In episode 11 of our lifecycle of a tech startup series, KNow Wear Limited entered into a contract with a manufacturer to produce the initial batch of their wearable wellbeing device. In advance of trialling the product with a test group of 100 consumers you, Sarah and Chris are now turning your attention to compliance with data protection legislation, given that the trial phase will mark the commencement of the company processing a significant volume of consumer personal data. Users will need to provide their personal details in order to register an account with KNow Wear and reap the full benefits of the wellbeing wearable via the web-based platform which works alongside it.
Sarah is aware that failure to comply with the UK GDPR can come at a high price. She attended a data protection training session run by a former employer during which she learnt that the maximum fine chargeable by the Information Commissioner’s Office (ICO) for a breach of the legislation is the higher of: (i) £17.5m; and (ii) 4% of the total annual worldwide turnover of the infringing organisation in the financial year preceding the breach.
Our founders are pragmatic and realise that full compliance with data protection legislation will be a lengthy journey; however, they’re keen to get moving and so focus on a handful of initial material actions.
REGISTER WITH THE ICO
Under the UK GDPR, a data controller is an organisation which collects and determines the purposes for which the personal data of an individual is processed. KNow Wear is a controller in respect of the data that it collects from its users and the staff data that it processes. Save in the case of a handful of exemptions, data controllers must register with the ICO and pay a yearly fee (typically no more than £40). After using the ICO’s registration self-assessment tool, you are satisfied that KNow Wear needs to register with the ICO and you do so online.
One of the seven key principles which underpin the GDPR is ‘lawfulness, fairness and transparency’. One of the ways in which this principle is reflected in the legislation is the obligation for data controllers to provide certain information to individuals when they collect personal data from them. This includes (but is not limited to):
- The name and contact details of the controller.
- The purpose and lawful basis for processing the data.
- How long the personal data will be retained by the controller.
- The rights the individual has in relation to their personal data under the GDPR, such as rights to access, rectification and erasure.
This information is to be set out in a privacy notice and so you produce two versions for KNow Wear: one aimed primarily at the consumers who will purchase KNow Wear’s wearable device; and another which is to be provided to KNow Wear’s employees and which focusses on how their data is processed by the company.
CONTRACTS WITH DATA PROCESSORS
Under the UK GDPR a data processor is defined as an organisation which processes personal data on behalf of a controller. When a controller engages a processor the UK GDPR states that the parties must enter into a written agreement setting out specific terms which collectively bind the processor to processing the data in accordance with UK GDPR standards. Details of the mandatory provisions to be included in the contract are set out here on the ICO’s website, and include obligations upon the processor to only process personal data in accordance with the controller’s written instructions (unless required to do so by law) and to implement appropriate IT security measures in respect of the data processed.
KNow Wear’s cloud-based platform (which complements its wearable) is hosted by Amazon Web Services (AWS) and so, as a result of storing the consumer data captured by the platform on behalf of KNow Wear, you identify that AWS is engaged by KNow Wear as a data processor. Fortunately, AWS’ standard terms of service include a data processing addendum (DPA) containing all of the mandatory provisions referred to above. However, you’re mindful that once consumers start to use the wearable, technical support will be provided to them by a third-party IT consultancy engaged by KNow Wear. As data protection was not covered in the consultancy agreement the parties have entered into, you put in place a DPA to sit alongside it given that KNow Wear’s consultants will be processing personal data on behalf of the company.
Email marketing is a key element of KNow Wear’s marketing strategy and the company’s website includes an invite for consumers to sign up for email updates on the release of the wearable prior to its launch. Marketing emails to consumers are governed both by the UK GDPR and the accompanying e-privacy regulations (the Privacy and Electronic Communications Regulations, aka ‘PECR’). Under PECR, the default position is that consumers must provide prior, clear and specific consent to email marketing communications. As a result, you update the website at the point of data capture to include a short written message making it clear that by submitting their name and email address and ticking a consent box, consumers are consenting to the receipt of marketing communications from KNow Wear Limited relating to its products. A link to KNow Wear’s privacy notice is also set out in this message to provide full transparency as to how the business processes consumer data.
The default position above isn’t the only means by which marketing emails can be sent to consumers. PECR also includes soft opt-in rules which allow marketing emails to be sent to consumers who have bought your wearable and did not opt out of marketing messages at the time of the purchase. In such circumstances, you may send email marketing messages to those consumers both about the wearable and similar products or services even if they haven’t consented, provided that they are given a clear chance to opt out of the receipt of marketing messages, both when their contact details were first collected and in every subsequent marketing message which is sent to them. Given that position, in advance of taking online orders for the wearable, you update the beta e-commerce pages of KNow Wear’s website to include a clear message asking if purchasers would like to opt out of the receipt of marketing emails from the company in the future, and you ensure that all of the company’s marketing emails contain a link to a simple online means of unsubscribing from further marketing emails.
CROSS-BORDER DATA TRANSFERS
Under the UK GDPR a transfer of personal data to a country outside of the UK is considered a ‘restricted transfer’. Depending on where the data is being sent, certain safeguards may need to be put in place before it can be sent. The UK has ‘adequacy regulations’ in place in relation to certain jurisdictions and no special safeguards need to be put in place when data is sent to those countries. The jurisdictions covered by adequacy decisions are all European Economic Area countries, Gibraltar, Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Israel, New Zealand, Switzerland, Uruguay, Japan and Canada.
However, the IT consultancy referenced above (which KNow Wear has engaged to provide technical support in respect of its wearable) has technical personnel based in India who will receive UK consumer personal data. As a result, such transfers are deemed restricted transfers under the UK GDPR and you will need to put in place an appropriate safeguard before making them. The easiest way of complying with that obligation, in order to facilitate an ongoing flow of personal data to the IT consultancy, is to put in place an International Data Transfer Agreement (IDTA) with them. An IDTA is a largely template contract which has been approved by the ICO and which contractually binds an organisation based in a jurisdiction which is not subject to an adequacy decision to processing the personal data it receives in accordance with UK GDPR standards. You therefore ensure that KNow Wear Limited and the IT consultancy sign an IDTA in order to safeguard the transfer of KNow Wear customer data to India.
The steps set out above do not constitute an exhaustive list of the steps KNow Wear needs to take in order to achieve full compliance with the UK GDPR, but they are certainly a strong start in that direction. In addition to the above, you, Sarah and Chris decide to draw up a plan toward full compliance with the UK GDPR and you consult both the ICO’s hub for SMEs and KNow Wear’s lawyers for guidance in that regard.
Meanwhile, you, Sarah and Chris push on with the testing of the wearable in preparation for taking it to market and start to consider whether more funding is needed for the company in advance of launching the product.