Where is your clients’ data going – could your business be in breach of Data Protection Regulations?

Global interconnectivity is at the core of many businesses' operations. If your business is not mapping its data flows, it could find itself in breach of the transfer rules.
Any UK-based business that collects or processes any type of data which may identify an individual, such as names, addresses or other personal information (‘Personal Data’), is subject to the UK General Data Protection Regulation (‘GDPR’) and must ensure it has appropriate safeguards in place when storing and processing any such Personal Data.
The Penalties
The Information Commissioner’s Office (‘ICO’) has in recent years taken a less forgiving approach when evaluating breaches of GDPR, with the number of fines issued in 2022 tripling in comparison to the years prior. Whilst the best-known enforcement actions usually involve much larger companies (most recently, for example, TikTok Information Technologies UK Limited and TikTok Inc), actions have also been brought against much smaller companies for accidental breaches. Founders of early-stage start-ups must therefore be vigilant in ensuring that they act in accordance with data protection legislation, as even an accidental breach can amount to an infringement of GDPR.
Areas of Risk
One area where early-stage start-ups are at significant risk of infringing data protection legislation is the back-end development of their websites, applications and other online services: for example, the construction and use of an application programming interface (API) that enables the website or application to query databases and return search results to the user. The risk arises where Personal Data is transferred during back-end development to a receiver (a separate controller or processor that is legally distinct from the entity making the transfer) located outside the UK. This is known as a restricted transfer.
Even a business which has complied with GDPR and implemented appropriate safeguards to mitigate potential data breaches when processing data within the UK may be subject to enforcement action by the ICO if a restricted transfer occurs during back-end development. This is particularly likely where a business has developers, databases, servers and applications located outside the UK and Personal Data is transferred to them: for example, where a developer based outside the UK extracts Personal Data while testing the website, application or other online interface. For this reason, particular attention must be paid to back-end development and, more specifically, to where Personal Data is stored and processed in the relevant database, server and/or application.
Safeguarding Measures
Where restricted transfers occur during back-end development, GDPR provides ‘adequacy regulations’ together with a list of transfer mechanisms and exemptions which may be relied on to ensure that the data processing and international transfers are GDPR compliant. However, as good practice, businesses should always ensure they integrate a comprehensive data protection policy and the relevant data protection clauses into any third-party agreements.
The Legal Incubator is designed to assist founders in balancing the need to save costs and extend their cash runway, with the need to ensure the complete regulatory compliance of their business. Please get in contact with us if you think we can assist in making sure that your business is GDPR compliant.