A guide for startups and small businesses on what GDPR means for them and what they should do to comply both now and into the future.
- Ensure that you understand what personal data you are collecting about individuals and why
- Develop robust practices to protect data and handle it properly
- Put processes in place to ensure compliance into the future
The European Union’s General Data Protection Regulation (GDPR) is far-reaching legislation affecting how:
(i) companies based in the EU (and UK post Brexit) collect, process and store personal data of data subjects based globally; or
(ii) global companies collect, process and store personal data of data subjects based in the EU.
This step-by-step guide explains why GDPR is important and what startups and small businesses should do to ensure they comply and don’t put themselves at risk of fines. This guide covers the high level requirements and should not be taken to be a comprehensive set of requirements.
Step 1: Understand GDPR
In 2018 the EU brought in new rules to tighten up how companies deal with personal data. This was in response to the evolving ways in which companies wanted to make use of personal data, concerns about the security of customer personal data and practices such as selling individuals’ information to third parties.
GDPR sets a framework for limiting companies’ use of personal data and attempts to give people more control over what’s done with their personal data. It aims to ensure businesses do not use, share or retain personal data beyond the purpose for which it was collected and that it is kept secure.
The GDPR sets out seven key principles which must be kept in mind whenever personal data is to be processed:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Breaches can lead to fines of up to €20 million or, if it’s greater, four percent of gross annual turnover.
- What data is included
Myriad types of data – personal data is any data which, alone or combined with other data, points to an individual. It does not have to identify them by name. This may include bank account details, email addresses, employment records, photos and much more. There are also “special categories” of data, like a person’s ethnicity, biometric data used for identification or religious views, which may create a particular risk to a data subject and require additional considerations prior to their collection, use or storage.
- Decide if it applies to you
GDPR applies to all companies that collect, store and process the personal data of people in the EU. It affects global companies because many have EU customers, suppliers or employees. GDPR has been incorporated into UK Law by the UK Government and it will remain in place post-Brexit.
- GDPR and small businesses
Contrary to what is sometimes thought, startups and small businesses with fewer than 250 employees are not exempt from GDPR requirements, except in limited circumstances related to a small number of requirements. GDPR applies to personal data wherever it is kept in an organised manner, whether that’s in an email, on spreadsheets, in the cloud, in hard copy or anywhere else.
Step 2: Ensure compliance
Central to GDPR is the requirement for businesses, of whatever size, to ensure they only process personal data where they have a lawful basis to do so.
- Transparency of processing
Startups and small businesses should tell individuals what data they will collect and how they will use it along with additional information mandated by GDPR. In addition to this information, the business must also have a lawful basis of processing. If a company is relying on consent, it is advisable that they keep a record of the permissions they have received, in case it is later challenged. They must also give individuals the ability to opt out at any time.
- Protect data and report breaches
GDPR requires that personal data is held securely, so security (including cybersecurity) should be prioritised. As well as ensuring they have appropriate and up-to-date security software, startups and small businesses need to consider policies on, for example, how tablets, laptops and other devices containing personal data are secured or any physical security considerations for premises. Ideally, personal data stored electronically should be encrypted.
- Report breaches
Should a personal data breach happen, it’s important to act fast to stop continuing personal data loss (including corruption or unauthorised use) and report what’s taken place to the UK’s Information Commissioner’s Office (ICO), ideally within 72 hours of discovery of the breach. The ICO will want to know how the breach took place, the type of data lost, the type of data subject (for example, customers, suppliers, etc.), the number of people affected and the steps being taken to put things right and mitigate risks to the data subjects. Ensuring compliance will require the training of relevant staff so they can identify when a personal data breach has happened.
- Make it someone’s responsibility
Typically, only companies with more than 250 staff are required to appoint a dedicated “Data Protection Officer”, but it may make sense for startups and other small businesses to put someone in charge of GDPR compliance.
- Check your suppliers and contractors are compliant too
Startups and small businesses not only have to comply with GDPR themselves, they have to ensure that suppliers and contractors with whom they share personal data do so too. One way is to ask them to complete a detailed GDPR compliance checklist and to specify compliance requirements in contracts. It is also important to have safeguards in place when transferring data to third parties outside of Europe or in jurisdictions not offering adequate protections (as determined by the European Commission).
Step 3: Comply within the rules over time
Adhering to GDPR is not a one-time event. Instead, startups and small businesses have to maintain good practice over time and consider how long they retain data and when they should delete information.
- Respect individuals’ rights
Individuals have a number of rights under the GDPR. These include the right to ask for information about the personal data held about them, the “right to be forgotten”, the right to have the processing of their data restricted, and the right to object to processing altogether, unless the information is needed for another compatible purpose such as, for example, complying with tax obligations.
- Don’t keep data without good reason
Companies are required to keep personal data only for as long as necessary, so the best thing is to delete it as soon as it’s no longer needed. As well as auditing what personal data they have, small businesses and startups are advised to put in place policies on how long they keep personal data and it is a requirement of GDPR to advise individuals of retention periods at the point of collecting personal data.