In today's episode, Patrick Massa from WH Partners answers some of the most frequently asked questions about the General Data Protection Regulation (GDPR).

As a start-up business, should I be GDPR compliant?

Any start-up business processing personal data throughout the course of its activities, be it personal data of its customers, employees or any other third parties, is legally bound by the provisions of the GDPR.

As a data controller, your business shoulders the highest level of compliance responsibility under the GDPR and should therefore be compliant with all data protection principles as well as other requirements. In doing so, and in order to demonstrate GDPR compliance, a data controller should have in place a set of data protection policies and procedures, which comprehensively set out the company's internal data privacy management. Amongst others, these should include a customer privacy notice, a data subject rights policy and a data retention policy.

Am I required to appoint a Data Protection Officer and who can take such a role?

Depends! A DPO should be appointed if the company's core business activities involve systematic processing of personal data on a large scale. In practice, this means that most customer facing companies, especially online based companies whose business model requires vast processing of their customer's personal data, should appoint a data protection officer. There are of course other instances whereby the GDPR requires the appointment of a DPO, that is in cases of public authorities and for companies which process sensitive personal data on a large scale.

A data protection officer can either be a direct employee of the company, who has expert knowledge of data protection law and practices, or an external consultant who would be able to advise the company on all GDPR compliance matters.

How should a personal data breach be handled?

Once a company detects a security incident, it should swiftly establish whether a personal data breach has also occurred and, if so, promptly take the necessary measures to address it.

It is therefore advisable for companies to implement an internal data breach reporting procedure, whereby specific details of the security incident are internally reported to the DPO. Such procedure shall enable the DPO to determine whether the data breach should be notified to the respective supervisory authority, and where necessary to the affected data subjects.

In this context, an efficient internal reporting system is key for a company to be able to report the data breach within the prescribed period of 72-hours from becoming aware of the breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.