5 key implications of the General Data Protection Regulation for startups and business marketing
by Startacus Admin
The General Data Protection Regulation (GDPR) comes into force in May 2018 and will impact businesses worldwide if they are dealing with personal data relating to EU residents. Elle Hosie, founder and CEO of her own startup Elletrepreneur and expert in data protection laws, summarises some key aspects of the new regulation and how this will affect startups and your business marketing activities.
Privacy Policies
"Under the new legislation individuals must be provided with specific information about organisations processing their personal data and how the data is processed. This information is best provided to customers and employees in the form of a privacy policy. This requirement is universal, but is particularly important for online businesses where you are likely to be collecting email addresses for mailing lists or information about customers making purchases on your site. Since it’s easy to search a website for its privacy policy, it will be equally easy for regulators to clamp down on you if you aren’t providing the correct information. If you already have privacy policies in place, make sure these are correctly updated to include the new requirements, for example to provide the name and contact information of the ‘data controller’. Because data processing activities vary across all businesses, it’s important to get your privacy policies drafted by a professional with expertise in this area so that the specific activities of your business are properly addressed. 
The rights of the data subject (i.e. the individuals whose data you process)
Data subjects, e.g. your customers and employees, have a right to request information about the personal data any organisation holds about them, correct any wrong information and to have their information deleted and not used for marketing purposes. Startups, particularly those using technology to process large quantities of data, will need to consider the technical requirements to enable them to comply with providing this information or amending/ deleting data.
Whilst the duty to comply with these rights is enhanced by the GDPR (and the penalties for not doing so) these rights actually already exist under the current laws. However, the GDPR brings in a new right to have your data ‘ported’ from one organisation to another. This could have big implications for startups, particularly those in or using marketing, because it effectively allows your competitors to incentivise your customers to have their data transferred to your competitor. There will also be a 30 day time limit on your ability to comply with such requests.
Sharing data with third parties and internationally
Data subjects have the right to be informed about who their personal data is shared with. Businesses will often say that they don’t ‘share’ data with anyone when in fact they probably don’t realise that they share data with multiple parties in order to provide the service or product that they provide. What this means for startups is that you will need to consider the data processing activities of any third party servers, CRM systems, data analytics and anyone else with whom you may share data as part of your contracts or service. You will also need to show that you have a process for asking appropriate questions when choosing a third party to process data on your behalf about how they will store the data securely etc.
To transfer data outside the EEA (which could be as simple as storing it on a server overseas), your business must have ‘appropriate measures’ in place unless it is to a country which the EEA has deemed to have as having adequate data laws in place. ‘Appropriate measures’ could include.
If you are unsure about whether the countries personal data may be transferred to, you should ask questions from the other party to find out whether there will be appropriate measures in place. It’s not sufficient to just say you weren’t aware or blame the other party - as a data controller you are responsible for the data. Plus with Brexit looming, businesses processing data in the UK or transferring data to the UK will need to monitor the laws closely on what measures will need to be in place to transfer data legally once the UK is no longer part of the EU. 
Records of processing
From May 2018 businesses processing personal data will be required to maintain ‘written records of processing’. This means that your business needs to have a clear written account of what data you process and how it is kept secure, who you share it with and which countries the data may move between. In some circumstances (depending on the size of your business and the volume and nature of personal data that you process), you may also be required to designate a data protection officer.
Fines and penalties
If you’re wondering whether you really need to worry about some new law coming in when you are a small/ fledgling business, then how about imagining a fine of 4% of your global annual turnover and what that would do to your business, least of all the reputational damage. It’s not just big corporations that the law is intended to clamp down on- ‘smaller’ organisations with fewer compliance processes in place are just as likely, if not more so, to process data illegally.
Elletrepreneur is a startup consultancy providing legal contracts and strategic business advice for startups and SMEs. If you are unsure with how your business needs to adapt in time for the new regulation, schedule a free 30 minute legal strategy session to discuss how to avoid being in breach."
Want more insight into GDPR? Read GDPR primer for startups and self-starters
Subscribe to our newsletter
If you would like to receive our startup themed newsletter, full of the latest startup opportunities, events, news, stories, tips and advice, then sign up here.
London startup Soldo, is aiming to streamline the entire business expense cycle –from payment to reconciliation.
Don’t worry if your business died. You just got a step closer to entrepreneurial heaven says Richard Myers, Commercial Director at Transmit Start-Ups.
SupplyCompass, a design-to-delivery sourcing platform that provides an efficient and sustainable solution for global supply chains, agrees a £1.5m seed fund deal.
Apprenticeship startup WhiteHat raises $16m Series A led by Index Ventures and prepares to expand its alternative to university.
How can women effectively challenge gender bias in the workplace? Hayley Mackenzie from Boiler Guide, shares here thoughts and experience.
The app that's aiming to help us to take the first step in reversing climate change...
The startup that's providing Nursing Home residents with additional meaningful social interactions provided by local people!
Some easy and inexpensive ways to make your start-up more secure.
The vidiCREW app is on a mission to show your wedding through the eyes of your loved ones. How does it work?
The Startup Leadership Program continues to grow, inviting applications for its 9th London cohort to join the six-month program.
Published on: 16th August 2017
If you would like to enable commenting via your Startacus account, please enable Disqus functionality in your Account Settings.
- Startup Leadership Program invites applications for its 9th London cohort 12th Jul 2019 The Startup Leadership Program continues to grow, inviting applications for its 9th London cohort to join the six-month program.
- Latest Zinc Company Builder Programme to transform the quality of later life 9th Jul 2019 Do you want to build a new purpose-driven startup with support from a world-class network of experts?
- HealthTech startups sought for Greater Manchester Future of Health Challenge 4th Jul 2019 The Greater Manchester Future of Health Challenge is on the hunt for innovative healthtech startups and scaleups...
- Seedrs FMCG Accelerator Programme to help 10 UK-based FMCG businesses 3rd Jul 2019 Seedrs have launched their first FMCG Accelerator Programme dedicated to helping up to 10 UK-based FMCG businesses raise capital.
