Legal 101s - Privacy

Privacy Law Basics for the Start Up

by GLS GROUP May 20, 2020

Modern notebook computer with future technology media symbols


Regardless of whether you are running an online platform or mobile application, or offering an original service – one thing’s for sure – almost every company deals with personal data.

Companies collect and analyse data in order to continuously develop their products and services, and market them to consumers.

Consequently, businesses from an early stage of development should ensure that they comply with privacy laws.

Non-compliance with privacy laws could result in severe consequences for your business.

Think Disney – the epitome of “all things good” – which was fined US$3 million in 2011 for processing and sharing the personal data of children under the age of 13 without parental consent.

Non-compliance could not only result in companies being slapped with a hefty fine or sanction – it could also result in bad publicity which collectively, could have a thoroughly detrimental effect on your business.

In this article, we aim to equip you with 10 privacy law basics to kickstart your journey to proper and compliant use of personal data. While privacy laws may differ across jurisdictions, various general principles remain largely consistent.

Checklist - Purple


1) What is personal data?

Described as “one of the hottest commodities in 21st century commerce” on TodayOnline (a Singapore newspaper), personal data is defined widely under the laws of many jurisdictions to encompass data that can be used to identify an individual.

Accordingly, personal data potentially covers an extensive range of information – not just information such as names and contact details. The ambit of personal data could even include information such as a person’s bank account number.

Understanding what personal data constitutes will then equip you as founder, to note the depth of privacy law obligations that your start up is subjected to.

Close up of human hand holding key symbol

2) Know your privacy obligations

There has been a general proliferation of increasingly stringent privacy obligations amongst jurisdictions across the world. 

One pertinent example that has resulted in companies all over the world scrambling to update their privacy policies is the infamous General Data Protection Regime (GDPR).

This proliferation has followed hot off the heels of the growing pervasiveness of the internet in every aspect of our lives (think social media, e-commerce, internet banking etc).

In this regard, it is imperative for every business to understand its privacy obligations. Indeed, the privacy laws of certain jurisdictions may apply across borders and may even apply to businesses that do not operate in such jurisdictions.

Please do engage a lawyer to advise you on your privacy obligations – money spent to prevent liabilities that may arise from your failure to comply with your privacy obligations is money well spent.

Hand holding smartphone with media icons and symbol collection

3) Data collection

As a general rule of thumb, your company should collect no more personal data than is absolutely necessary, to operate your business.

In ensuring that your company’s actions are in line with the above, make sure you take some time to consider what data is essential to your organisation before taking steps to collect it.

Salesman shaking hands with client with contract on the coffee table

4) Data disclosure and usage – informing and obtaining consent

For some companies, data disclosure and usage are part and parcel of their business. Some examples include omnipresent social media sites like Facebook and LinkedIn.

While your start up may not necessarily fall within the ambit of the above-mentioned, data disclosure and usage can still happen. In fact, data disclosure and usage happens more often that you would expect.

In doing so, it is vital that you take note of the following (some might say, stringent) obligations:

● informing the individual of the company’s intended purpose for disclosing and/or using his/her personal data;

● obtaining the individual’s express consent to disclose and/or use his/her personal data for such purposes; and

● where the company intends to disclose and/or use the individual’s personal data, the company may do so solely for the purposes for which the individual has been informed and where the individual has provided his/her express consent.

businessman hand working with modern technology digital tablet computer and graphics layer effect as business strategy concept

5) Implement security measures

Even if you have been religiously compliant with the applicable privacy laws, data security breach can still be a problem.

A company is typically required to implement adequate measures to ensure the security of personal data in its possession. What constitutes as “adequate” would depend on a multitude of factors, such as:

● the nature of the personal data (e.g. how sensitive it is);

● whether the personal data is contained on your IT systems; and

● the volume of personal data in your possession.

Basic measures to protect personal data may include:

● ensuring that all virtual databases that contain personal data are password protected; and

● limiting access to databases that contain personal data to only a select group of people within your organisation.

