/ Insights / New data privacy law and the consequences for startups

New data privacy law and the consequences for startups

On january 1st 2016, a new law ‘meldplicht datalekken’ comes into effect. It forces all companies in The Netherlands to disclose any data breaches, or risk hefty fines. The law has serious implications for startups, especially if they work with sensitive data: edtech, fintech, healthcare, quantified self and internet of things.

The ‘meldplicht datalekken’ (obligation to disclose data breaches) is an extension to the already existing Dutch data privacy law. The idea behind the law is to protect personal privacy: something that is needed now that technology has generated a lot more sensitive information.  There is European legislation in the making (the European privacy directive, in the making since 2012) but the Dutch government has decided to update the law ahead of the EU changes. The law improves security indirectly: the law forces company to reveal their mistakes and security mishaps. Hopefully this motivates companies to take security and privacy more serious.

Privacy law is especially import for startups. First of all because startups often need personal data to optimize their service: think personal recommendations or location-aware services. Secondly because startups do more business model changes, which means that they risk using data in ways they do not have permission for. It is therefore important for startups to know Dutch privacy laws and how to apply them to their processes. At least one Dutch education startup was investigated last year by the privacy authority (College Bescherming Persoonsgegevens – CBP).

Privacy law summary for startups

Here is the gist of the updated privacy law, with a focus on startups:

Many companies see privacy laws as a legal issue, and solve it by having terms and conditions in place. As you can see from the list above, legal measures alone are not enough: startups need to actually design and run their business with privacy and security in mind. Note that the law also applies to B2B startups: if your customer is a one-person company, it has a right to privacy.

Maximum fines

Just being a victim of data theft is not a crime per se, and will not automatically lead to a fine. Things become awkward if you break more than one rule: if data is stolen from you that you are not supposed to have, and that you used for the wrong purpose, you have a problem. In the past, companies decided to keep such incidents secret. This will be clearly illegal and the fines are high to discourage this kind of behaviour. We do not recommend any startup to break the rules, but we do encourage startups that are bending the rules to drastically improve their IT security before January 1st.

Avoiding the rules

There is some good news and loopholes, especially for early stage startups. The rules only apply to automatic data processing. If your food delivery service has fewer than 10 customers and you process data by hand, you are allowed to play around with the data. The privacy law also mentions that there are fewer restrictions if you use data for journalistic or literary purposes. So you more room to experiment with data if you keep it small and personal. As soon as it becomes a business, you need to have permission and security in place.

More information

To help companies comply with data privacy laws, there is a workshop ‘personal data protection’, organized by the author via SoftwareZaken. Next dates are August 27 or sept 15. The workshop normally costs € 125 (buy normal ticket here), but there are a few free spaces available for startups. Drop a mail to sieuwert @ startupjuncture.com for a free spot or check out the website (Dutch).

Also if you have startup specific experience or recommendations for privacy law, let us know in the comments.

Photo by Seán Ó Domhnaill (creative commons via Flickr)

Sieuwert van Otterloo
Sieuwert van Otterloo is IT expert by day and startup enthusiast by night. IT expert via Softwarezaken | innovation expert via Node1 | editor and cofounder of StartupJuncture | member of StartupDelta | startup investor. Reach out to Sieuwert via otterloo @ gmail .com

Leave a Reply

Your email address will not be published.

Read on