Demystifying GDPR: A Startup's Guide to Compliance
Why does the General Data Protection Regulation (GDPR) apply to you?
Are you aware of the General Data Protection Regulation (GDPR), and do you know whether it is relevant to your business? Regardless of your field, if you collect personal data from EU citizens, you must comply with the requirements set out in the GDPR. It is therefore essential to be aware of its implications and requirements.
What is the GDPR?
GDPR came into force in May 2018. Although the term is frequently used in many areas, we are not always familiar with what it actually means. The law governs the processing of personal data and protects the privacy of everyone in the UK. The purpose of GDPR is transparency: ensuring that you effectively communicate any and all information regarding your clients' data to them.
The Data Protection Act 2018 (DPA 2018) was put in place to protect the rights of UK citizens once the EU regulation (the General Data Protection Regulation, Regulation (EU) 2016/679) would cease to hold much power after Brexit. The Act sets out seven key principles which aim to guarantee "fair and proper use of personal information":
lawfulness, fairness and transparency
purpose limitation
data minimisation
accuracy
storage limitation
integrity and confidentiality
accountability
Personal data is anything which can identify a given individual, from a postal address to a cookie identifier. As a business, it is your responsibility to protect any data you collect under the DPA 2018.
GDPR and startups
Businesses with fewer than 250 employees are not required to keep a data inventory or a record of data processing unless the processing: jeopardises people's rights; is not infrequent; or contains specified data categories, such as gender or ethnicity. Although it may not be essential for your startup to record its processing in the early stages, the GDPR guidelines are important to bear in mind as your business develops and expands.
It is critical for a startup to understand the data it collects. Knowing the various categories of personal data is therefore the first step. In the GDPR standards established by the EU, personal data is defined as "any information relating to an identified or identifiable natural person." This might include anything from personal details such as addresses, phone numbers and images to broader information such as ethnicity. Businesses must obtain consent before collecting any personal data. This can be done through terms and conditions, which must be made clear to consumers.
What can you do to comply?
The first step may be to implement a privacy policy; please refer to the Catalegal Privacy Policy article for more information.
The privacy policy will aid compliance with the GDPR by:
Giving you a good understanding of the data that you require and collect, enough to explain this to your client or customer;
Ensuring the data collected is secure and safely stored, and that you understand how this process works well enough to communicate it to the data owner; and
Allowing a customer to accept or reject the conditions, which satisfies the requirement to obtain permission before collecting data.
You must also bear in mind that, under data protection law, all users have the right to request access to their information. They can also request that it be deleted, so be prepared for both access and deletion requests.
- Authors: Tanisha Shah, Rita Almazuri and Sofia Martiello
DISCLAIMER
This article has been written by law students for the sole purpose of providing informative insight. The information in this article is intended for educational purposes only and does not constitute legal advice, nor should the information be used for the purpose of advising clients. You should seek independent legal advice before relying on any of the information provided in this article.