The General Data Protection Regulation (GDPR) was adopted in April 2016 and will be applicable in May 2018. This new Regulation, while strengthening existing principles and extending their scope, adopts new concepts as well. Moreover, it brings full harmonization of the legal framework, since it will directly replace the current national rules implementing the Data Protection Directive 95/46/EC.
The European data protection regime, as it is maturing today, is guided by important principles and obligations for processing personal data of individuals such as:
- The purpose limitation principle: personal data should be collected for specified, explicit and legitimate purposes, and the collection thereof should be limited to what is necessary to achieve those purposes;
- The consent of the individual: most of the time, the collection of personal data requires the consent of the data subject, except in cases where the processing is necessary, for example, for the performance of a contract to which the data subject is party or for compliance with a legal obligation;
- The transparency principle: extensive information should be provided, including the identity of the person collecting the data, the purposes of the processing, the recipients of the personal data collected and the period for which the data will be stored;
- Rights of the data subject: to request access to, rectification or erasure of their personal data, but also a right to data portability and a right to object to profiling;
- Integrity and confidentiality: personal data should be processed with a high level of security;
- Accountability: a new obligation resulting from the adoption of the new Regulation is the obligation to keep records of processing activities and therefore to maintain a certain level of documentation;
- Privacy by design and by default: privacy should be considered from the very beginning of the design of a new service and should, by default, be given a high level of protection.
Many start-ups offer data-based services (data analytics services, or services in which data analytics are integrated), and personal data are often among the data analysed. This means that the start-up has to take into consideration the protection of the personal data of (potential) customers, users or even non-users. The purpose of the new Regulation is to enhance individuals' trust in new technologies and new innovations. At a time when serious concerns are being raised about the multiple and obscure uses of personal data, users will supposedly favour services which are transparent and trustworthy in relation to the protection of their personal data.