Besides seeking investors, building your customer base, and perfecting your product, your startup needs to consider data protection.

Every business operating in the EU must prioritize GDPR compliance. Customers, investors, and business partners need to see that your privacy and security practices align with the law.

In this article, we'll be looking at the key steps your startup must take towards GDPR compliance.

Conduct a Personal Data Audit

Your first step towards GDPR compliance should be to map out all the personal data your business controls. You must ensure you have a comprehensive understanding of what personal data you collect and handle.

The GDPR has an expansive definition of "personal data." Any information that relates to an "identifiable person" can be personal data. Personal data can include:

  • Your customers' names, email addresses, mailing addresses, etc.
  • Information collected by your website or mobile app, such as cookie IDs, IP addresses, usage data
  • Information about your employees, including their contact details, salaries, and emails (whether to, from, or about them)

You should also note whether you process any "special category data" about people's:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health
  • Sex life or sexual orientation

Special category data requires particularly careful treatment under the GDPR. For more information, see our article: Sensitive Personal Data and the GDPR.

Consider how personal data flows into your business, where it is stored, and with whom you share it. For more information, see our article: Conducting a GDPR Data Audit.

Understand the Principles of Data Processing

A fundamental part of GDPR compliance is understanding and implementing the GDPR's principles of data processing. These six principles must underpin all your data processing activities.

Lawfulness, Fairness, and Transparency

The principle of "lawfulness, fairness, and transparency" requires that you:

Purpose Limitation

"Purpose limitation" means only using personal data for the purpose for which you collected it.

A simple example: If you collect customers' email addresses to confirm their orders, don't also provide those email addresses to a third-party marketing firm.

There are exceptions. For example, you can use personal data for new purposes that are "compatible with the original purpose." Or you can get consent to use personal data for a new purpose.

Data Minimization

The principle of "data minimization" requires that you must only process the minimum personal data that you need for a specified purpose.

You need a customer's shipping address to send them a product they've ordered. You probably don't need their date of birth. You need a customer's email address to send them your newsletter. You don't need their phone number.

Everybody wins when you minimize the amount of personal data you collect. You can save resources on data storage and security, you won't need to provide access to data you don't have, and you're less likely to suffer a data breach.

Accuracy

The GDPR states that "every reasonable step must be taken to ensure that personal data that are inaccurate... are erased or rectified without delay."

This requires that you take a careful and organized approach to administering personal data. Disasters can result when people mix up customers' records or misspell customers' names.

It also requires that you take reasonable steps to keep your records up to date. This includes providing a way for your customers to update their contact details.

Storage Limitation

"Storage limitation" means not keeping personal data for longer than you need it.

How long do you "need" to store personal data? This depends on the context. You may need to retain customer data for several years for accounting purposes. Or you may be able to delete it as soon as a customer closes their account.

The GDPR states that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary." This means that you may be able to keep data for longer than "necessary," but you'll have to anonymize it.

Integrity and Confidentiality (Security)

Under the principle of integrity and confidentiality, you must restrict access to personal data and ensure that it is not lost or damaged. You can do this by implementing technical security measures and training your staff in data protection.

We'll be looking at how to secure your customers' personal data below.

Accountability

You are accountable under the GDPR, and you must be able to demonstrate your accountability. This includes:

  • Keeping records of your decisions and activities
  • Ensuring you can justify your uses of personal data
  • Cooperating with your Data Protection Authority, where required

Determine Your Lawful Basis for Processing

The GDPR only allows personal data to be processed on one of six "lawful bases." You can think of the lawful bases as valid, legal reasons for which you may process personal data.

A crucial step towards GDPR compliance is determining your lawful basis for processing each type of personal data in your control. Don't collect or use any personal data unless you have a lawful basis for doing so.

Consent

Consent is the best lawful basis to use whenever you can offer people a genuine, free choice about how you use their personal data.

Some types of data processing require consent by default. For example:

  • Asking someone who has no existing relationship with your company to sign up to marketing communications
  • Using advertising or analytics cookies
  • Accessing a person's device location or camera

The GDPR has a very strict standard of consent. If you're going to ask someone for their consent, you must ask them in the right way, and you must respect their answer.

Here's how the GDPR defines "consent":

EUR-Lex GDPR: Article 4 - Definition of Consent

The key elements of this definition are:

  • Freely given: Don't make consent a pre-condition of using your service
  • Specific: A consent request must relate to a single, specific act of data processing
  • Informed: Provide all the necessary information before making your request (including your Privacy Policy)
  • Unambiguous: Make sure you have a clear indication of the individual's consent
  • Given via a clear, affirmative action: Don't use pre-ticked boxes or other opt-out mechanisms

Consent must also be easy to withdraw. Make it easy for your customers to change their minds.

