That Light Bulb Moment: Start-ups and GDPR: what you need to know
Tight budgets and creative focus mean that start-ups sometimes bury their head in the sand when it comes to data privacy law. But the law applies to businesses of all sizes and nature: start-ups are not exempt.
The main source of data privacy law is the GDPR. This applies in both the EU and the UK – Brexit does not change this. Under the GDPR, protection of personal data is a fundamental right. Organisations need to treat personal data with the same importance they treat taxes and employee rights.
In short, your start-up must comply with the GDPR. So what do you need to know?
What is personal data?
In brief, any information from which a living person can be identified. This is a broad definition, and covers a lot of modern business-critical and valuable information, for example:
- names, emails and phone numbers;
- photos, video and audio;
- social media accounts, profiles and activities;
- user preferences and commercial habits;
- IP addresses and device identifiers;
- information collected by cookies; and
- bank / payment card / account information.
Do you use it?
It’s such a broad definition that it’s impossible to do modern business without it. Personal data may also have specific marketable value to start-ups, especially when trying to build a customer base.
What does that mean for you?
You have to comply with rules set out in the GDPR and other data privacy law.
What are those rules?
|Lawful use||Having a GDPR-recognised justification to collect and use personal data.|
|Use limits||Using the minimum personal data needed to carry out your lawful uses.|
|Transparency||Telling people when, how and why you use their personal data.|
|Sensitive data||Putting in place additional safeguards to use more private information.|
|Individual rights||Complying when people exercise statutory choices.|
|Data security||Taking physical and IT security measures to protect data in our hands.|
|Security breaches||Knowing how to recognise, and react to, an incident.|
|Prior assessments||Conducting additional documentary compliance for some riskier uses.|
|Data sharing||Specific terms need to be agreed depending on the type of recipient.|
|International transfers||Transferring personal data outside the EEA requires additional action.|
|Marketing||Email and phone marketing is not possible without prior consent.|
|Cookies||You need website users’ consent and must give them precise information.|
|Governance||Appointing an individual / team with sufficient expertise and influence.|
How do we comply with the rules?
Primarily through a combination of specific compliance documents, template contracts, organisational training and smart governance. It is important to acknowledge that you are bound under the GDPR to comply with these rules proactively.
What happens if we break the rules?
The consequences include:
- fines (up to the higher of 4% annual worldwide turnover or €20m);
- lengthy business / operational interruption;
- individual/group court claims;
- loss of consumer confidence in a young brand; and
- avoidable legal expenditure.
What should we do?
The reality is that the GDPR and other data privacy law applies to your start-up. Take early and proactive steps to try and comply. European regulators look more favourably on organisations which have had a go at compliance but got it wrong compared to those which have not tried at all. This can be the difference between a written warning and a damaging fine.
Remember in particular: compliance with GDPR and the viability of business development in a post-GDPR world are two important points that prospective investors now check as standard.
How can Greenwoods GRM help?
We have designed a series of advice products which help organisations of all sizes, financial resource and ages, such as:
- a short and lay user-friendly “playbook” which explains the rules, identifies applicable compliance measures, explains when to use them and provides templates;
- an outsourced in-house governance service (if nobody internal has the expertise or time resources required); and
- a data privacy “health check” which assesses the level of your compliance and suggests remedial actions.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org