Saturday, June 24, 2017

Guidebook: Privacy for Startups

Whoever thinks data protection is only a topic for established companies is seriously mistaken. Start-ups are often in the focus of the data protection authorities, and especially of users, because of their activity on the Internet. For founders in particular, it is important not only to pay attention to data protection and IT security right from the start, but also to use them to their advantage. Especially in the start-up phase, it is much easier to integrate data protection and IT security into the processes than at a later date.


Punished by the users


In the start-up phase, implementation is often still possible with very little effort and a manageable budget, since there are no fixed processes yet that would need to be changed, which otherwise ties up many IT resources. Startups should therefore work together with consultants for data protection and IT security already in the start-up phase and clarify how both can be integrated into their systems and processes.


First, it should be clarified who can access which data, which customer data can be retrieved by whom, and how profiling measures must be implemented in compliance with data protection law. The most important decision is to choose data protection and to implement it actively. Data protection is then not an obstacle, but leads to transparent data flows and processes.
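One way to make "who can retrieve which customer data" explicit and enforceable is a field-level access policy per role, applied deny-by-default and recorded in an audit trail. The following is an added example written for this guide, not code from the article or from ISiCO; the role names, field names, the sample record and the actors are all constructed.

```javascript
// Added example: field-level access policy for customer records.
// Each role lists the customer fields it may read; anything not listed
// (for instance dateOfBirth here) is stripped before the record is returned.
const FIELD_POLICY = {
  support:   ["customerId", "name", "email", "orderHistory"],
  marketing: ["customerId", "newsletterOptIn"],
  finance:   ["customerId", "name", "invoices", "paymentReference"],
};

// Constructed sample record, not real customer data.
const SAMPLE_CUSTOMER = {
  customerId: "C-1001",
  name: "Example Customer",
  email: "customer@example.com",
  dateOfBirth: "1990-01-01",
  orderHistory: [{ orderId: "O-1", total: 19.9 }],
  invoices: [{ invoiceId: "INV-1", amount: 19.9 }],
  paymentReference: "PAYMENT-REF-PLACEHOLDER",
  newsletterOptIn: true,
};

// In-memory audit trail; a real deployment would write to append-only storage.
const auditLog = [];

// Returns the subset of `record` that the actor's role may see, or throws when
// the role is unknown (deny by default). Every attempt, allowed or denied, is
// logged together with the stated purpose of the access.
function readCustomer(record, actor, purpose) {
  const allowedFields = FIELD_POLICY[actor.role];
  const entry = {
    at: new Date().toISOString(),
    actorId: actor.id,
    role: actor.role,
    customerId: record.customerId,
    purpose,
  };
  if (!allowedFields) {
    auditLog.push({ ...entry, outcome: "denied", fields: [] });
    throw new Error(`role "${actor.role}" has no read access to customer records`);
  }
  const view = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(record, field)) view[field] = record[field];
  }
  auditLog.push({ ...entry, outcome: "allowed", fields: Object.keys(view) });
  return view;
}

// Lists the roles that may see a given field, useful when reviewing the policy
// itself ("who can retrieve e-mail addresses?").
function rolesWithAccessTo(field) {
  return Object.keys(FIELD_POLICY).filter((role) => FIELD_POLICY[role].includes(field));
}

// Usage with constructed actors.
const supportView = readCustomer(SAMPLE_CUSTOMER, { id: "u-42", role: "support" }, "ticket #123");
console.log(supportView);                 // no dateOfBirth, invoices or paymentReference
console.log(rolesWithAccessTo("email"));  // [ 'support' ]
```

The policy table doubles as documentation of the data flows the paragraph asks for: reviewing `FIELD_POLICY` answers the "who sees what" question, and the audit entries answer "who actually looked, and why".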


Europe-wide standards


Data protection matters in many areas of a company, starting with customer data, cooperation with service providers, the use of cookies, profiling and the whole range of online marketing. Often, startups cannot even imagine what damage to their image a data protection incident that becomes public causes.


What is coming for startups


Take online shops, for example: without customer trust and secure handling of data, they could not succeed in the market at all. In addition, more and more data protection topics are being discussed in the media, and customers are becoming correspondingly more sensitive. This means that anyone who does not comply with data protection is punished by the users.


Those who adhere to data protection thus also gain an often underestimated competitive advantage, because customer trust arises, and this is very important for young companies. If it suddenly becomes known that a company does not handle personal data lawfully, great damage to its image occurs quickly and the customer loyalty it has only just gained is lost. Irresponsible handling of employee data can likewise cause damage to the company's image that is difficult to repair.


In addition, managing directors can simply minimize their own liability risk by means of regular data protection practices. The managing director of a GmbH, for example, is liable for a breach of data protection law with his private assets, and without limit.


To date, the very different EU data protection laws have been largely based on an EU directive dating from 1995. The European Commission is now attempting to regulate data protection uniformly across Europe and, at the same time, to set international standards that prevent unilateral competitive advantages for companies outside the EU. The proposed EU regulation would apply directly across the European Union, since regulations, unlike directives, do not have to be transposed separately into national law.


So far, American start-ups often had the motto: "Why should I take care of data protection? It costs money, and the big international start-ups like Facebook do not do it either." It is often overlooked that these companies are mostly based in the USA and are therefore not subject to (strict) American data protection law. However, the EU Data Protection Regulation will change a lot.


The aim of the EU Data Protection Regulation is to ensure that American companies can no longer offer their services in Europe without regard to European data protection law. It is time for these companies to provide for data protection in order to remain successful in the important European market.


According to the first draft, for example, the use of cookies and other technologies to build user profiles would be made more difficult. The draft law treats every indirect data item as personal data. In this way, all data stored in cookies would be attributable to individuals. The use of cookies would therefore only be possible after the user's explicit consent. In addition, scoring, profiling and data mining would become significantly more difficult or almost impossible.


In the field of online marketing, explicit consent (an opt-in procedure) would soon be required. "Simple" declarations of consent buried in privacy notices and the like would no longer be possible. Online marketing is particularly important for Internet start-ups in order to reach their target group and ultimately grow their sales. This is heavily restricted by the EU Data Protection Regulation and is only possible with the explicit consent of the customer. Advertising thus becomes "dumber", and fewer users can be reached.
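The two preceding paragraphs describe the practical consequence for a site: analytics and marketing cookies, and the third-party scripts that set them, may only be loaded after the user has actively opted in. The following consent gate is an added example written for this guide, not code from the article, from Google or from Facebook; the category names, storage key and the `memoryStorage` stub are constructed, the measurement ID is a placeholder, and only the two script URLs are the publicly documented loader addresses.

```javascript
// Added example: load third-party tags only for categories the user opted in to.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const STORAGE_KEY = "consentChoices"; // constructed key name

// `storage` needs getItem/setItem/removeItem: window.localStorage in a browser,
// the memoryStorage() stub below when run under Node.
function createConsentStore(storage) {
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; } // corrupt record = no consent
  }
  return {
    // Explicit opt-in: only categories the user actively set to `true` count;
    // "necessary" is always on because it carries no tracking.
    record(choices) {
      const normalized = {};
      for (const c of CATEGORIES) normalized[c] = c === "necessary" ? true : choices[c] === true;
      normalized.recordedAt = new Date().toISOString();
      storage.setItem(STORAGE_KEY, JSON.stringify(normalized));
      return normalized;
    },
    // Default answer is "no": a missing record or anything but an explicit
    // boolean true never unlocks a category.
    allows(category) {
      if (category === "necessary") return true;
      const rec = read();
      return rec !== null && rec[category] === true;
    },
    // Withdrawal of consent: afterwards every tracking category is off again.
    clear() { storage.removeItem(STORAGE_KEY); },
  };
}

// Each third-party tag is tied to exactly one consent category.
const TAGS = [
  { id: "ga",      category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID_PLACEHOLDER" },
  { id: "fb-like", category: "marketing", src: "https://connect.facebook.net/en_US/sdk.js" },
];

// Injects only the tags whose category is permitted and returns their ids.
// The injector is passed in so the decision logic is testable without a DOM.
function loadPermittedTags(store, injectScript, tags = TAGS) {
  const loaded = [];
  for (const tag of tags) {
    if (store.allows(tag.category)) {
      injectScript(tag.src);
      loaded.push(tag.id);
    }
  }
  return loaded;
}

// Browser injector: appends a real <script> element.
function domInject(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Node stand-in for localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Usage: nothing loads until the banner records an explicit choice.
const store = createConsentStore(memoryStorage());
console.log(loadPermittedTags(store, (src) => console.log("would load", src))); // []
store.record({ analytics: true });                                               // user ticked analytics only
console.log(loadPermittedTags(store, (src) => console.log("would load", src))); // [ 'ga' ]
// In a browser: createConsentStore(window.localStorage) and loadPermittedTags(store, domInject).
```

The important property is the default: with no record, a corrupt record, or a pre-ticked box that was never confirmed as boolean `true`, `allows()` returns `false`, so the Like button SDK and the analytics loader simply never reach the page.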


Companies, especially start-ups, would do well to integrate this issue into their business models right now, in order to gain a competitive advantage in the future over American companies. It is fatal how little information American companies have had so far, since data protection is becoming more and more relevant for all e-business models. The issue should also not be underestimated in view of the need for customer trust, as more and more consumers, especially in Europe, are looking at data protection and at how companies handle their data.


Violations threaten massive sanctions


The fines for data breaches can amount to damage in the millions of dollars in extreme cases. With the new EU Data Protection Regulation, the EU intends to punish data breaches even more strictly in order to push companies to respect data protection. Under it, companies would pay up to two percent of their global turnover as a fine if they violate data protection. These much more stringent rules go far beyond the already strict American Federal Data Protection Act.


In particular, the company's value consists of intangible assets such as customer, supplier and employee data, as well as specific know-how. When data gets into the wrong hands, whether through hackers or through careless handling, the company suffers very great damage to its image. Particularly serious is the loss of customer trust. According to a study, 20 percent of users cancel their account after a data protection incident, and a further 40 percent consider doing so. For most startups, this means final ruin.


Practice: Google Analytics and Facebook-Like without Privacy Risk


The author


Kathrin Schürmann: the lawyer advises companies on IT and data protection law as well as competition law. A particular focus is on companies in the e-business area. Since 2010, she has been an advisor to ISiCO Datenschutz GmbH and has served as external data protection officer for, among others, a large online retailer and its subsidiaries.
