On january 1st 2016, a new law ‘meldplicht datalekken’ comes into effect. It forces all companies in The Netherlands to disclose any data breaches, or risk hefty fines. The law has serious implications for startups, especially if they work with sensitive data: edtech, fintech, healthcare, quantified self and internet of things.
The ‘meldplicht datalekken’ (obligation to disclose data breaches) is an extension to the already existing Dutch data privacy law. The idea behind the law is to protect personal privacy: something that is needed now that technology has generated a lot more sensitive information. There is European legislation in the making (the European privacy directive, in the making since 2012) but the Dutch government has decided to update the law ahead of the EU changes. The law improves security indirectly: the law forces company to reveal their mistakes and security mishaps. Hopefully this motivates companies to take security and privacy more serious.
Privacy law is especially import for startups. First of all because startups often need personal data to optimize their service: think personal recommendations or location-aware services. Secondly because startups do more business model changes, which means that they risk using data in ways they do not have permission for. It is therefore important for startups to know Dutch privacy laws and how to apply them to their processes. At least one Dutch education startup was investigated last year by the privacy authority (College Bescherming Persoonsgegevens – CBP).
Privacy law summary for startups
Here is the gist of the updated privacy law, with a focus on startups:
- Any data point that can be related to a person is personal data. This includes fingerprints, phone numbers, bank accounts, car details, sleep patterns and IP addresses.
- Startups must have reasonable security measures in place to protect personal data.
- Sensitive personal data (health, religion and a few other categories) must be protected even more strongly.
- Startups need explicit permission for the purpose of any personal data processing. Data collected for one purpose (e.g. service) cannot be reused for another purpose (e.g. marketing)
- (new) If any personal data is leaked through a security incident, this must be reported immediately to the privacy authority and to the people involved
- (new) Any company not complying to the rules can get a fine of up to 810.000 euros. For google-sized companies higher fines are also available, based on percentage of revenue.
Many companies see privacy laws as a legal issue, and solve it by having terms and conditions in place. As you can see from the list above, legal measures alone are not enough: startups need to actually design and run their business with privacy and security in mind. Note that the law also applies to B2B startups: if your customer is a one-person company, it has a right to privacy.
Just being a victim of data theft is not a crime per se, and will not automatically lead to a fine. Things become awkward if you break more than one rule: if data is stolen from you that you are not supposed to have, and that you used for the wrong purpose, you have a problem. In the past, companies decided to keep such incidents secret. This will be clearly illegal and the fines are high to discourage this kind of behaviour. We do not recommend any startup to break the rules, but we do encourage startups that are bending the rules to drastically improve their IT security before January 1st.
Avoiding the rules
There is some good news and loopholes, especially for early stage startups. The rules only apply to automatic data processing. If your food delivery service has fewer than 10 customers and you process data by hand, you are allowed to play around with the data. The privacy law also mentions that there are fewer restrictions if you use data for journalistic or literary purposes. So you more room to experiment with data if you keep it small and personal. As soon as it becomes a business, you need to have permission and security in place.
To help companies comply with data privacy laws, there is a workshop ‘personal data protection’, organized by the author via SoftwareZaken. Next dates are August 27 or sept 15. The workshop normally costs € 125 (buy normal ticket here), but there are a few free spaces available for startups. Drop a mail to sieuwert @ startupjuncture.com for a free spot or check out the website (Dutch).
Also if you have startup specific experience or recommendations for privacy law, let us know in the comments.