{"id":8593,"date":"2021-10-26T08:55:04","date_gmt":"2021-10-26T08:55:04","guid":{"rendered":"http:\/\/TheNextWeb=1371121"},"modified":"2021-10-26T08:55:04","modified_gmt":"2021-10-26T08:55:04","slug":"your-startup-isnt-ready-for-europes-privacy-shake-up-but-heres-how-it-can-be","status":"publish","type":"post","link":"https:\/\/www.londonchiropracter.com\/?p=8593","title":{"rendered":"Your startup isn\u2019t ready for Europe\u2019s privacy shake-up \u2014 but here\u2019s how it can be"},"content":{"rendered":"\n<div><img decoding=\"async\" src=\"https:\/\/img-cdn.tnwcdn.com\/image\/growth-quarters?filter_last=1&amp;fit=1280%2C640&amp;url=https%3A%2F%2Fcdn0.tnwcdn.com%2Fwp-content%2Fblogs.dir%2F1%2Ffiles%2F2021%2F10%2Feu-privacy-shake-up-gq.jpg&amp;signature=6af42b6001a92d9faa4d0f767f84efc8\" class=\"ff-og-image-inserted\"><\/div>\n<p><span>For decades, people have proclaimed the now-common refrain that \u201cprivacy is dead.\u201d I often think back to Scott McNealy, then CEO at Sun Microsystems, claiming in 1999 that \u201cyou have zero privacy anyway\u2026 get over it.\u201d<\/span><\/p>\n<p><span>I wouldn\u2019t go as far as saying that leaders at startups hold such a strong disregard for privacy, but I do find many taking the stance that the world\u2019s strictest data privacy laws don\u2019t apply to them. 
If you fall into this category, you ought to know that privacy isn\u2019t dead, and a new era of privacy is being quietly ushered in across Europe.<\/span><\/p>\n<p><span>Earlier this year the European Commission (EC) issued its long-awaited update to<\/span><a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/international-dimension-data-protection\/standard-contractual-clauses-scc_en\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span> \u2018Standard Contractual Clauses\u2019<\/span><\/a><span> (SCCs), which represent the most frequently used mechanism to transfer your customers\u2019 personal data out of the EU, including to the US.<\/span><\/p>\n<p><span>If you\u2019re a business that operates in or with Europe, these new updates \u2013 and the constantly shifting privacy landscape more generally \u2013 matter. Following them incorrectly, or not taking them seriously at all, can be extremely costly.&nbsp;<\/span><\/p>\n<p><span>So, let\u2019s look at some of these new privacy updates in more detail and I\u2019ll then share some lessons I learned while working on privacy issues at a startup that processes vast amounts of user data.<\/span><\/p>\n<h2><b>A new era of privacy, and the fine print you probably missed<\/b><\/h2>\n<p><span>The question of where your data exists and who has access to it is becoming one of the most complex and significant questions in startup land.<\/span><\/p>\n<p><span>On the one hand, the booming SaaS startup ecosystem means that we are now more reliant than ever on the cloud, where servers often reside abroad. 
On the other, there are ever-changing regional data rights as different jurisdictions embrace data sovereignty and privacy rights for users.<\/span><\/p>\n<p><span>This friction has now made its way to the courts, and just last year the EU issued a <\/span><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=en&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=12312155\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>ruling<\/span><\/a><span> (dubbed \u2018Schrems II\u2019) that invalidated the \u2018<\/span><a href=\"https:\/\/www.privacyshield.gov\/program-overview\" target=\"_blank\" rel=\"nofollow noopener noreferrer\"><span>Privacy Shield<\/span><\/a><span>,\u2019 or the mechanism that was being used to get data out of Europe and into American data centers for processing. Then came the update to the SCCs.&nbsp;<\/span><\/p>\n<p><span>The basic premise of this update was to bring in new SCCs to govern the transfer of personal data from the EU to third countries, designed to better protect Europeans from mass surveillance, a particular concern with regard to the US.<\/span><\/p>\n<p><span>If you\u2019re operating in or doing business with European residents, international data flows are probably an essential part of your business in an increasingly digital global economy. You might not even be aware that your digital product relies on microservices from a partner that sees user data processed in a third country.<\/span><\/p>\n<p><span>Let\u2019s take for example our product at Mixpanel. We provide SaaS-based product analytics technology, which, by its nature, tracks user behavior within apps so product experts can improve the user experience.&nbsp;<\/span><\/p>\n<p><span>If you use our product, until recently you\u2019d have been sending data to us that was processed in the US, perhaps without fully realizing the implications. 
We\u2019ve now got full EU data residency to overcome this issue, but we\u2019re very much in the minority.<\/span><\/p>\n<p><span>And this should be the number one issue concerning startups. Has our surface area for liability and risk just been hugely expanded? If I put this in simpler terms: you\u2019re a fintech that has contracts with seven companies providing services via APIs. Those seven companies also contract with a further 10 companies each, which now means your risk surface has expanded from seven companies to 70.<\/span><\/p>\n<p><span>So, what can busy startups do to reduce their risk and ensure they\u2019re delivering on privacy obligations for the people that use their services?&nbsp;<\/span><\/p>\n<p><span>In my view, there are three golden rules that can help a startup navigate this complexity.<\/span><\/p>\n<ol>\n<li aria-level=\"1\"><b>Locate user data in Europe whenever possible:<\/b><span> Depending on your infrastructure and ability to invest, you\u2019ll need to form a judgment as to whether you can ensure your users\u2019 data is stored and processed exclusively in Europe.&nbsp; <\/span><\/li>\n<li aria-level=\"1\"><b>Always maintain a \u2018data map\u2019:<\/b><span> It is vital to take an \u201caudit\u201d of the microservices and ancillary support services that underpin your main products. In doing so, you can better understand that data ecosystem and your risk surface across third-party suppliers.<\/span><\/li>\n<li aria-level=\"1\"><b>Seek European legal entities as partners:<\/b><span> It\u2019s possible authorities in the US could access data that was in the Netherlands, but was operated by a US-based company. 
The contracting party matters, so it\u2019s important to partner with legal entities across different regional operations based in the EU.&nbsp;<\/span><\/li>\n<\/ol>\n<p><span>There\u2019s simply no avoiding this issue in the long term. People increasingly care about data privacy and with the changes to the SCCs the EU has further signaled the importance it attaches to data residency. With local regulators soon to release their guidance and interpretation within member states, now is the time to act.&nbsp;<\/span><\/p>\n<p><span>The movement for improved privacy isn\u2019t dead, it\u2019s just getting started.&nbsp;&nbsp;<\/span><\/p>\n<p> <a href=\"https:\/\/thenextweb.com\/news\/startups-european-privacy-shake-up-preperation\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For decades, people have proclaimed the now-common refrain that \u201cprivacy is dead.\u201d I often think back to Scott McNealy, then CEO at Sun Microsystems, claiming in 1999 that \u201cyou have zero 
privacy&#8230;<\/p>\n","protected":false},"author":1,"featured_media":8594,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts\/8593"}],"collection":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8593"}],"version-history":[{"count":0,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/posts\/8593\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=\/wp\/v2\/media\/8594"}],"wp:attachment":[{"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.londonchiropracter.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}