Here is a quick GDPR guide for startups, written to summarise the things a startup or entrepreneur actually needs to know about GDPR when it comes to data privacy.
GDPR = the General Data Protection Regulation = an EU-level law which applies directly to EU citizens and is aimed at protecting people’s personal information* and stopping businesses abusing it. Whether or not we stay in the EU, it is also effectively part of UK law now too under the Data Protection Act 2018.
*Personal information = any data which can be used to personally identify an individual.
The Rationale for implementing these rules
1 – Transparency – companies shouldn’t be able to buy and sell and generally share people’s personal information without their consent.
2 – Control and Consent – people should be able to have control over how their own personal information is used.
3 – Security – if you are going to collect personal information, you need to make sure it is held securely.
4 – Uniformity – in a globalised, online world, it makes sense to have one uniform set of rules which transcend borders so that international businesses clearly know their requirements.
Where is the ‘line’ of what is acceptable and what is not?
Whilst there are fixed rules (e.g. not selling or sharing Personal Data without an individual’s consent), the exact method of compliance for each business may look a little different, meaning there isn’t always an exact line. For example, a large business may need a detailed set of policies in place for staff to manage how customer data is controlled internally, to ensure that data is held and retained securely. That business may need a whole suite of policies to be properly communicated throughout the organisation.
Does this mean that your new startup needs to do the same? Absolutely not. If you hire any staff, it may be enough to make clear to them in an email and/or in their contract with you (e.g. a consultancy agreement or employment contract) that they will treat all customer data as confidential and keep safe all passwords to the files where that information is stored.
The lack of an exact line is a good thing for you ultimately – it means that smaller startups do not actually need to be overburdened by GDPR unnecessarily.
What do startups actually need to do?
You should approach GDPR matters with the above ‘Rationale’ in mind – if things which you are told you need to do do not seem at all relevant to you, then they likely are not relevant to you! Try to take a logical approach to GDPR.
Your starting point should first be listing out the personal information of users/members/customers (whatever you choose to call them!) and staff which you collect and hold. This will put the whole GDPR piece in context.
Then, we have set out a GDPR compliance framework which will set you on the path to doing that. Download it here (membership required).
For more information, see GDPR – What Do We Actually Need To Do?
GDPR COMPLIANCE FRAMEWORK
You can download our Legal Sidekick: GDPR Compliance Framework here. See above – the five main headings are relevant for all businesses, but feel free to implement each line item only if it is actually relevant for your business.
Once you are comfortable with the GDPR Compliance Framework, then you should be in a very good position to be a GDPR compliant business. Simple!
Naturally, there are other questions which can come up, but hopefully this very short guide gives you a clear framework for what you actually need to do to be compliant. Remember that GDPR is more about stopping businesses abusing personal information – so if you feel you are being reasonable and diligent, the odds are you pass the abusiveness test.
If you need GDPR support, please let us know.
Legal Sidekick is a legal platform for startups specialising in GDPR and various other startup legal areas. You can access our GDPR guides and other startup legal documents and guides via our platform. Search the Encyclawpedia for the resource you need. If we don’t have it – please request it!