Simon Jenner
Friday, 27 May 2022
We have been asked so many times whether one no-code platform or another is GDPR compliant that we put together this short blog post.
Posted in:
No-Code
Disclaimer
This is meant to be educational content to help give you an introduction to GDPR. It should in no way be construed as legal advice. We have only covered the basics of this detailed subject.
If you are concerned about GDPR, appoint qualified legal counsel to advise you on the specific needs of your business. GDPR is a complex law and its application differs case by case.
It’s Not that Simple
If you’re reading this you have almost certainly asked if [insert no-code platform here] is GDPR compliant and the answer is “it’s not that simple”.
You might also be labouring under the misapprehension that you need to ensure that all your data stays in the European Union. You don’t. Data can leave the EU provided the transfer is made with the safeguards GDPR requires (see “Transferring Data” below). Your data is almost certainly already stored all over the world. Get over it.
We can’t give you a blanket answer to any of your questions because GDPR is complicated. We can build you a compliant application and you can immediately do something that massively contravenes GDPR.
You need to stop asking simple questions, read the regulations and get proper advice.
First of all what is GDPR and why should I worry about it?
General Data Protection Regulation, or GDPR to its friends, has been in force since 25 May 2018. It standardised the data privacy laws across all of the member countries of the European Union (EU) and brought the protections and rights of individuals up to date with current technology.
GDPR was also created to alter how businesses and other organisations can handle the information of those that interact with them. There's the potential for large fines and reputational damage for those found in breach of the rules.
GDPR applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Almost every region has its own data privacy laws, but not all laws are applied in the same way.
The basic principles of GDPR are pretty simple to grasp (I’m paraphrasing Article 5 here, law fans). If you’re going to collect personal data (any data relating to an identified or identifiable individual) from customers for any commercial purpose you need to:
Do so lawfully, fairly and transparently;
Only ask for the data you need and only use the data for the express purpose it was collected;
Keep data accurate and up to date;
Keep data only for as long as you actually need it for the purpose you collected it for;
Process the data in a way that ensures it is secure and protected at all times;
Be able to demonstrate that you are doing all of the above (the “accountability” principle).
It’s important to remember that the data is about your customer, and they keep rights over it; you don’t own it. So if a customer asks you to provide a copy of their data, or to delete their data, you have to act on it, and in most cases within one month.
Lingo
Before we get started we need to identify the key phrases that are used in the regulation, like:
Transferring Data: This is the term that most often confuses people. GDPR restricts transfers of personal data from the EU/EEA to countries outside it unless certain assurances are in place (an adequacy decision for the destination country, standard contractual clauses or another recognised safeguard) that the data is adequately and appropriately protected. Your job is to make sure that data is protected to the standards of GDPR in transit and at rest, no matter where it is transferred (EU or not).
Data Controller: A data controller is any entity which decides how and why personal data will be processed. If you’re reading this, this is likely to be you.
Data Processor: A data processor is an entity which processes personal data on behalf of the controller. These are all your suppliers (including your no-code platform provider) that you use to handle or store data as part of your service to customers.
Sub Processor: This is any entity that processes personal data for the data processor. A good example would be a no-code platform that offers data storage but uses a cloud service like AWS to provide that service. In this instance AWS would be a Sub-Processor.
When you collect and transfer personal data you must be aware of the entire ‘chain of custody’ that data will pass through and take appropriate measures to ensure that the protections offered to your customers by Processors and Sub-Processors meet the standards of EU regulation.
Your Duties
We’re aware that most people reading this will be startup founders trying to decide how best to apply the few pennies they have to launching their business and not starving to death.
Given that appointing a lawyer might be out of your financial reach, what can you do right now to try your best to comply with GDPR? Here’s my short list.
Do your homework! Make sure you understand how data will be transferred and stored between all your processors and sub-processors. Make a list of who they are, what they do, where they store the data, and collect the evidence that they comply with GDPR (most reputable suppliers publish a data processing agreement, a sub-processor list and security documentation on their website).
Make sure that you tell your customer exactly what you are collecting data for, how you plan to use it and where you store it. Your customer should be in no doubt as to what data you have, where it is and what it’s being used for. Use simple and transparent language. Where you rely on consent as your lawful basis, ask for it explicitly and record it; where you rely on another basis (for example, that you need the data to deliver the service they signed up for) you still have to tell them that.
Make every effort to ensure that the way you keep data is as secure as possible. Document how you have done this and make sure all of your staff keep to the same high standards that you set.
If someone asks for a copy of their data or for you to delete their data, act on the request promptly. GDPR gives you one month in most cases, so don’t leave it at the bottom of the pile.
If the worst happens and you become aware that you have leaked personal data, you must notify the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware, unless the breach is unlikely to put individuals at risk. If the risk to those individuals is high, you must also tell them directly.
Don’t be bamboozled by shortcuts and nonsense. If you think keeping your data in the EU means that you don’t have to audit your data processors, you’re wrong. Having a cookie pop-up and a boilerplate privacy policy does not make you GDPR compliant. Do the work to make sure you protect your customers.
So is Your No-Code Platform GDPR compliant?
You cannot pass responsibility for ensuring that your data processor is compliant to a third party like Million Labs. You need to complete your own audit and make your own assessment of compliance.
Almost all Data Processors with a global client base will provide a Data Processing Agreement (a DPA, the Article 28 contract between you and them) which sets out the controls they have in place to ensure that data is protected to the standards of GDPR. They are likely to also publish evidence of their processes and procedures (security documentation, certifications, a list of their own sub-processors) on their website.
You need to read and assess the evidence provided by your suppliers (and their suppliers) whether they are based in the EU or not.
When is a Compliant Platform Not Compliant?
You use a no-code platform to build an application. The platform itself can be GDPR compliant, but you can build an application that absolutely isn’t. How?
You don’t tell your customers how you plan to use their data or ask for any consent.
You scrape personal data from third party sources into your application.
You don’t build adequate security and access controls into your own application.
You don’t provide or delete data when you are asked.
You hand the data you are storing to other companies so that they can use it, without the consent of your customers.
Etc. etc.
In all of these cases the no-code platform is still just a processor acting on your instructions. It is you, as the controller, who is breaching GDPR, and the platform’s own compliance does nothing to protect you.
Getting Proper Advice
A good place to start is your supervisory authority. In the UK that’s the Information Commissioner’s Office (ICO). You can find their guidance here:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
They can help you to find qualified legal advice to assess your specific needs.
Million Labs is registered with the ICO, registration reference: ZB040853