
5 key implications of the General Data Protection Regulation for startups and business marketing


by Startacus Admin

The General Data Protection Regulation (GDPR) comes into force in May 2018 and will impact businesses worldwide if they are dealing with personal data relating to EU residents. Elle Hosie, founder and CEO of her own startup Elletrepreneur and expert in data protection laws, summarises some key aspects of the new regulation and how this will affect startups and your business marketing activities.

Privacy Policies

"Under the new legislation individuals must be provided with specific information about organisations processing their personal data and how the data is processed. This information is best provided to customers and employees in the form of a privacy policy. This requirement is universal, but is particularly important for online businesses where you are likely to be collecting email addresses for mailing lists or information about customers making purchases on your site. Since it’s easy to search a website for its privacy policy, it will be equally easy for regulators to clamp down on you if you aren’t providing the correct information. If you already have privacy policies in place, make sure these are correctly updated to include the new requirements, for example to provide the name and contact information of the ‘data controller’. Because data processing activities vary across all businesses, it’s important to get your privacy policies drafted by a professional with expertise in this area so that the specific activities of your business are properly addressed. 


The rights of the data subject (i.e. the individuals whose data you process)

Data subjects, e.g. your customers and employees, have a right to request information about the personal data any organisation holds about them, correct any wrong information and to have their information deleted and not used for marketing purposes. Startups, particularly those using technology to process large quantities of data, will need to consider the technical requirements to enable them to comply with providing this information or amending/ deleting data. 

Whilst the duty to comply with these rights is enhanced by the GDPR (and the penalties for not doing so) these rights actually already exist under the current laws. However, the GDPR brings in a new right to have your data ‘ported’ from one organisation to another. This could have big implications for startups, particularly those in or using marketing, because it effectively allows your competitors to incentivise your customers to have their data transferred to your competitor. There will also be a 30 day time limit on your ability to comply with such requests.

Sharing data with third parties and internationally

Data subjects have the right to be informed about who their personal data is shared with. Businesses will often say that they don’t ‘share’ data with anyone when in fact they probably don’t realise that they share data with multiple parties in order to provide the service or product that they provide. What this means for startups is that you will need to consider the data processing activities of any third party servers, CRM systems, data analytics and anyone else with whom you may share data as part of your contracts or service. You will also need to show that you have a process for asking appropriate questions when choosing a third party to process data on your behalf about how they will store the data securely etc.

To transfer data outside the EEA (which could be as simple as storing it on a server overseas), your business must have ‘appropriate measures’ in place unless it is to a country which the EEA has deemed to have adequate data laws in place. ‘Appropriate measures’ could include.

If you are unsure about which countries personal data may be transferred to, you should ask questions of the other party to find out whether there will be appropriate measures in place. It’s not sufficient to just say you weren’t aware or blame the other party - as a data controller you are responsible for the data. Plus with Brexit looming, businesses processing data in the UK or transferring data to the UK will need to monitor the laws closely on what measures will need to be in place to transfer data legally once the UK is no longer part of the EU.


Records of processing

From May 2018 businesses processing personal data will be required to maintain ‘written records of processing’. This means that your business needs to have a clear written account of what data you process and how it is kept secure, who you share it with and which countries the data may move between. In some circumstances (depending on the size of your business and the volume and nature of personal data that you process), you may also be required to designate a data protection officer. 

Fines and penalties

If you’re wondering whether you really need to worry about some new law coming in when you are a small/fledgling business, then how about imagining a fine of 4% of your global annual turnover and what that would do to your business, least of all the reputational damage. It’s not just big corporations that the law is intended to clamp down on - ‘smaller’ organisations with fewer compliance processes in place are just as likely, if not more so, to process data illegally.

Elletrepreneur is a startup consultancy providing legal contracts and strategic business advice for startups and SMEs. If you are unsure how your business needs to adapt in time for the new regulation, schedule a free 30 minute legal strategy session to discuss how to avoid being in breach."

Want more insight into GDPR? Read GDPR primer for startups and self-starters

Published on: 16th August 2017
