5 key implications of the General Data Protection Regulation for startups and business marketing
by Startacus Admin
The General Data Protection Regulation (GDPR) comes into force in May 2018 and will impact businesses worldwide if they are dealing with personal data relating to EU residents. Elle Hosie, founder and CEO of her own startup Elletrepreneur and expert in data protection laws, summarises some key aspects of the new regulation and how this will affect startups and your business marketing activities.
Privacy Policies
"Under the new legislation individuals must be provided with specific information about organisations processing their personal data and how the data is processed. This information is best provided to customers and employees in the form of a privacy policy. This requirement is universal, but is particularly important for online businesses where you are likely to be collecting email addresses for mailing lists or information about customers making purchases on your site. Since it’s easy to search a website for its privacy policy, it will be equally easy for regulators to clamp down on you if you aren’t providing the correct information. If you already have privacy policies in place, make sure these are correctly updated to include the new requirements, for example to provide the name and contact information of the ‘data controller’. Because data processing activities vary across all businesses, it’s important to get your privacy policies drafted by a professional with expertise in this area so that the specific activities of your business are properly addressed. 
The rights of the data subject (i.e. the individuals whose data you process)
Data subjects, e.g. your customers and employees, have a right to request information about the personal data any organisation holds about them, correct any wrong information and to have their information deleted and not used for marketing purposes. Startups, particularly those using technology to process large quantities of data, will need to consider the technical requirements to enable them to comply with providing this information or amending/ deleting data.
Whilst the duty to comply with these rights is enhanced by the GDPR (and the penalties for not doing so) these rights actually already exist under the current laws. However, the GDPR brings in a new right to have your data ‘ported’ from one organisation to another. This could have big implications for startups, particularly those in or using marketing, because it effectively allows your competitors to incentivise your customers to have their data transferred to your competitor. There will also be a 30 day time limit on your ability to comply with such requests.
Sharing data with third parties and internationally
Data subjects have the right to be informed about who their personal data is shared with. Businesses will often say that they don’t ‘share’ data with anyone when in fact they probably don’t realise that they share data with multiple parties in order to provide the service or product that they provide. What this means for startups is that you will need to consider the data processing activities of any third party servers, CRM systems, data analytics and anyone else with whom you may share data as part of your contracts or service. You will also need to show that you have a process for asking appropriate questions when choosing a third party to process data on your behalf about how they will store the data securely etc.
To transfer data outside the EEA (which could be as simple as storing it on a server overseas), your business must have ‘appropriate measures’ in place unless it is to a country which the EEA has deemed to have as having adequate data laws in place. ‘Appropriate measures’ could include.
If you are unsure about whether the countries personal data may be transferred to, you should ask questions from the other party to find out whether there will be appropriate measures in place. It’s not sufficient to just say you weren’t aware or blame the other party - as a data controller you are responsible for the data. Plus with Brexit looming, businesses processing data in the UK or transferring data to the UK will need to monitor the laws closely on what measures will need to be in place to transfer data legally once the UK is no longer part of the EU. 
Records of processing
From May 2018 businesses processing personal data will be required to maintain ‘written records of processing’. This means that your business needs to have a clear written account of what data you process and how it is kept secure, who you share it with and which countries the data may move between. In some circumstances (depending on the size of your business and the volume and nature of personal data that you process), you may also be required to designate a data protection officer.
Fines and penalties
If you’re wondering whether you really need to worry about some new law coming in when you are a small/ fledgling business, then how about imagining a fine of 4% of your global annual turnover and what that would do to your business, least of all the reputational damage. It’s not just big corporations that the law is intended to clamp down on- ‘smaller’ organisations with fewer compliance processes in place are just as likely, if not more so, to process data illegally.
Elletrepreneur is a startup consultancy providing legal contracts and strategic business advice for startups and SMEs. If you are unsure with how your business needs to adapt in time for the new regulation, schedule a free 30 minute legal strategy session to discuss how to avoid being in breach."
Want more insight into GDPR? Read GDPR primer for startups and self-starters
Subscribe to our newsletter
If you would like to receive our startup themed newsletter, full of the latest startup opportunities, events, news, stories, tips and advice, then sign up here.
Natalie Lovett, Director of The Whitewed Directory chats about her business and how you can grow your start-up business from home.
Innovation in mobility for the visually impaired thanks to WeWALK, a revolutionary smart cane!
The innovative app that will help you track and improve your sleeping habits...
The online platform which “connects illustration professionals with the planet's best publishers, designers and Art Directors”.
Pukket is aiming to create word of mouth on a large scale, by putting a usable, redeemable value on people’s social media impact when they help to spread word of a brand.
Cracked It, is a social enterprise staffed by young ex-offenders and at-risk youths, teaching them marketable phone repair skills and providing the means and opportunity to make money.
Seedrs’ AutoInvest will allow investors to customise investment criteria from industry sector, stage of business and tax relief eligibility to automatically invest in equity crowdfunding campaigns.
Local SEO can become, one of, if not the most effective method of marketing your local business. Here's some handy tips care of Digital Next.
Enhance convenience and efficiency by giving your home a brain, care of Manchester-based startup Wondrwall, a smart home intelligence system that learns from your behaviour.
How do you make sure your employer brand knocks your competitors out of the park to attract talent to your startup? Dee Murphy, Organisational Psychologist & Head of Employer Branding at Jobbio has this to offer...
Published on: 16th August 2017
If you would like to enable commenting via your Startacus account, please enable Disqus functionality in your Account Settings.
- Trezeo looks to the crowd to target full UK launch 27th Jun 2018 Trezeo, a fintech startup focused on delivering financial stability to the self-employed, targets fully launching its income smoothing business account product in the UK.
- CliniShift awarded upSTART startup pitch title at Digital DNA 2018 21st Jun 2018 CliniShift wins the upSTART startup pitch title at Digital DNA for 2018, battling off against 24 other disruptive UK, NI and Irish startups.
- Launchpad, the award-winning incubator/accelerator building high tech startups in Cornwall 21st Jun 2018 Launchpad, an innovative, post-graduate incubation & acceleration programme developed by Falmouth University that aims to create new digital businesses to meet identified market demand in just 12 months.
- Lloyd's Lab begins global search for tech talent 21st Jun 2018 Over ten weeks, tech startups will be given the unique opportunity to work with Lloyd’s market experts to shape the next big innovation.
