A Startup's Guide to Data Protection & GDPR


Stuart Cooke of data protection services provider Evalian shares his guide to data protection and GDPR for startups, including managing personal data and compliance.

By Stuart Cooke

Shopping, banking, working, communicating - these are just some of the things we do online nowadays and some of the ways in which we share our personal information. We conduct a huge amount of our lives online, and even when we do things face-to-face, we’re still usually sharing data for one reason or another. 

Because of this, we’ve become more susceptible to crimes involving our personal data, whether that’s cybercrime or data misuse. This means businesses need to be more clued up on data protection, particularly when it comes to GDPR compliance and the regulations that came into effect last year. This guide will look at five things your startup needs to know about data protection.

What is GDPR?

Firstly, let’s take a look at what GDPR is, as this is the basis for data protection in the UK and for any company dealing with EU residents (so pretty much all businesses will be affected by GDPR in one way or another). GDPR stands for General Data Protection Regulations and these are the regulations set out by the EU parliament last year to protect the personal information of EU citizens. It means that all citizens have the right to access their data and ask for it to be removed from a company’s database.

Does GDPR affect your startup?

If your startup operates in, does business with or collects data from citizens in the EU, then you must comply with GDPR. It’s a common misconception that smaller businesses or those working as an individual do not have to abide by these rules. This is simply not the case. If you work in any way with the personal data of EU citizens you need to make sure you comply, even if you're not located in the EU yourself.

So, in a nutshell, yes, GDPR does affect your startup. While the regulating bodies tend to be more lenient towards smaller businesses with less data on their systems, should there be a problem, you can still face a penalty. So it’s best as a startup to ensure you follow the guidelines set out and start complying with GDPR right from the start. This helps to avoid any complications or nasty surprises down the line.

What’s more, if your startup works with other companies or vendors, it’s a good idea to ensure they are also GDPR compliant. This also helps to safeguard your business from backlash as a result of another company. It’s not a requirement but it’s best practice to check when working with others.

What is considered personal data?

In the GDPR guidelines set out by the EU, personal data is defined as “any information relating to an identified or identifiable natural person”. It’s easy to think in the first instance that personal data encompasses only the information businesses often ask for and the information that citizens regularly share such as email addresses, names, photos, addresses and social media posts.

In reality, personal data covers this and much more sensitive information. As a startup (or business of any size really) it’s best to assume that anything that can be deemed personal should be protected. This means not just the data you’ve personally asked for or that has been used during a transaction, but instead any information you can gather from someone’s online presence. This includes details about their personal life such as sexual orientation or religion. Below is a list of what constitutes personal data:

How can my startup comply with GDPR?

There are a number of steps you can take to make sure your startup is GDPR compliant. Firstly, you need to know your own data. You need to have a good understanding of what you're collecting and why you’re collecting it. Being clued up helps you to ensure you're meeting all regulations. Then, for your existing customers you can put together a ‘fair processing notice’ which outlines to them how their data is being used and gives them a chance to get in touch with any queries they may have.

You should also ask for consent before collecting any new data. This can be done through your online sign up form or through your terms and conditions. You just need to make sure your terms are clearly laid out for everyone to understand. Be sure you have security measures in place to protect all the data you have on your system. As part of the GDPR regulations you must report any breaches of security within 72 hours, so be sure to have a plan in place to make this happen.

Finally, be prepared for data requests. As part of data protection all users have the right to request their information and you must provide them with an online copy of all the personal data you have about them. They can also request this be deleted, so you need to be prepared for any access and deletion requests.

What if my startup doesn't comply with regulations?

If you do not comply with GDPR you could face a penalty. As previously stated, smaller businesses are often treated with more leniency, but they can still face a pretty hefty fine. The last thing you want is to have to pay up because of a simple mistake, so it’s a good idea to get clued up on GDPR and ensure you’re doing all you can to follow the rules.

What’s more, if your business collects and processes the data of customers or clients, you also risk losing business if you aren't GDPR compliant. After all, people want to know that their sensitive information is safe and that it’s not being misused. Businesses and startups that are challenged about their compliance could find they lose the trust of their customers and end up losing business. If you want a detailed guide about how to rectify non-compliance, then take a look at this guide which covers steps to take if you suspect non-compliance. 

About the Author

Stuart Cooke works for Evalian, a data protection services provider. The business specializes in data protection, GDPR, ISO 27001 & Information Security. The Evalian team work with organisations of all sizes and across multiple sectors, with their largest clients operating globally with offices in multiple countries.