Quick Overview Of The GDPR (General Data Protection Regulation)

What Does GDPR Stand For?

It stands for General Data Protection Regulation (GDPR hereon).

What Does GDPR Mean Or Do?

It replaces the Data Protection Directive 95/46/EC by the European Union. The GDPR was designed to make the data privacy laws across EU member states uniform, to protect the personal data of every citizen in the EU, mainly to give citizens a control over who gets access to their personal data and to rework* organizations’ approaches with regard to data privacy.

The GDPR aims to protect EU citizens from data and privacy breaches and also gives them back the right over their personal data. All organizations serving the EU citizens must comply with this mandatory directive. It means that companies will have to change* the way they handle their clients’ information like names, photos, email IDs, bank details, social media posts, medical information, or IP addresses which constitute their “personal data”.

A few definitions taken directly from the Regulation

Personal Data definition

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing definition

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Restriction Of Processing definition

‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

Profiling definition

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Pseudonymisation definition

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Filing System definition

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Controller definition

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor definition

processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (9)

Recipient definition

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the
framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Third Party definition

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent definition

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal Data Breach definition

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Genetic Data definition

‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Biometric Data definition

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

Data Concerning Health definition

‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Main Establishment definition

‘main establishment’ means:

(a)as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b)as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

Representative definition

‘representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

Enterprise definition

‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

Group Of Undertakings definition

‘group of undertakings’ means a controlling undertaking and its controlled undertakings;

Binding Corporate Rules definition

‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

Supervisory Authority definition

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

Supervisory Authority Concerned definition

‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority;

Cross-Border Processing definition

‘cross-border processing’ means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

Relevant and Reasoned Objection definition

‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

Information Society Service definition

‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (1);

International Organisation definition

‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

When Does The GDPR Come Into Force?

GDPR will come into force on the 20th day post its publication in the Official Journal of the European Union.

The GPPR will take effect on May 25, 2018 after the two year transition since its approval and adoption by the European Union Parliament on April 14, 2016.

Whom Does The GDPR Affect?

Any company serving the EU citizens must comply with the GDPR directives. Whether an EU company or a non-EU company that deals with “controlling” or “processing” data of the EU data subjects must adhere to the implications of the GDPR. So if you’re based here in India and conducting any of the aforementioned with the personal data of the concerned natural persons; beware.

What If You Fail To Adhere To GDPR? or What Are The Penalties?

Organizations that do not comply with the GDPR directives by May 25th, 2018, could face penalties and be fined up to €20 million ($24 million) or 4% of global annual revenue, whichever is greater.

*What Measures Must Advertisers & Publishers Take?

An upside to the programmatic world in the GDPR era will be the trust factor between customers and brands; this is solely because customers will get to choose whom to share their personal data with, in promise of specific services. Advertisers and publishers have always had their way, because customers could only choose to “opt-out” of receiving specific ad notifications etc. But with the GDPR in place next year, ads targeting EU citizens will have to first get their consent i.e. wait for the target audience to “opt-in” for receiving various notifications/deals from the advertisers or publishers. 

How Does GDPR Affect Ad-Tech Companies?

Ad tech companies and other organizations like email service providers, CRM partners, eCommerce systems, circulation fulfillment companies must comply with the way they  gather, process, store and protect EU citizens’ personal data. First and foremost step will be to make sure the advertisers or publishers are GDPR compliant. It is  critical that the ad tech companies to explain to their respective customers, how their data will be tracked and the benefits that they will avail upon doing so and lastly they must also be informed that they can chose to have their “personal data” deleted from databases as well. This is the “right to be forgotten rule”. Should a user wish to have his/her personal data erased from the database, it must be granted.

What Are The Rights Of The EU Citizens (i.e. “data subjects”) Once GDPR Comes To Effect?

Breach Notification

In case of a breach, the controller must without undue delay inform the supervisory authority about the personal data breach in less than 72 hours after having become aware of it unless the breach is not likely to result in a risk to the rights and freedoms of natural persons (i.e. data subjects).

Right to Access

Data subjects can obtain confirmation from the data controller if their personal data is being processed, if so, where is it being processed and for what purpose.

