We understand that GDPR can be a bit daunting – so as part of our Legal Sidekick GDPR series (click on GDPR in the Encyclawpedia to access it), we have tried to distill it into the 4 key areas below for you to work through. Then, keeping these areas in mind, you can use our GDPR Compliance Framework to implement GDPR compliance for your startup:


1. TRANSPARENCY (GIVING INFORMATION)
We need to inform individuals that we collect their personal information, and tell them what specific information we collect and why.

Key point to note: This can be covered by having a GDPR compliant privacy policy on your site. Create your GDPR compliant privacy policy here.

2. CONTROL AND CONSENT
We should obtain the consent of individuals before sending them marketing communications (e.g. via tick boxes on sign-ups). The general rule is that product releases don’t require consent but marketing communications do, and you are entitled to use your judgment to decide which way the coin falls.

Key point to note: When someone signs up to your business, they are making a conscious decision to engage with you. Therefore, you are entitled to presume that anyone that gives you their email address is interested in your business and your offering! Therefore, when considering whether or not you can send an email, especially about a new product launch or feature, you should ask “am I doing something wrong if I tell people who have expressed an interest in my business about a new feature or product launch?”

3. SECURITY
We must ensure that the data we hold is safe and secure.

Key point to note: When you use cloud storage or well-known software providers to store data, this will typically be enough. It is worth keeping a clear record, though, of which software providers you use for which information.

4. CONTROL AND CONSENT (USER REQUESTS)
We should be able to tell users what data we hold on them, delete their data, or stop using it to target them, if they ask us to.

Key point to note: GDPR introduced the concept of a ‘data subject access request’ – i.e. each individual is the ‘subject’ of the data held on them, and they can request access to that data or ask you to delete it. If you receive one, you have 1 month to respond, and you can also request an additional 2 months if you are struggling for time. Ultimately, although this right exists, you would be hard pressed to find a business which receives large quantities of these requests, and you almost certainly have bigger fish to fry than committing time to this at an early stage.

Our advice? Put it to one side until you receive one and then deal with it then.


Also see Quick Guide to GDPR Compliance for Startups.

For GDPR support, contact us here or email hey@legalsidekick.com.


Legal Sidekick is a legal platform for startups specialising in GDPR and various other startup legal areas. You can access our GDPR guides and other startup legal documents and guides via our platform. Search the Encyclawpedia for the resource you need. If we don’t have it – please request it!



