GDPR first came into force over 7 years ago. At the time, it was one of the most revolutionary regulations to come out of the European Union. It changed data protection and privacy from a privilege into a right. But years later there is still a lack of clear guidance for people building apps, especially in the digital health space.
Guidelines as clear as mud
The GDPR set a major precedent for data protection and citizen rights in the EU. Its 99 Articles and 173 Recitals cover every conceivable aspect of data protection, legality of processing, data subject rights, etc. But there’s a catch. Like most EU laws, the GDPR is an example of “case law”. And it places the concept of “reasonableness” at its heart.
This is (or should be) a good thing. When you are developing an app, you should take reasonable steps to protect personal data. That is meant to mean that small companies with minimal amounts of data don’t need the same strict controls as multinationals handling millions of records. However, there’s a major catch. What is “reasonable” is meant to be interpreted based on legal cases (this is how things work in the US and UK, where things are governed by case law). But in practice, what is “reasonable” has been defined by the data protection authorities in each country.
The upshot has been a race to impose the strictest possible interpretation of reasonable measures, especially in the digital health space. This is doubly true in the DACH region, where data protection is especially important. So, by accident, the lack of clear guidelines has shifted the balance towards bigger companies that can afford expensive lawyers to manage risks and eventual legal challenges.
Four ways GDPR needs to be clarified
For startups, this lack of clarity imposes a huge burden. Often, tech teams are left with an impossible choice: build a completely locked down system to guarantee compliance, or build a system that can actually support the needs of the business.
So what are the key shortcomings in the way GDPR is defined?
- Security measures: specific security measures are not defined. For example, should encryption be within the database or at rest? What type of encryption is sufficient? Those things can’t be defined by a law, but they should be defined by implementation guidelines.
- Legitimate interest: there is no clear definition of what non-consented marketing and sales is. This means that large companies get away with abusing “legitimate interest” while startups struggle.
- Data retention periods: guidelines for how long data should be retained are vague and can differ significantly from country to country. They are often influenced by national laws like tax, labour, and consumer protection laws, which set specific retention periods.
- DPO requirements: the necessity of appointing a Data Protection Officer is often unclear. For example, GDPR mandates a DPO for companies involved in large-scale monitoring of individuals. However, what qualifies as "large scale" can vary by country, impacting whether you need a DPO or must conduct a Data Protection Impact Assessment (DPIA).
It’s not all doom and gloom
Fortunately, some problems are already being addressed (at least partially). But progress here is painfully slow.
- Cookie banners: The lack of clarity over these is meant to be solved by the ePrivacy regulation. This is in the works, but we are still waiting for it to be fully implemented.
- Legal basis for secondary data processing: This was always envisaged as a use case under GDPR, especially for health data. Now, finally, the European Health Data Space (EHDS) is taking the first steps towards this. But the timeline is measured in years!
So, what needs to be done about this?
GDPR lacks concrete and clear guidelines, and this impacts small businesses and startups. To date, the EDPB (European Data Protection Board) has taken a bottom-up approach, asking people to submit certification schemes for approval. This simply hasn’t worked. The EDPB needs to step in and create an absolutely clear set of guidelines for compliance. This will then allow bodies like ISO to create more usable standards.
Furthermore, the European Commission needs to step in and stop countries from adding an ever-growing list of specific interpretations of GDPR. One of the biggest mistakes made with GDPR was to treat it as a minimum standard, and allow countries to impose additional regulatory and legal burdens. This has led to an absurd situation where companies can be completely legally compliant with GDPR and still not be allowed to operate in some EU countries because of data protection issues.
How can Chino.io help?
At Chino.io, we work tirelessly to bridge this gap, making GDPR compliance more accessible for all.
After almost 10 years, it's time for clearer, more practical regulations that support startups and companies in their innovation processes without compromising data privacy.