About GDPR

The new EU data protection regime extends the scope of the EU data protection law to all EU and foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier also for non-European companies to comply with these regulations.
  • Effective since May 25, 2018
  • Regulation applies to any organization, public and private alike, that processes or stores the personal data of EU residents
  • Affects organizations that reside and operate within the EU
  • Also all international organizations whose customers reside within the EU
  • Whether you have one or one million customers residing within the EU
  • Unlike a directive, it does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable
  • Organizations that fail to achieve compliance could be fined up to 4% of annual revenue or €20,000,000 (whichever is greater)

In Startup Ecosystem Context

For context, GDPR applies to
  • all government digital services that are handling individuals data (EU citizens), including students, talent, entrepreneurs, investors, mentors, speakers etc. 
  • all support service functions and organizations digital services recording user data and users transactions, like; CRM's, event systems, job boards, discussion forums, productivity tools, investor networks, application processes, social networks, etc.
  • all existing companies, new companies and startups providing or building digital services for individual users
"The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify regulations for international businesses by unifying the requirements for data protection across the EU."

​Under EU rules, you have the following rights or obligations:

​As an Individual:
  • Your data may be collected and used only under strict conditions and you must always be informed about the intention to collect and use your data.
  • Data controllers must respect your rights while processing personal data entrusted to them.
  • You have the right to know the name of the controller, what the processing is going to be used for, to whom your data may be transferred;
  • You have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;
  • You are entitled to ask the data controller if he or she is processing personal data about you;
  • You have the right to receive a copy of this data in intelligible form;
  • You have the right to ask for the deletion, blocking or erasing of the data.
  • Decisions that can significantly affect your life, such as granting loans or insurance, are sometimes taken on the sole basis of automated data processing, data controllers must adopt suitable safeguards, such as giving you the opportunity to discuss the thinking behind the processing of the data or to contest decisions based on inaccurate data.
  • If you believe your data protection rights have been breached, you may also submit an official complaint.
As a Data Controller:
  • Each data controller must respect the following rules as set out in the Directive:
  • Personal Data must be processed legally and fairly;
  • It must be collected for explicit and legitimate purposes and used accordingly;
  • It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
  • It must be accurate, and updated where necessary;
  • Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
  • Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
  • Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
  • These protection measures must ensure a level of protection appropriate to the data.
  • If a data subject is of the view that his/her data has been compromised, he/she can send a complaint to the data controller. If the data controller's handling of a complaint is not satisfactory, the data subject can file a complaint to the national supervisory data protection authority.
  • Every EU country must provide one or more independent supervisory authorities to monitor its application, all data controllers must notify their supervisory authorities when they process personal data.
"According to the European Commission, by 2020 the value of personalized data will be 1 trillion euros, almost 8% of the EU’s GDP. Global data economy is predicted at 3 trillion."

​GDPR In Practise

  • The spirit of the GDPR is to enable users to have better practical rights to control their data. To have their data for them, to have it removed, make it portable between services and more.
  • However users need tools to be able to do so AND there needs to be connections between services and these tools build OR it will not be very practical for user or services, and therefore benefits would be very limited
  • With good tools and connectivity, the data management, control and flow can be real time, automated and multidirectional between services, while also being GDPR compliant and really enforcing the spit of the regulation
A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Both data that has been 'provided' by the data subject, and data that has been 'observed' — such as about their behaviour — is within scope. The data must be provided by the controller in a structured and commonly used Open Standard electronic format. 

Benefits of GDPR

What are the benefits of GDPR related to entrepreneurship, innovation & startup ecosystems.

A lot to do? - Not much time...

Effective since 25 May 2018, unlike a directive, it does not require any enabling legislation to be passed by national governments and is thus directly binding and applicable. A single set of rules will apply to all EU member states.

"Organizations that fail to achieve compliance could be fined up to 4% of annual revenue or €20,000,000 (whichever is greater)"


​​Sources: European Commission 2018 reform of EU data protection rules,  Data protection and Wikipedia
"We believe that the model of how digital services are build today with multiple barely maintained user accounts with poor data in various systems, will need to change into user-centric "User Accounts As A Service" with quality data & API connections between users and their preferred services."