If you are not a whiz at IT and prefer not to deal with technical jargon like “databases” and the like, it may be prudent to enlist the services of a privacy consultant to ascertain the measures that your company should implement, and how such measures should be implemented.

Goalkeeper catches the ball . At the stadium, in the spotlight.

6) Responding to data breaches

Whilst prevention is certainly better than cure, the possibility of data breaches can never be completely eradicated.

In this regard, it is important to implement adequate measures to ensure that any data breaches are swiftly and adequately dealt with, so that any damage is limited as much as possible.

Basic measures that a company may adopt to facilitate a swift response to data breaches include:

● requiring all employees to make a report to a designated person immediately upon discovering a data breach; and

● implementing measures to communicate the occurrence of any data breaches to all your its personnel as quickly as possible.

businessman hand show book of word policy on texture background as concept-1

7) Have a privacy policy in place

To ensure that you and your company’s personnel adopt a uniform approach towards the handling of personal data, it is crucial to formulate an organisation-wide privacy policy.

Such privacy policy serves various important functions, including:

● setting the tone across your company with respect to how seriously privacy obligations are taken; and

● communicating your company’s protocols with respect to dealing with personal data and handling personal data breaches.

The provisions of such privacy policy may be made legally binding, if they are incorporated into the terms of your personnel’s employment contract/service agreement.

Back view of businessman reading documents in hand-1

8) Have robust data protection clauses in your contracts

With the prominent international hotel group Marriott being fined nearly US$123 million following a data breach where the personal data of 399 million guests was breached, it is clear that the liability arising from personal data breaches could potentially be very high.

With that in mind, your company’s contracts should contain robust data protection clauses to ensure adequate protection.

At the barest minimum, these clauses should set out clearly:

● each party’s rights and obligations with respect to personal data; and

● the consequences of each party’s failure to comply with its privacy obligations.

Rear View of Young Office Workers in Casual Outfits Listening to a Top Manager Explaining Something Using Illustrations.

9) Train your personnel

One of the biggest causes of data breaches is human error. Your company can have the most innovative policies and the most advanced computer programmes with respect to data protection.

Yet, a chain is only as strong as its weakest link, and the weakest link in the chain of personal data protection is often the humans behind the system.

In this regard, it is vital that you keep your personnel updated, reminded and adequately trained on your company’s data protection practices and platforms.

Midsection of businesswoman with binders at office

10) Organise personal data

In certain jurisdictions, companies are required, upon request, to provide each individual with his/her personal data in an accurate manner.

In this regard, it is good practice for your company to keep organised records of all personal data that has been collected, so that personal data can be easily accessed and accurately disseminated.


Enegotiation - Purple

Introducing GLS Total Legal Support

We hope that this article has been helpful to you as a start -up trying to navigate the minefield of privacy laws.

To aid in your quest to mitigate legal risk, GLS offers a Total Legal Support solution which provides you with all business-critical templates for the price of what most pay for coffee each month.

Needless to say, our solution comes with a 24/7/365 helpline whereby one of our legal professionals can assist you with any queries that you may have.

Check it out here.

The End written on rural road


If you liked this topic, you might also like 10 common mistakes made by start-ups.

*The above content does not constitute, nor is it offered as, legal advice of any kind. GLS Solutions Pte Ltd is not a law firm and any support provided pursuant to this entity is not regulated legal advice or legal opinion.  


GLS Group - Nominated by Financial Times as the:
"Most Innovative Law Firm - Asia Pacific"
Innovation through Technology 
The Middle East Legal Awards 2020

Avoiding co-founder disputes : Legal 101s

a list of steps you should take to help mitigate or avoid entirely the possibility and risks of co-founders disputes ... Continue reading

What should you include in your invoice? :5 key items that should be inside

In this article, we examine 5 key items that should go into an invoice ... Continue reading

What are the risks associated with collecting personal data? :5 key risks to remember

5 key risks of associated with collecting personal data and how you can manage ... Continue reading

What is a supply of goods and services agreement? :10 key points to help you understand

We examine the top 10 issues to look out for in a Supply of Goods & Services Agreement ... Continue reading