The Technology Headlines

Data Protection Guide For Startups


The internet has changed how we go about our daily tasks. We shop, communicate, work, bank and book appointments online, and you could run almost every errand without leaving the house. In doing so we hand a great deal of personal information to businesses, and with cybercrime on the rise that information is exposed whenever a business looks after it badly. As a result, data protection has become increasingly important in recent years.

In May 2018 the General Data Protection Regulation (GDPR) came into force to protect the personal data of individuals in the EU. It changed how businesses collect, store and use that data, and it applies to every organisation that processes such data, however small, with fines for the most serious breaches of up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher. As a startup, you may be unsure how this legislation affects you and how to make sure you're compliant, and we're here to help.

This guide will take you through GDPR and what data protection means for your startup. It will also look at what counts as personal data (and which categories need extra care) and how you can comply with the regulation right from the start.

What is GDPR and how does it affect my startup?

GDPR is the basis for data protection law across the EU, and the UK kept it in domestic law after leaving (as the UK GDPR, alongside the Data Protection Act 2018). The legislation is designed to protect the personal data of individuals and give them more control over it. Among other rights, they can ask for a copy of the data you hold on them (you normally have one month to respond), ask for it to be corrected, and ask for it to be erased (the "right to be forgotten"). But what does this mean for your startup?

It means that your duty is to protect the personal data of your customers, clients and prospects. To do this you must understand the rules set out in the legislation and have the right security measures in place. You also need a lawful basis for every processing activity. Consent is one of six; the others include performing a contract with the person, meeting a legal obligation and your legitimate interests. Where you rely on consent it must be freely given, specific, informed and an unambiguous affirmative act. Whatever the basis, you may only use the data for the purpose you collected it for. If a customer or client asks to see the information you have collected on them you must be able to provide it. They can also ask you to delete it; erasure is not absolute (for instance, records you must keep by law), but you must then tell them what you kept and why.

A common misconception is that startups and smaller businesses do not have to abide by GDPR. This is simply not the case, and if you don't follow the rules you could find yourself in hot water. It is also good practice to get the proper security measures and processes in place right away, before your business begins to grow; retrofitting them later means nasty surprises and a large backlog of work.

What constitutes personal data? 

Under GDPR, personal data is any information relating to an identified or identifiable natural person: anything that names someone directly, and anything that could single them out when combined with other information (an IP address, a device identifier, a customer number). GDPR also singles out "special category" data (Article 9) that carries a higher risk to the person if it is misused or leaked, and which needs an additional lawful reason before you may process it at all. The two lists below reflect that split.

Personal data (examples): 

  • Names and addresses
  • Emails and phone numbers 
  • IP addresses and device identifiers
  • Social media profiles
  • Photos 
  • Audio or video recordings 
  • Geolocations 
  • Bank accounts, PayPal IDs or card information 

Special category data (needs extra protection): 

  • Race or ethnic origin 
  • Political views 
  • Religious or philosophical beliefs 
  • Trade union membership 
  • Genetic data, and biometric data used to identify someone 
  • Health information 
  • Sex life or sexual orientation 

How can I effectively implement data protection and become GDPR compliant? 

There are a number of practical ways to take data protection seriously and ensure that your business is GDPR compliant. Below we'll look at the simplest: set security goals, map your data and processes, tell people what you do with their data, gain consent where you rely on it, and keep your marketing within the rules. 

  1. Set data protection goals

To get started, set data protection and security goals for your startup: for example, which controls you will put in place, which systems they cover and by when. Whatever your goals, share them with all your employees so they understand why data protection matters for the success of the company. 

  2. Map your data and make a record of all your processes 

As mentioned above, you need to be able to provide and delete personal data when asked. To keep this organised and make the information quick to find, map out all your processes: a record of processing that notes, for each place personal data is held, what is collected, why, where it is stored, who it is shared with (including processors such as your hosting or email providers), how long it is kept and how it is eventually deleted. With that map you can answer an access request or erase someone's data by walking the list rather than searching every system.

  3. Create a privacy policy 

Put together a privacy notice that explains what data you collect, why, on what lawful basis, who you share it with, how long you keep it and how people can exercise their rights. GDPR requires you to give people this information at the point you collect their data, so publish the full version on a page of your website and link to it from your forms; a condensed version in a pop-up is fine as long as the full notice is one click away. This way your users know what you're doing with their personal information and how you protect it. 

  4. Ask for consent 

Where you rely on consent, ask for it explicitly and separately for each purpose: an unticked opt-in box the user has to tick themselves, with plain wording that says what they are agreeing to. Keep a record of who consented, to what, when and how, because you must be able to show it. The same applies to cookies: non-essential cookies (analytics, advertising) must not be set until the visitor has opted in, and refusing should be as easy as accepting. If you're building a website from scratch, design your cookie banner and form handling around opt-in from the start. 

  5. Ensure your marketing meets regulations 

Finally, marketing is important in the early stages of a business, for example building a mailing list and growing your customer base, but every marketing effort must be GDPR compliant too. In particular, your email marketing must stick to the rules: a pre-ticked box, a box buried in the terms and conditions or an automatic opt-in does not give valid consent, and in the UK electronic marketing is additionally governed by the Privacy and Electronic Communications Regulations (PECR). So get clued up before creating your marketing strategy, and keep proof of every opt-in.
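As an added example (not code from the original article, and not a model of any real product), here is how steps 2, 4 and 5 might be wired together in a small Python service: a data map that records where personal data lives, on what lawful basis and who it is shared with; consent capture that rejects pre-ticked or unticked boxes and keeps a record; and subject access and erasure routines that walk the map instead of searching every system. The store names, field names, retention periods and the sample user record are assumptions made for illustration.

```python
"""Data map, opt-in consent and subject access / erasure handling.

Added example for this guide: not code from the original article. Store
names, fields, retention periods and the sample user are constructed.
"""
from datetime import datetime, timezone

# Step 2: the data map. One entry per place personal data lives: fields held,
# purpose and lawful basis, who it is shared with, retention (None = account life).
DATA_MAP = {
    "accounts": {"fields": ["name", "email", "phone"],
                 "purpose": "account administration", "lawful_basis": "contract",
                 "shared_with": [], "retention_days": None},
    "billing": {"fields": ["card_last4", "billing_address"],
                "purpose": "payments and tax records", "lawful_basis": "legal obligation",
                "shared_with": ["payment processor"],
                "retention_days": 6 * 365},   # assumed statutory retention period
    "newsletter": {"fields": ["email"],
                   "purpose": "email marketing", "lawful_basis": "consent",
                   "shared_with": ["email service provider"], "retention_days": None},
}

# Constructed sample stores, keyed by user id.
STORES = {
    "accounts": {"u1": {"name": "A. Example", "email": "a@example.com",
                        "phone": "+44 7700 900000"}},
    "billing": {"u1": {"card_last4": "4242", "billing_address": "1 Example Street"}},
    "newsletter": {},
}
CONSENTS = {}    # (user_id, purpose) -> consent record
AUDIT_LOG = []   # what was done, for whom, when


class InvalidConsent(ValueError): pass


def consent_problem(box_checked, box_default_checked):
    """Steps 4 and 5: why a consent checkbox does not count, or None if it does.
    Only a box that started unticked and was actively ticked is valid consent."""
    if box_default_checked:
        return "pre-ticked box: consent was not an affirmative act"
    if not box_checked:
        return "box left unticked: the user did not opt in"
    return None


def record_consent(user_id, purpose, box_checked, box_default_checked=False, when=None):
    """Store a consent record (who, which purpose, when) so it can be proven later."""
    problem = consent_problem(box_checked, box_default_checked)
    if problem:
        raise InvalidConsent(problem)
    given_at = (when or datetime.now(timezone.utc)).isoformat()
    rec = {"user_id": user_id, "purpose": purpose, "given_at": given_at}
    CONSENTS[(user_id, purpose)] = rec
    AUDIT_LOG.append(("consent", user_id, purpose, given_at))
    return rec


def has_consent(user_id, purpose):
    return (user_id, purpose) in CONSENTS


def subscribe_newsletter(user_id, email):
    """The marketing store is only written when consent for that purpose exists."""
    if not has_consent(user_id, "email marketing"):
        raise InvalidConsent("no consent on record for email marketing")
    STORES["newsletter"][user_id] = {"email": email}


def export_subject_data(user_id):
    """Subject access request: walk the data map and return every field held
    about the user, what it is used for and who it is shared with."""
    out = {}
    for store, meta in DATA_MAP.items():
        rec = STORES[store].get(user_id)
        if rec is None:
            continue
        out[store] = {"data": {f: rec[f] for f in meta["fields"] if f in rec},
                      "purpose": meta["purpose"], "shared_with": meta["shared_with"]}
    out["consents"] = [c for (uid, _), c in CONSENTS.items() if uid == user_id]
    return out


def erase_subject(user_id):
    """Right to erasure: delete from every store except those held under a
    legal obligation with a retention period, and report what was kept and why."""
    erased, retained = [], {}
    for store, meta in DATA_MAP.items():
        if user_id not in STORES[store]:
            continue
        if meta["lawful_basis"] == "legal obligation" and meta["retention_days"]:
            retained[store] = f"kept {meta['retention_days']} days: {meta['purpose']}"
            continue
        del STORES[store][user_id]
        erased.append(store)
    for key in [k for k in CONSENTS if k[0] == user_id]:
        del CONSENTS[key]
    AUDIT_LOG.append(("erasure", user_id, erased, datetime.now(timezone.utc).isoformat()))
    return {"erased": erased, "retained": retained}
```

Two design points: the newsletter store cannot be written without a consent record for that exact purpose, so a pre-ticked or missing box never leads to a marketing email; and erasure returns the stores it kept (here the billing record under its assumed statutory retention) so the reply to the user can state what was retained and why, rather than silently keeping it.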