5 key implications of the General Data Protection Regulation for startups and business marketing

by Startacus Admin
The General Data Protection Regulation (GDPR) comes into force in May 2018 and will impact businesses worldwide if they are dealing with personal data relating to EU residents. Elle Hosie, founder and CEO of her own startup Elletrepreneur and expert in data protection laws, summarises some key aspects of the new regulation and how this will affect startups and your business marketing activities.

Privacy Policies
"Under the new legislation individuals must be provided with specific information about organisations processing their personal data and how the data is processed. This information is best provided to customers and employees in the form of a privacy policy. This requirement is universal, but is particularly important for online businesses where you are likely to be collecting email addresses for mailing lists or information about customers making purchases on your site. Since it’s easy to search a website for its privacy policy, it will be equally easy for regulators to clamp down on you if you aren’t providing the correct information. If you already have privacy policies in place, make sure these are correctly updated to include the new requirements, for example to provide the name and contact information of the ‘data controller’. Because data processing activities vary across all businesses, it’s important to get your privacy policies drafted by a professional with expertise in this area so that the specific activities of your business are properly addressed.
The rights of the data subject (i.e. the individuals whose data you process)
Data subjects, e.g. your customers and employees, have a right to request information about the personal data any organisation holds about them, correct any wrong information and to have their information deleted and not used for marketing purposes. Startups, particularly those using technology to process large quantities of data, will need to consider the technical requirements to enable them to comply with providing this information or amending/ deleting data.
Whilst the duty to comply with these rights is enhanced by the GDPR (and the penalties for not doing so) these rights actually already exist under the current laws. However, the GDPR brings in a new right to have your data ‘ported’ from one organisation to another. This could have big implications for startups, particularly those in or using marketing, because it effectively allows your competitors to incentivise your customers to have their data transferred to your competitor. There will also be a 30 day time limit on your ability to comply with such requests.
Sharing data with third parties and internationally
Data subjects have the right to be informed about who their personal data is shared with. Businesses will often say that they don’t ‘share’ data with anyone when in fact they probably don’t realise that they share data with multiple parties in order to provide the service or product that they provide. What this means for startups is that you will need to consider the data processing activities of any third party servers, CRM systems, data analytics and anyone else with whom you may share data as part of your contracts or service. You will also need to show that you have a process for asking appropriate questions when choosing a third party to process data on your behalf about how they will store the data securely etc.
To transfer data outside the EEA (which could be as simple as storing it on a server overseas), your business must have ‘appropriate measures’ in place unless it is to a country which the EEA has deemed to have as having adequate data laws in place. ‘Appropriate measures’ could include.
If you are unsure about whether the countries personal data may be transferred to, you should ask questions from the other party to find out whether there will be appropriate measures in place. It’s not sufficient to just say you weren’t aware or blame the other party - as a data controller you are responsible for the data. Plus with Brexit looming, businesses processing data in the UK or transferring data to the UK will need to monitor the laws closely on what measures will need to be in place to transfer data legally once the UK is no longer part of the EU.
Records of processing
From May 2018 businesses processing personal data will be required to maintain ‘written records of processing’. This means that your business needs to have a clear written account of what data you process and how it is kept secure, who you share it with and which countries the data may move between. In some circumstances (depending on the size of your business and the volume and nature of personal data that you process), you may also be required to designate a data protection officer.
Fines and penalties
If you’re wondering whether you really need to worry about some new law coming in when you are a small/ fledgling business, then how about imagining a fine of 4% of your global annual turnover and what that would do to your business, least of all the reputational damage. It’s not just big corporations that the law is intended to clamp down on- ‘smaller’ organisations with fewer compliance processes in place are just as likely, if not more so, to process data illegally.
Elletrepreneur is a startup consultancy providing legal contracts and strategic business advice for startups and SMEs. If you are unsure with how your business needs to adapt in time for the new regulation, schedule a free 30 minute legal strategy session to discuss how to avoid being in breach."
Want more insight into GDPR? Read GDPR primer for startups and self-starters
Subscribe to our newsletter
If you would like to receive our startup themed newsletter, full of the latest startup opportunities, events, news, stories, tips and advice, then sign up here.
Glasgow-based This is Milk seeks investment for Neve Learning, its cloud-based Ed-Tech platform that has inclusivity and accessibility at its core.

With the UK facing a clear digital skills gap, Amy Caton, Digital Talent and Impact Senior Manager at BT Group shares some insights on what businesses should do to close that divide.

The lowdown on Berlin-based Beazy and its innovative solution that helps teams to plan, produce and deliver creative content and helps businesses to connect with talented content creators.

Huckletree's new Web3 HQ aims to put London’s West End at the forefront of Britain’s tech superpower ambitions.

Leading sports marketing platform, OpenSponsorship announces move into music sector, the first new vertical industry for the trans-Atlantic martech business.

Kingussie High School scoops first place for Junior and Senior categories at this year’s Growing Future Assets Competition.

The lowdown on Manchester-based Arctic Shores and its innovative recruitment solution to help candidate potential count as much as skills and experience.

With the demand for tattoo removal now greater than ever, specialist NAAMA Studios makes a bid for a further £11m in funding.

By combining machine-learning with zero-party data, new tool launched by MarTech startup Qudo ends the ‘era of assumption’ for marketers.

Want to be your own boss and earn some money whilst travelling? Here are a few ways to do just that...
Published on: 16th August 2017
If you would like to enable commenting via your Startacus account, please enable Disqus functionality in your Account Settings.







- Neurodiverse learning and training platform Neve shares major six-figure investment opportunity 22nd Mar 2023 Glasgow-based This is Milk seeks investment for Neve Learning, its cloud-based Ed-Tech platform that has inclusivity and accessibility at its core.
- Huckletree opens new London hub for tech companies pioneering Web3 solutions 16th Mar 2023 Huckletree's new Web3 HQ aims to put London’s West End at the forefront of Britain’s tech superpower ambitions.
- OpenSponsorship making its move into the music sector 16th Mar 2023 Leading sports marketing platform, OpenSponsorship announces move into music sector, the first new vertical industry for the trans-Atlantic martech business.
- Scottish Highlands Home to the Next Generation of Future Female Investors 15th Mar 2023 Kingussie High School scoops first place for Junior and Senior categories at this year’s Growing Future Assets Competition.