Right to be Forgotten/Data Erasure

Data subjects can have the data controlled erase his/her personal data, stop any further dissemination of data and even cease third parties from processing the data.

Data Portability

Data subjects can receive personal data concerning them which they have provided to the controller in a structured, commonly used, machine-readable and interoperable format. Where it is technically feasible, the data subject should have the right to transmit personal data from one controller to another.

Privacy by Design

By default data protection must be included right from the onset of the designing of systems, rather than an addition later.

References: –

ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

12 Lessons From A Year As A Start-Up Entrepreneur

My first full year at BPRISE, the company I co-founded in mid-2016, has been very much like the opening lines of A Tale Of Two Cities. However eventful the journey so far, there has been a learning curve at every juncture. I thought I’d share some of those prickly lessons and pearls of wisdom with you, as we introspect on the year gone by and toast to the one to come…

1. Is The Market For Your Product, Desperate Enough?

Start-ups have been fashionably sprouting all over the global spectrum for years now. But only a few survive. Does your start-up satiate a thirst and hunger for a service or item? That should be the first logical question you ask yourself. Look for signs like customer acquisition costs going down, exponential demand and revenue growth (on a weekly basis) and the virality of word of mouth. If you don’t find a convincing enough justification, then you quite simply, have no business! Start off on the right foot, so that the journey ahead is on solid ground with real potential.

2. Do you have a problem?

I’ve always believed that solving a big problem is a bigger deal and leads to a huge business opportunity. Do your buyers have urgent needs that need to be addressed as soon as possible? Great! That means they are more likely to adopt your solution AND pay a premium for it. Put every idea you get through the test, of whether it solves a big conundrum or not. You can’t build a billion-dollar company without solving a billion-dollar problem or one that a hundred million people are willing to pay for. If Facebook today is almost a $500 billion company, it’s because it addresses one of the humans’ most urgent needs: The need to be Social, according to Maslow’s hierarchy of needs.

3. Start With Part-Time. Grow into Full-Time

Start-up initiation is mostly about having a smart, self-starter attitude. Most Hall-Of-Famers start out as garage bands. Every entrepreneur may not be able to work full time at a start-up from the get-go. Even a part-time commitment can be a decent beginning. Ideating, meeting with a bunch of potential users, building a testing version of the product, seeking user input – all of this can be done on the weekends or for a few hours every other day. Baby steps, till you’re able to walk with a full team and a structured venture is better than doing nothing. Have a clear target plan of what it will take to quit your current job to run the start-up full time. 10 paying customers or 200 active users? About $2000 in monthly revenue? Or A $10,000 investment? Work toward whatever the goals may be, so that even on a part-time basis, you can eventually turn the side-gig into your owned and operated outfit.

4. Put the Pro in Prototype

A prototype is a functional or visual example of what you envision building in the future. Potential customers, Investors and/or Team Members are who you would typically build one for. When potential buyers see how a product might look (visual prototype) or work (functional prototype), it becomes easier for them to believe in its value. A prototype could make ideating and brainstorm with your team much easier and possibly, even get you funded.

Personally, I didn’t need to spend money producing many units of the actual product, just to sell my idea. I gave presentations to a couple of big banks and heads of large agencies armed with just a laptop and something that looked like a full-size motherboard sprouting wires from every end. Not a pretty sight, but it helped me confidently prove my point and notice what exactly the customer appreciated it.

5. You And What Army?

Just because you’ve started up with a gem of an idea, frame-worthy vision and unshakable passion to build the next big thing, doesn’t mean that it’s a sure slam dunk just yet. Human Capital is what drives every success story. Investors and accelerators always judge a founder by the company he or she keeps, quite literally. So, while it may seem obvious to hire key talent who are aptly qualified for various positions, they should share your parental passion for the start-up and express vows for the long haul. Make it a priority to be very selective about your hires, so that partners, potential VCs, and clients recognize this value and seek to join the club.

