The GDPR sets the world's highest standards of data protection for every company reaching customers in the EU. As a cornerstone of a digitally prepared European Union, the regulation shall protect personal data but also provide a single market and the free flow of data within it. The law has been fought over like no other and, while written with giant global companies in mind, it applies to everyone from a bakery to Microsoft.
Startups have landed in the blind spot of the regulation: their legal teams are similar to those of a bakery, but their creativity in building the data-driven products of the future easily challenges that of the world’s largest companies. The GDPR does not allow for ‘lean’ product and service cycles, and Europe’s great entrepreneurial minds might get poached by other markets where such barriers don’t exist.
Can we recognise the GDPR as an opportunity and, through it, actually improve the competitiveness of startups in Europe? Startups in Europe want not only to respect the legal framework we have but also to help strengthen its roots by educating Europeans to become tech-savvy users of trusted and innovative products and services.
At the Startup Nations Policy Hack in Estonia, we will work toward this goal by developing a lean way to approach GDPR compliance, engage with data protection authorities, self-assess risk, show the advantages of engaging with authorities early and offer ideas to hack some of the most burdensome parts of the regulation.
The hack aims at developing a to-do list for companies that want to move fast without breaking too many things, a list of actions that shows DPAs that startups are serious about privacy. It's not a compliance list written by auditors and lawyers, but a list of good intentions for those that cannot afford to wait!
The high-five list will give startups a hint of:
- The five most important steps before launching a product
- Transparency, when do I have to engage with my Data Protection Authority (DPA)?
- Benefits of making a first move towards your DPA
- Help them to self-assess the risk
- Show their good intention to become “as compliant as it gets”
Where and why do we need a regulatory sandbox?
Data protection legislation does not allow for much flexibility: either you’re compliant or you’re not. But on a road where compliance costs months of work and thousands of euros, and non-compliance might mean the end of a company, the risk of staying in Europe is sometimes too high for young, innovative and fast-moving companies. Our policy hack aims at showing DPAs that startups are serious about data protection and at helping to initiate a dialogue rather than fines and lawsuits. “Don’t shoot, high five.”