Simplifying Data Protection
Data protection law, such as the GDPR, imposes a host of obligations on you if you use personal data. It can be complex, time-consuming, expensive, and risky, to manage all of those obligations.
If you’re a small business, or have limited resources, it can get very tricky. You might not have the headspace or capacity to get it under control, but getting it wrong can mean damage to your reputation, legal fees, fines, and a whole lot of work.
What’s the answer? In this situation, there are a few things you can do. We’ll often recommend aiming for low-hanging fruit. We can help you identify the biggest risks to deal with using the least resources.
However, once you’ve started down certain paths, compliance risk is unavoidable unless you change the way your business or products work. If you need to avoid risk and compliance work as far as possible, the best thing you can do is deal with it at the source, and minimise or eliminate the activities giving rise to risk in the first place.
This table isn’t comprehensive, but if you avoid (where possible) doing things in the left-hand column, you’ll be well on your way to reducing data protection risks, and the work (and costs) you’ll need to deal with to address them.
| Themes | How it helps |
| Collecting data Obvious, perhaps. Still, before you decide to collect any personal data, think about why you want it. If your product or business works without it, and you can skip collecting it, then you’ll have less to worry about. | Less use of personal data means: (i) fewer and shorter privacy notices; (ii) less time assessing whether you’re legally entitled to use personal data and justifying it; (iii) less time spent trying to keep it secure; (iv) less time spent dealing with requests from data subjects about their data, and developing processes to give people access to their data. |
| Working with kids Children are more vulnerable and get special protection under data protection law. If you must work with children, then by minimising the information you collect about them, you may be able to avoid a range of compliance hurdles. | If your services don’t involve children or their data, you won’t need to give as much thought to: (i) verifiable parental consent; (ii) child-specific rules like COPPA or the Age Appropriate Design Code; (iii) removing features which aren’t appropriate for children. |
| Cookies & profiles Everyone loves cookies (more info: Cookies, analytics and regulation) but, along with profiling, they mean extra legal work. If you avoid profiles, cookies & similar tech (e.g. local object storage, scripts, SDKs) apart from what’s strictly necessary to provide your service, it means less risk, fewer consent pop-ups, and a smoother experience. | Cookies and similar tech require consent, unless they’re strictly necessary. Analytics, targeting, traffic and behaviour analysis, are not normally strictly necessary. If you can avoid using cookies for this kind of activity, and do away with profiling, fingerprinting, and gathering additional information about users and visitors, it will help you reduce the range of notices and consent pop-ups you show, and the legal assessments you need to carry out. |
| Going global Data protection law varies around the world. If you’re operating in the UK or Europe, there are restrictions which limit how you can send data abroad to other countries where the law might not protect it in the same way. | Transfers to countries which aren’t deemed to have “adequate” protection for personal data are restricted. This means you’ll normally need to put in place additional safeguards, for example more extensive contracts. You’ll also need to assess whether the steps you take are enough to keep that personal data safe, which can be a difficult exercise. |
| Collaborating Sharing is caring, but not always. If you share personal data with suppliers, partners, contractors and others, you increase the risk to that data. Finding ways to limit data sharing will help reduce the work you need to do to protect it. | When suppliers work with your personal data, you’ll typically need an additional data processing agreement with them. If you share data with others for their own purposes, you will need to assess whether you are joint, or independent data controllers, and consider things like the Data Sharing Code of Practice, and joint controllership arrangements. |
| Getting Personal Some data is special. Information about racial or ethnic origin, philosophical beliefs, health, sexual orientation, criminal offences, and other sensitive matters, gets extra protection under data protection law. If you’re going to use any of this, be prepared to put in extra work to make sure you can do so lawfully. If you can avoid getting your hands on this kind of information, it’s going to make things easier for you. | If you don’t use “special category” data or data relating to criminal offences, then you won’t need to find extra justifications for using that data (such as explicit consent and other tough criteria under Article 9 GDPR). You can also skip preparing additional documentation and policies – for example, if you don’t use this kind of data, you are less likely to need an “Appropriate Policy Document.” |