Contract

The lawful basis of "contract" is suitable where you need to process personal data:

  • To fulfill your contractual obligations
  • To enable a person to fulfill their contractual obligations to you
  • To enter into a contract with a person

For example, if a customer orders a product from your website, you're contractually obligated to send them the product. You need to process their mailing address for this. They're contractually obligated to pay you. You need to process their credit card data for this.

You can also rely on the lawful basis of "contract" to provide quotes or enter into negotiations that might lead to a contract being formed.

Legal Obligation

Businesses are legally obligated to process personal data for certain purposes.

For example, you need to process your employees' income data for the purposes of paying their taxes. You may need to store your customers' purchase details for accounting purposes. You may also receive a court order requiring you to share some personal data with the court.

For more information, see our article: GDPR Lawful Basis: Legal Obligation.

Vital Interests

If you ever need to process personal data to save someone's life or protect their health, you can do so under the lawful basis of "vital interests."

Public Task

"Public task" is for companies processing personal data under public authority or for public bodies processing personal data in the public interest.

Legitimate Interests

The lawful basis of "legitimate interests" is useful for situations where:

  • Getting consent might not be possible or appropriate
  • The data processing is unintrusive and the personal data is non-sensitive
  • People would reasonably expect you to process their personal data in this way

An example is where you want to send marketing communications to your existing customers. You don't necessarily need to get their consent for this, as long as you offer them the opportunity to opt out. You might be able to rely on "legitimate interests" instead.

For more information, see our article: Three-Part Test for Legitimate Interests.

Create a Privacy Policy

Creating a Privacy Policy is a core obligation under the GDPR (and most other privacy laws). Your Privacy Policy tells people how and why you process personal data, and how they can exercise choices over your processing of their personal data.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

At a minimum, your Privacy Policy must:

  1. Provide your company's contact details
  2. List the categories of personal information you process (e.g. name, email address, IP address)
  3. Explain your purposes for processing personal information (e.g. "email address: to send you marketing information")
  4. List the categories of third parties with which you share personal information (e.g. analytics providers, mail carriers, marketing companies)
  5. Explain your lawful basis for processing each category of personal information
  6. If you transfer personal data outside of the EU, explain your international data transfer safeguards
  7. Explain how individuals can exercise their GDPR data rights
  8. Provide contact details for your Data Protection Authority

Your Privacy Policy is a live document that you must update as necessary. You must ensure it is available on your website, and you should link to it whenever you collect personal data.

Register With Your Data Protection Authority

The GDPR is enforced by Data Protection Authorities: independent privacy regulators that can give businesses data protection advice, and are responsible for issuing fines for GDPR violations.

You may need to register with your Data Protection Authority and pay an annual fee. For example, the UK's Data Protection Authority, the Information Commissioner's Office (ICO), charges annual fees between £40 and £2,900.

If your business is based in the EU, you'll need to register with the Data Protection Authority in the country in which you are based. If you're based outside of the EU, your Data Protection Authority will be the one based in the country in which you conduct most of your operations.

Secure Your Customers' Personal Data

The GDPR requires that you apply appropriate security measures to ensure that the personal data you hold is not compromised or subject to unauthorized access.

Data breaches are a major cause of fines under the GDPR, so it is in your interest to make sure you protect your customers' data.

Some of the measures you should take to protect personal data in your business include:

Appoint a Data Protection Officer (If You Need One)

The GDPR requires certain companies to designate a Data Protection Officer (DPO). A DPO holds general responsibility for your company's GDPR compliance.

You'll need to appoint a DPO if:

  • Processing personal data is one of your "core activities" (for example, you operate a social media platform)
  • You process personal data on a large scale (for example, if you have lots of customers)
  • You engage in "regular or systematic monitoring" (for example, you provide health and fitness tracking)
  • You process a lot of special category data or data about people's criminal convictions

You can appoint a DPO from among your existing employees, or you can hire a third-party contractor.

Set Up Data Processing Agreements

Under the GDPR, a person or organization that "determines the purposes and means of the processing of personal data" (decides how and why data is processed) is a "data controller." Most businesses are data controllers.

But you probably work with "data processors," companies that process personal data on your behalf. Data processors can include email marketing companies, analytics providers, and customer service providers.

Before you transfer any personal data to a data processor, you must ensure that you have a Data Processing Agreement. This is a contract that determines the scope of your data-sharing arrangements and ensures that the data processor takes good care of all personal data it receives from your company.

For more information, see our article: GDPR Data Processing Agreement.

GDPR Compliance Checklist for Startups

  • Conduct a personal data audit
  • Understand the principles of data processing
  • Determine your lawful basis for processing
  • Create a Privacy Policy
  • Register with your Data Protection Authority
  • Secure your customers' personal data
  • Appoint a Data Protection Officer (if you need one)
  • Set up Data Processing Agreements