What startups need to know about GDPR

Here’s our no-fluff guide to GDPR for startups. Plus, our essential tips to make GDPR easy so you can grow your business, hassle-free.

Dive straight in to the GDPR issues that matter to startups and discover the secrets the privacy pros use to be compliant and win big deals.

We’ve all heard about the GDPR. We know it means you need a privacy policy on your website and some other things. Or you can get fined, right?

But what are those other things and do you really need to worry about it?

Well, the other things are extensive and yes, if you handle personal information and you value your business, then you do need to worry about it.

GDPR 101 – GDPR for Startups

GDPR is the General Data Protection Regulations, a set of EU regulations adopted to tighten up the privacy and security of personal data throughout the EU and beyond.

In the UK, the EU regulation is enacted by the Data Protection Act 2018.

Will the GDPR still matter when the UK is out of the EU?

Yes. The Data Protection Act 2018 will endure for all organisations operating in the UK. All businesses that do business in the EU will want to ensure they comply with GDPR too.

GDPR. Does it apply to me?

If you manage personal data then it’s very likely that the GDPR does apply to your organisation.

Think about your staff as well as your suppliers and customers. If you handle personal data about any of them then the GDPR does apply to you.

What is meant by ‘personal data’?

At its simplest level, if you can work out from the data who the information relates to then it’s personal data. In GDPR terminology it’s often referred to as Personally Identifiable Information or PII.

GDPR for small businesses

The GDPR applies to businesses of all sizes. Even if you are an early-stage startup you still need to do the right things to comply with the regulations.

Why startups need to comply with GDPR

As a startup, if you want to work with large organisations or in regulated industries you will need to be GDPR compliant. Often you will be expected to contract on the basis that you comply and be able to demonstrate your systems and processes if requested.

It’s also likely that your directors and investors will expect you to be running your business legally and compliantly, so don’t let them down.

Registering with the ICO

As an organisation that handles personal data, you are likely to be required to register with the Information Commissioner’s Office and pay a fee. 

How much does it cost to register?

The ICO registration fee ranges between £40 and £2400. But don’t panic. For all but the largest organisations, the fee is either £40 or £60.

Should you register with the Regulator?

You can easily find out if you need to register by using the ICO self-assessment tool here.

The guiding principles of GDPR

Here’s a top tip. There’s an easy way to understand, at a high level, what you need to do to comply with GDPR.

First, it’s essential to understand that the GDPR is a principles-based regulation.

What does that mean? Well, being principles-based means that compliance cannot be achieved by simply following a set of prescriptive rules. Instead, it is about applying the GDPR principles to how your organisation uses personal data.

Use these principles to guide your organisation in all that you do with the personal information you control and you won’t go too far wrong.

  1. Lawfulness, fairness and transparency

Do as it says. Stick to the law, be fair and be open and transparent about everything you do with personal information.

  2. Purpose limitation

Be clear with people about what you intend to do with the personal data you collect and then don’t use it for any purposes beyond those you’ve communicated.

  3. Data minimisation

Only collect and use the minimum amount of data you need to fulfil your stated purposes. No more.

  4. Accuracy

As it says, you must ensure the personal data you manage is accurate and kept up to date.

  5. Storage limitation

Essentially, don’t keep any personal data for any longer than you need to.

  6. Integrity and confidentiality

It’s your responsibility to ensure that all personal information you manage is kept securely and out of harm’s way.

  7. Accountability

Simple. Take responsibility for what you do with personal data and how you comply with the other principles. Critically, you must also have appropriate measures and records in place to be able to demonstrate your compliance.

These high-level summaries of the GDPR principles are for guidance. You can dive into the detail on the ICO website here.

Get to know the basic terminology

It’s a good idea to get familiar with the terminology from the start. You’ll need to understand these terms to understand what is required by the regulations.

  • Controller

A controller is the organisation or person who decides how and why to collect personal data.

  • Processor

A processor is a separate organisation or person who processes data on behalf of the controller and in accordance with their instructions.

  • Data Subject

This is the technical term used for the person that the data relates to.

  • Processing

Pretty much everything you do with data counts as processing. Including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

What is a lawful basis?

The GDPR sets out six lawful bases for processing personal data. At least one of these must apply for you to process personal information lawfully. It’s vital you select the lawful basis you are going to use and that you record it.

What are the six lawful bases of the GDPR?

You’ve probably heard of a few of these. At least one of these must apply whenever you process personal data.

If you are carrying out marketing activities, it’s very likely you will be tempted to rely on ‘consent’ as your lawful basis. But don’t decide before you have considered other options.

  • Consent

The individual has given clear consent for you to process their personal data for a specific purpose.

  • Contract

The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

  • Legal Obligation

The processing is necessary for you to comply with the law (not including contractual obligations).

  • Vital Interest

The processing is necessary to protect someone’s life.

  • Public Task

The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

  • Legitimate Interest

The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Legitimate interests is the most flexible of the six lawful bases. It’s not focused on a particular purpose and so it gives you more scope to potentially rely on it in many different circumstances.

It can be the most appropriate basis when:

  • the processing is not required by law (Legal Obligation) but is of a clear benefit to you or others;
  • there’s a limited privacy impact on the individual;
  • the individual should reasonably expect you to use their data in that way; and
  • you cannot, or don’t want to, give the individual full upfront control or bother them with consent requests when they are unlikely to object to the processing.

If you think that ‘legitimate interest’ is the lawful basis best suited to your use of data, then it’s important to know that people can object to their data being used on this basis.

If objections happen you’ll want to be able to protect yourself. The key here is to undertake and record a Legitimate Interest Assessment (LIA). An LIA will give you the evidence to demonstrate your accountability for the decision you make if you are ever challenged or investigated.

