5 key implications of the General Data Protection Regulation for startups and business marketing
by Startacus Admin
The General Data Protection Regulation (GDPR) comes into force in May 2018 and will impact businesses worldwide if they are dealing with personal data relating to EU residents. Elle Hosie, founder and CEO of her own startup Elletrepreneur and expert in data protection laws, summarises some key aspects of the new regulation and how this will affect startups and your business marketing activities.
Privacy Policies
"Under the new legislation individuals must be provided with specific information about organisations processing their personal data and how the data is processed. This information is best provided to customers and employees in the form of a privacy policy. This requirement is universal, but is particularly important for online businesses where you are likely to be collecting email addresses for mailing lists or information about customers making purchases on your site. Since it’s easy to search a website for its privacy policy, it will be equally easy for regulators to clamp down on you if you aren’t providing the correct information. If you already have privacy policies in place, make sure these are correctly updated to include the new requirements, for example to provide the name and contact information of the ‘data controller’. Because data processing activities vary across all businesses, it’s important to get your privacy policies drafted by a professional with expertise in this area so that the specific activities of your business are properly addressed. 
The rights of the data subject (i.e. the individuals whose data you process)
Data subjects, e.g. your customers and employees, have a right to request information about the personal data any organisation holds about them, correct any wrong information and to have their information deleted and not used for marketing purposes. Startups, particularly those using technology to process large quantities of data, will need to consider the technical requirements to enable them to comply with providing this information or amending/ deleting data.
Whilst the duty to comply with these rights is enhanced by the GDPR (and the penalties for not doing so) these rights actually already exist under the current laws. However, the GDPR brings in a new right to have your data ‘ported’ from one organisation to another. This could have big implications for startups, particularly those in or using marketing, because it effectively allows your competitors to incentivise your customers to have their data transferred to your competitor. There will also be a 30 day time limit on your ability to comply with such requests.
Sharing data with third parties and internationally
Data subjects have the right to be informed about who their personal data is shared with. Businesses will often say that they don’t ‘share’ data with anyone when in fact they probably don’t realise that they share data with multiple parties in order to provide the service or product that they provide. What this means for startups is that you will need to consider the data processing activities of any third party servers, CRM systems, data analytics and anyone else with whom you may share data as part of your contracts or service. You will also need to show that you have a process for asking appropriate questions when choosing a third party to process data on your behalf about how they will store the data securely etc.
To transfer data outside the EEA (which could be as simple as storing it on a server overseas), your business must have ‘appropriate measures’ in place unless it is to a country which the EEA has deemed to have as having adequate data laws in place. ‘Appropriate measures’ could include.
If you are unsure about whether the countries personal data may be transferred to, you should ask questions from the other party to find out whether there will be appropriate measures in place. It’s not sufficient to just say you weren’t aware or blame the other party - as a data controller you are responsible for the data. Plus with Brexit looming, businesses processing data in the UK or transferring data to the UK will need to monitor the laws closely on what measures will need to be in place to transfer data legally once the UK is no longer part of the EU. 
Records of processing
From May 2018 businesses processing personal data will be required to maintain ‘written records of processing’. This means that your business needs to have a clear written account of what data you process and how it is kept secure, who you share it with and which countries the data may move between. In some circumstances (depending on the size of your business and the volume and nature of personal data that you process), you may also be required to designate a data protection officer.
Fines and penalties
If you’re wondering whether you really need to worry about some new law coming in when you are a small/ fledgling business, then how about imagining a fine of 4% of your global annual turnover and what that would do to your business, least of all the reputational damage. It’s not just big corporations that the law is intended to clamp down on- ‘smaller’ organisations with fewer compliance processes in place are just as likely, if not more so, to process data illegally.
Elletrepreneur is a startup consultancy providing legal contracts and strategic business advice for startups and SMEs. If you are unsure with how your business needs to adapt in time for the new regulation, schedule a free 30 minute legal strategy session to discuss how to avoid being in breach."
Want more insight into GDPR? Read GDPR primer for startups and self-starters
Subscribe to our newsletter
If you would like to receive our startup themed newsletter, full of the latest startup opportunities, events, news, stories, tips and advice, then sign up here.
Thortful - The startup that's providing a creative card marketplace for designers, illustrators and photographers...
We are liking the sound of Feels FM, an emoji-powered jukebox using music as a positive coping strategy, & to find new ways to talk about mental health.
Innovative startups and businesses designed and focused on empowering and embracing female consumers.
P2P investment aggregator Orca raises £500K on equity crowdfunding platform, Seedrs within two days.
British logistics company Wincanton is looking for tech startups to pitch their solutions for industry specific challenges, as part of their returning W2 Labs innovation programme.
Portugal-based startup Magikbee secures a further $250k round of funding to continue its mission to reimagine kids’ learning and screen time.
Perlego - billed as the 'Spotify for textbooks' - has closed a $4.8m venture round, signalling a new chapter for the growing company on a mission to make textbooks more accessible.
Startup Hubbite has been launched with the aim of putting the trust back into online reviews.
20 aspiring early stage NI technology startups pitched for the chance to win a cash prize for their businesses, closing Ignite NI’s first Propel Pre-Accelerator programme.
Product Guru is a product discovery platform that's helping buyers from consumer goods & gift companies to discover unique & innovative new products.
Published on: 16th August 2017
If you would like to enable commenting via your Startacus account, please enable Disqus functionality in your Account Settings.
- Irish startups invited to pitch at Innovation Nation 2018 19th Aug 2018 Startacus has teamed up with the inaugural Innovation Nation 2018 to deliver Ascend, an all-Ireland tech startup pitch competition.
- North East entrepreneurs sought for new Ignite Accelerator in Newcastle 17th Aug 2018 Ignite returns to Newcastle, home to its inaugural accelerator programme, to launch a 3-month funded, pre-accelerator programme for up to 20 early-stage businesses.
- Urban Massage raises over £2.5m via Seedrs 13th Aug 2018 Urban Massage announces new on-demand wellness services and immediately raises over £2.5m in investment via equity crowdfunding platform, Seedrs.
- Seedrs expands into investor automation with AutoInvest 17th Jul 2018 Seedrs’ AutoInvest will allow investors to customise investment criteria from industry sector, stage of business and tax relief eligibility to automatically invest in equity crowdfunding campaigns.
