitimate interest” to collect Technical data.
You are finally presented with a freeform textbox to provide a short narrative about why you believe you can rely on the justification(s) you have chosen and/or to explain which justification applies to which type of data.
All you then need to do is repeat this process for every activity your company undertakes that leads to data collection, and once finished, the platform will create a legal justification table within your privacy policy so you are fully compliant with GDPR!
Conclusion
We have not only made GDPR compliance possible (given the low quality of the rest of the GDPR compliance market), but also made it easy for our customers to comply with GDPR.
The platform also allows you to update your privacy policies at any time. So, if your company pivots and you start undertaking more or different activities which give rise to collection of Personal Data, you can update your policy in a matter of seconds.
If you want to purchase our privacy policy products, have any further questions about our privacy policies or our company policies in general, please reach out to us at [email protected] or use our live chat to get in touch.
