7 Strategies to Comply with GDPR (I)
The provisions of the General Data Protection Regulation (GDPR), which governs the personal data of EU internet users, came into effect on 25 May 2018. The main changes concern access to and transfer of personal data, which will be more transparent if users so require. We covered in detail what these provisions involve in the previously published articles here and here.
Because fully implementing the new rules requires a complex effort to unify internal applications, together with a well-defined strategy, many companies, both in Romania and in other countries, are still conducting GDPR campaigns. As all of us have probably noticed, the first step has been for institutions and companies to inform their clients about GDPR compliance and to make the necessary changes to legal documents such as the confidentiality policy. The National Authority for the Supervision of Personal Data Processing (ANSPDCP) is in charge of implementing the new provisions. Its site, available at dataprotection.ro, includes a lot of information and normative acts regarding GDPR.
Apart from that, the following are a few efficient strategies that many enterprises have already applied, in Romania, in other EU member countries and in the USA.
1. Resorting to a Specialized Legal Organization
Although the provisions of GDPR apply to all companies, a particular company may be subject to stricter rules or to a set of supplementary rules, depending on the volume of personal data it processes or on its business profile. For this reason, it is essential that such companies engage a specialized firm and, in most cases, appoint an internal expert to supervise these processes. Currently, many companies in Romania have recruited or started to recruit for a position recently created on the job market, namely Data Protection Officer.
2. Transparent Communication with the Employees
It is not only the legal or the marketing department that must be up to date with all the provisions of GDPR but, in principle, every other department as well, so that the company can operate as an agile, cross-functional team. For employees to clearly understand the implications of the new regulations, it is recommended that the provisions be communicated to them and that their understanding be verified through interactive activities or tests. As this European regulation introduces many new rules, each company should establish a system under which employees regularly review what they have learned.
3. Correct Organization of Data
According to the new provisions, certain personal data (for instance information regarding religious faith, sexual orientation or biometric information) have a special classification and require processing that matches it. Therefore, it is important that each company organize its users' data according to the purpose and sensitivity of that data. If the business specializes in data processing, it would be advisable to appoint officers to separately supervise the existing data. Although this might seem a daunting practice, as it takes a long time, in the long run this approach will allow greater flexibility in processing and accessing data.
The second part of the article is available here.
Over the last decade, I've built my professional life as an investor, focusing on 3 key areas: financial services, real estate and tech startups. I’ve participated in the setup and development of two major fintechs, and after those two successful exits I’m now directing my resources into building a new enterprise in this area – the Key Way group.
I've started, participated in and developed companies in Romania, as well as Bulgaria, Hungary, Czech Republic, Germany, the UK, Mexico, Dubai and South East Asia. I'm constantly looking for new segments, new markets and new opportunities, and therefore I interact regularly with the regulator institutions and official agencies in various countries and markets.
The most recent example is the GCC area (Gulf Cooperation Council - Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates). I started to research opportunities in that area at the end of 2018 - more specifically, the United Arab Emirates, which are establishing themselves as one of the most dynamic markets in the world.
The whole experience of working with the official institutions there was a great example of how to attract and encourage investors! ADGM, the Abu Dhabi Global Markets regulator, was established quite recently and I was absolutely impressed with their professionalism.
To start off, I researched the local market regulators online. The information was clear and easily available: I contacted them online, via their website and LinkedIn accounts. They responded promptly, and in only a few days, we set up a series of meetings with the financial markets regulators in both Abu Dhabi and Dubai!
The ADGM gave me full support and very clear, detailed information on what I need to do, and how, to obtain a trading licence in financial services in the UAE. I met with representatives from both the ADGM registration department (where all new businesses have to register before they acquire a licence for online trading) and from the FSRA (Financial Services Regulatory Authority).
They were very clear on the procedure, steps to follow and criteria we need to meet, which is a fantastic help for an investor on a new, highly regulated financial market.
In a few days I started the onboarding procedure - everything happens online, everything is digital, everything is set up for maximum ease and transparency.
They set investors up for success, but they make sure they vet them thoroughly as well! A "user friendly" approach does not mean lower standards, quite the opposite - they made sure I met all commercial and business criteria, they assessed my financial, capital and business status and previous experience, and checked references from markets in which I operated previously.
We went through a process of very rigorous assessment and due diligence, and several meetings where I detailed our business plan and long term vision. Professional but friendly - you feel welcome, encouraged and supported as an investor.
Furthermore, their “enthusiasm”, or appetite for new business, equaled mine! They’re happy to welcome new businesses, they work hard to attract them and to set them up for success. I was very impressed that they genuinely appreciate the fact that investors, however big or small, choose their market to set up a company.
I’d love to see this same level of energy, hard work and appetite for business in my home country, Romania.
While other jurisdictions welcome investors and work hard to create the framework for development and success, I often feel that the Romanian regulators, for financial markets and beyond, start from a default position of suspicion or, at best, indifference. Investors are regarded with thinly veiled (if at all veiled!) suspicion and distrust and sometimes downright hostility; you almost feel guilty or embarrassed to be successful financially.
I hope to see this mentality change in Romania, because I, as well as most Romanian entrepreneurs I know, really want to make our country a top choice for investments, not just in outsourcing and services. We want to make Romania known for its know-how and creativity.
I think Romanian regulators should remember that their whole purpose of existence is to enable business, not hinder it. And as investors, especially once we see best practices from other jurisdictions, we need to remind them of this reality.
- Fintech OS - B2B services and TaaS enabling automation for financial services. The fact that this is a Romanian company that has achieved such rapid growth proves that (to paraphrase) geography is not destiny. Their experience is inspiring.
- Fagura - P2P Lending. Although Fagura is actually coming from Moldova, they are present in Romania. This is a friendly peer-to-peer platform, modelled on similar UK companies. I think it has good potential for success.
- Smart dreamers – a platform for recruitment marketing automation, they’re already in the UK, the US, and Singapore, with enterprise-ready software that helps companies reach and engage with potential candidates online.
- Medjobs – this is a platform for recruitment and jobs in the healthcare sector. I like their focus and the fact that they’ve honed in on this very specific opportunity, as it is a very dynamic niche and was generally very fragmented.
- Typing DNA – such an original idea! They’ve developed an app for typing biometrics authentication – recognizing people from the way they type, this is an AI-based solution for risk-based authentication and fraud prevention.
- Competitors.app – a very useful and comprehensive app for monitoring competitors’ marketing activity across online channels.
- Finqware – this was badly needed in Romania, since most companies and people have several bank accounts and they need a centralized dashboard for their finances.
- Keez – A user-friendly alternative to accounting, payroll, and ERP software.
- Teleport HQ - An AI powered platform and suite of open source tools which simplifies UI building and adds realtime optimisations by analysing user's intentions.
- Cyscale - a Multi-Cloud Platform, for all major providers like Amazon, Google and Microsoft, which handles Cloud Native Security, Threat management and Secure Cloud Design.