Every company operating within the EU has a legal obligation to comply with General Data Protection (GDPR) laws. This applies to large corporations as much as it does small businesses and start-ups. But while some organizations will find it easier to make the required adjustments, how do those just starting out fare when it comes to ensuring compliance? Below we discuss how small start-ups deal with GDPR as they prepare to trade.
What is GDPR?
GDPR came into effect on May 25, 2018. It is a legal requirement for all organizations operating within the EU to protect the privacy and personal data of EU citizens for any transactions that take place within the 28 member states. The data could be anything from an individual’s name, to an online username or IP address.
It was created in 2016 and replaced the existing Data Protection Directive that stood from 1995. In addition, any data exported outside of EU borders is also regulated by GDPR. EU members were allowed to make small changes to suit the needs of their country, which saw the UK create the Data Protection Act (2018), replacing the 1998 Data Protection Act.
It is also important to note that during the Brexit transition period GDPR laws still apply to UK firms. At the time of writing it is still to be confirmed as a deal between the UK government and the EU is pending, but it is expected that a ‘UK GDPR’ law will be introduced. However, this may still include some alterations made that have yet to be confirmed.
How start-ups deal with GDPR
Create more transparency
GDPR not only gives EU citizens more control over their personal data, it also requires businesses to be more transparent. Where some existing organizations will have to go through a lot of reorganization to ensure their processes are more transparent, it presents an opportunity for start-ups to operate that way from the very start.
Taking a proactive approach to data protection allows start-ups to assess any possible risks that come with the processing of data. Where any changes to the business model are required they can be implemented at an early stage, so they are less likely to fall foul of any regulatory breaches. The fines for Failure to comply with GDPR can see large fines imposed, which would be disastrous not only in financial terms, but the damage to brand reputation would also be very costly.
Improved security measures
An important part of being GDPR compliant is ensuring there are robust security measures in place that can protect any personal data stored on servers.
Cybersecurity is a fundamental component of every online organization has to pay increased attention to. The rates of cybercrimes have increased as more businesses move into the digital world and there are real threats posed to organizations of all sizes.
Start-ups can perhaps be the most vulnerable if left exposed to online data attacks. This means ensuring Wi-Fi networks are secure, strong malware protection is in place and relevant training is given to staff members. Websites should also be HTTPS certified, which means data travelling from the web server to the user’s browser is encrypted and secure, making it more difficult for third parties to intercept. Google will also look more favorably on sites that use HTTPS than those who do not.
Streamline data retention
From customer names and addresses, to staff employment records and dates of birth, data comes in a number of different forms. It relates to customers, staff and supplier records. Start-ups need to identify how much data they need to retain before they can implement measures on how best to manage and process it.
After all, GDPR dictates that data can only be held for the shortest time possible. This means retaining large databases of data is going to breach GDPR regulations. Holding onto necessary data should be the limit of what is held by a start-up, making the process leaner and simpler to manage. Organizations like Rightly can also be a great help, working with start-ups to manage the removal of customer data when requests are received.
Special attention should also be paid to personal information relating to sexual orientation, religious beliefs, ethnic or racial origin, political affiliation and trade union membership, which are defined by GDPR as ‘special categories’. This data could be used to discriminate against an individual and requires explicit consent before it can be stored.
Learn from larger companies
There’s already enough to deal with when starting up a new business such as ensuring you have a strong enough foothold in your relevant industry often taking precedence. Resources are limited, with much of it allocated towards creating the infrastructures needed for sustained success. This means start-ups may struggle to find the capabilities to construct a coherent GDPR plan.
However, start-ups can learn how to be GDPR compliant by taking some cues from larger companies, scaling down the processes to match the size of their operation. Bigger organizations will have larger legal teams able to address GDPR requirements and are likely to implement robust new measures in accordance with the law.
The likes of LinkedIn and Google have previously published their GDPR methods, as have Facebook. Where applicable, start-ups can use these as a way to build their own compliant-ready policies, making their workload lighter in the process.
Check that suppliers are also compliant
It’s one thing for start-ups to ensure their internal processes are GDPR compliant, but they also need to check suppliers and contractors meet the standard too. Article 30 of GDPR states that businesses with less than 250 employees are exempt from keeping records of their partners processing activities, whether as a processor or a controller although they still need to personally comply with GDPR. But if you are working with a company that has more than that number of employees you must ensure the supplier/contractor/partner is compliant.
Start-ups can simply ask the company if they are GDPR compliant or send a checklist for them to confirm. Contracts will also have to refer to the external company being GDPR compliant. This should also include the right to carry out an audit if needed so their data processing can be assessed.
Final thoughts
From the very outset start-ups need to integrate GDPR thinking into their strategy and daily operations. Not only will it ensure they remain compliant with current requirements, but that customers, staff and suppliers have faith in your ability to process and manage personal data to the expected standard.
The management and processing of personal data is an ongoing process and not a one-time only procedure. Reviews should regularly be conducted to ensure current processes are being correctly used and that they remain secure enough to protect the data.