6. Hi, I’m Jack. Of All Trades.

Sure, founding team members each have unique designations and departments on their business cards. But the reality is that all their cups runneth over. Sometimes, a business development or marketing professional might be M.I.A, so the founding members need to step in and multi-task. Teething issues and responsibilities like programming, recruiting, customer service, cheerleading, and designing need to be shouldered by the founders, over and over again. Now granted, you might not necessarily be a trained programmer yourself, but that doesn’t absolve you of your duties. Having a basic understanding of new technologies and knowing a little bit of everything will only help you propose viable solutions, evaluate teamwork and hire the best. This can be painful since you might not be spending much time perfecting the craft you love. But along the way, you will pick up complementary skills that will only boost your core talent. Once your start-up grows to a position where it can afford to build a bigger team with leaner KRAs, then you can go back to be the Master of One. Just like your card says!

 

7. Don’t Be A Big Fish In A Puddle

The modern-day Confucius – Jack Ma advises to ‘hire people with superior technical skills than yours”. He couldn’t be righter. You can win a running race by outsmarting peers who are not as good as you. But, if you train with the best of the best, even if you are placed last in the race, you’ll have timed better. High levels of competence in a company only help soar efficiency rates and speeds progress by default. So, hire smart people and then listen to them.

8. Are They Positive?

It’s not enough to stay hungry and foolish. You’ve got to stay positive too! I had a major falling out with an employee, only because of their negative attitude. I’ve come to realize that you can always train people to carry out certain tasks and handle certain machines, but professionalism and positivity are character traits that come inbuilt for the most part. Your quarterback may “Show You The Money”, but if he is a big sourpuss, then his vibe might bring the rest of the team down and cost you that Super Bowl. Headhunt people with enthusiasm and a sporting spirit.

9. All Aboard?

Airbnb’s Brian Chesky, like many other entrepreneurs, had to deal with quite the Catch 22. At the start of the journey, no travelers would come to the Airbnb website without accommodation listings and no homeowners would list their space without legitimate travelers on the site. Chesky said that he had to build the business, literally one home at a time, block by block, street by street and city by city. We too, at BPRISE, find it tricky with publishers and advertisers being our proverbial chicken and egg. This period of setting up meetings with clients and time flying by as we wait for early deals to culminate is stressful, to say the least. The ship can only start to sail once you have those initial clients and partners on board. Our unwavering faith, zen-like patience, and persistence are what will see us through the painfully quiet work days.

10. Plans Change. So Should You.

Most start-ups end up charting a course that’s different from the one that was initially sketched. This is normal and typically has little to do with having industry knowledge or experience in the line of work. There are many factors that could spoil your ideas and carefully planned projections. Don’t be too precious about them. Everything happens for a reason and change should be embraced as chances for better ideas and directions to present themselves.

Remember that the battle plan is the first casualty of the war. As soon as the first bullet is fired, the plan goes right out the window.

11. Draw A Budget & Pinch Pennies

In the business world, especially for start-up entrepreneurs, financial prudence plays a crucial role in the sustainability and transition from a small-scale boutique business to medium or large-scale organization. The initial euphoria of a newly established venture distracts entrepreneurs from keeping an eye on the cash flow statement. Many start-ups fail because of overspending. So, restrict withdrawals to adhere to a strict budget and regularly review it with discipline.

Don’t be ashamed to hunt for bargain deals online and at nearby stores. Strict financial discipline is a habit. Unnecessary spending leads to business failure.

12. Sales. Duh!

No matter what kind of company you run, the mission statement is one and the same across the board: ‘Decrease Overheads, Increase Revenue’. It’s very easy to lose yourself in the day to day affairs of operating a company, creating systems, corresponding to emails and updating social media pages. But do you have your eye on the prize? Are you acquiring new customers and improving sales? Isn’t that what you work for? Make sure you are staying productive and profitable with everything you and your team do. Segregate tasks into billable and non-billable jobs, evaluate the time spent on different accounts and make every action and person accountable for the bottom line objective. Because without customers and sales, what you have is not a business, but an expensive hobby!

To sum it up…

 

The start-up race is started by tens of thousands, but only half of them take the first steps. A mere hundred emerge from failures and even fewer make it to their first ‘ka-ching’! The ones who survive are living proof of perseverance and competitiveness. That’s what sets apart the dreamers and thinkers from the doers. It’s the survival of the fittest out there, so strap on your best-armoured suit and don’t forget to take notes while you battle on.