The ICO offers more detail on lawful bases here.

What is a Legitimate Interest Assessment or LIA?

A Legitimate Interest Assessment is a kind of light touch risk assessment based on the specific context and circumstances of your intended data use. You only need to complete one if you are planning to rely on Legitimate Interest for your data processing.

What do I need to do to market to people?

To collect and use personal data for marketing purposes you will need to rely on either consent or legitimate interest as your basis for processing.

It’s the same whether you are marketing to individual consumers or employees of another organisation.

Top tip for GDPR marketing

The GDPR sets a high bar for gaining consent so here’s a top tip. Look for another lawful basis to rely on. The usual alternative is Legitimate Interest. As long as you can justify this by completing an LIA then this is an easier route to go.

By adopting Legitimate Interest as your lawful basis for processing personal data to undertake marketing you will need to do more work to be transparent in your communications. You’ll also need to clearly explain in your privacy policy what the legitimate interests of the processing are.

If you do choose to rely on consent then you will need to obtain explicit consent from the individual to use their data for marketing purposes.

Explicit consent requires a very clear and specific statement of consent. It requires a positive opt-in. Don’t be tempted to use pre-ticked boxes or any other method of default consent. You’ll only look bad for trying to mislead the people you would like to trust you.

Steps to GDPR compliance

Making your organisation GDPR compliant is so much easier if you start with a data map. The data map is documentation of all the personal data in your organisation. It’s your starting point. It will become the most important piece in your privacy compliance jigsaw.

Map the personal data in your organisation

To manage the personal data in your organisation, you first need to know what information you have, where it is, what it’s used for and who it’s shared with.

The exercise of documenting this is generally called data mapping. It’s sometimes referred to as carrying out a data inventory or data audit. As the process documents the connections between the various data locations and entities, it is also sometimes called a data flow map.

It’s easy to think that you only have minimal data and that it will be simple. But once you get started it can be the stuff of spreadsheet nightmares unless you use a data mapping tool designed for the job.

The importance of an accurate data map

The data map is key to your business privacy compliance because it becomes the hub for all the rest of your privacy compliance activities. It must be accurate and kept up to date.

The ‘data map’ becomes central to your data management system as it determines many other factors. For example, your privacy notice should include details of the other businesses you share data with.

It can be an arduous task to put all the details together. Get organised before you start. You will need to have a way to document your data and understand who in your organisation you will have to collaborate with.

Policies and notices

In addition to your privacy notice it’s a good idea to have a staff privacy notice. This will help your colleagues understand how your organisation uses their personal information.

Privacy Notice

Everyone knows they need a privacy policy on their website. Many businesses simply find a free template privacy policy or copy one and tweak it to suit their business. It’s basic and it works, until it comes under scrutiny.

What’s wrong with copying someone else’s privacy policy? Well, a lot actually.

Your privacy notice should accurately reflect how your organisation deals with personal information. It should reflect the details that are specific to your business. It should be yours. After all, it’s your audience who are going to be reading it and trusting in the details it provides.

Data Protection Impact Assessments or DPIAs

If you are planning to do anything with personal data that may potentially be high risk to the data and privacy of individuals then you need to carry out a Data Protection Impact Assessment (DPIA).

It’s also a good idea to carry out a DPIA if you are doing any major project involving large amounts of personal data.

If you think you might need to do a DPIA you can learn more on the ICO website here.

Individual Rights

The GDPR empowers people to make requests of organisations in relation to the information held about them. These rights are core to the GDPR as they encourage individuals to trust that their data will be respected and protected.

The GDPR rights for individuals are:

  • Right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

  • Right of access

Individuals have the right to access and receive a copy of their personal data, and other supplementary information.

  • Right of rectification

Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete.

  • Right of erasure

Individuals have a right to have their data erased. This is also called the right to be forgotten.

  • Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, you can store the personal data, but not use it.

  • Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

  • Right to object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing.

  • Rights related to automated decision making and profiling

If you use automated decision making or profiling then you must give individuals information about the processing activity and simple ways for them to request human intervention or challenge a decision.

What are Subject Access Requests?

Subject Access Requests (SARs) are the actions taken by a person when they make a request of an organisation based on exercising one of their rights.

How to deal with Subject Access Requests?

It’s critical that you respond to any requests within 30 days of receiving that request. The first request you receive will immediately test your data mapping of your organisation.

Whether it’s a request for erasure or an objection to the processing of their data, you will need to know where all the data is that relates to the request. This is one of the reasons it’s so important to stay on top of your data map.

For more details on how to respond to requests, see the ICO website here.

What are the risks of GDPR non-compliance for small businesses?

The real risk for startups is not the fines that the ICO can issue or the prosecutions they press. It’s not even the many measures the ICO can take to investigate misdemeanours and restrict your use of personal data.

The real risk is to your reputation and your ability to successfully do business with larger organisations if you are not compliant.

For the most serious offences there are punishing fines that would hurt even the largest of organisations. For this reason large enterprises often demand the businesses they work with are GDPR compliant.

If you are going to be processing personal data provided by another organisation you will also need to enter into a data processing agreement (DPA). This is a legally binding agreement that sets out the rights and obligations upon which your organisation will process personal data.

Review your privacy compliance regularly

Things change and the way you communicate your privacy and the records you keep need to change to reflect the reality of your operations.

The best way to do this is to ensure you review your data map on a regular basis. We recommend that you do this at least once a quarter. You can then check that your privacy notice and other policies all accurately reflect your data processing activities.

Staff training

The GDPR is one of the very few regulations that affect every person in your organisation. Whether they are customer-facing or purely internal, it’s important to ensure that they are all trained in the basics of GDPR.