Startups processing personal data as part of their services are legally bound to comply with the General Data Protection Regulation, or ‘GDPR’.
Almost two years after the regulation came into force in May 2018, the European Parliament has concluded, based on recent studies and surveys worldwide, that many companies are still not GDPR compliant. In fact, only 28% of those surveyed have complied with the GDPR, with the UK and Germany being the European countries with the highest rate of compliance. The main reasons for non-compliance are the cost of implementing the regulatory framework, difficulties in terms of infrastructure and the complexity of the GDPR requirements.
The GDPR attempts to create a regulatory framework that allows the free flow of data between the member states and within the European Union, and addresses the challenges that big IT companies pose to the protection of personal data, imposing strict and complex requirements for this purpose. However, the regulation fails to provide a realistic and proper framework for startups and SMEs in terms of GDPR compliance.
Navigating the specific requirements of the regulation is not an easy task. Too many complex rules and concepts (like “privacy by design”, “privacy by default”, “privacy impact assessment”), with no guidance for startups as to how to implement them considering their differences and specific needs, have made GDPR compliance a real challenge in terms of time and costs. However, don’t be too put off by the complex requirements – startup compliance is feasible if conducted in line with your scope and infrastructure as a small company.
Based on the above, how should startups think about the GDPR?
1. Going legal and avoiding risks
The reality is that the regulation is out there to be enforced, and companies of all kinds, including startups, are bound to comply with it in a proactive manner based on the principle of proactive responsibility proclaimed under the regulation. We can no longer wait until a security breach occurs to comply with the regulation, as we only have 72 hours to notify the regulator, and in some instances the data subject, of such a breach. Additionally, the regulation imposes high penalties for breaches of these laws, which pose a risk to any company, big or small, in case of non-compliance.
Startups need to start seeing GDPR compliance as an opportunity to assess the risks in their processing of data, and to determine whether any changes are needed in their business model to align with the requirements and avoid unwanted contingencies that may affect their economic results.
2. Attracting investors
GDPR has a profound impact on how most organizations operate and has radically changed how startups receive investment.
Investors want to find out whether the startup’s premises breach the GDPR and, crucially, whether the GDPR will change customer behaviour in a way that, given the startup’s business model, affects its viability. With the right to be forgotten and the right to data portability, for instance, customers will gain power over the handling and sharing of their data, making free monetization of such data more difficult.
Investors consider not only the level of compliance of the startup with the GDPR but also if the business development strategy that it uses is viable in a post-GDPR environment.
Startups must see GDPR compliance as part of their business strategy and a way of generating trust with investors in their business models to attract further investment.
3. Protection of individual rights and better services
One of the purposes of the GDPR is to provide assurance to individuals regarding protection of their personal data and their right to privacy.
Implementing transparent security measures for customers to exercise their individual rights (such as the right to be informed, the right of access, the right to be forgotten, to name a few) will definitely help in creating trust among consumers. This will in turn increase the sharing of data as individuals will confidently grant access to it, through consent and portability.
Data sharing will enable startups and businesses to develop more personalized services. The more data is shared on the basis of trust and consent, the better the services created from a customer’s point of view, as they will address one of the individual’s main concerns: the control and protection of their personal data.
4. Security for your business
Under the GDPR companies have to implement appropriate measures and safeguards for the security of personal data.
Cybersecurity attacks have grown exponentially, posing a real threat to business. Startups are not exempt from this scenario and could be greatly impacted by a cyberattack. Unprotected Wi-Fi networks, malware, unencrypted emails and data, weak passwords, and untrained employees could all pose a risk to data security.
Startups should manage their GDPR compliance to avoid data being compromised, which may affect the continuance of their business.
5. Working with trusted partners and protecting reputation
Startups always think big; accordingly, they need to look after their reputation from the outset.
The GDPR requires companies to share the personal data of their customers only with trusted partners, so-called data processors. These are companies that provide services entailing access to that personal data, for instance cloud storage services. To be a trusted partner, they need to comply with the GDPR and be able to prove it.
Market reputation can be damaged by a security breach, a cyberattack or non-compliance with the GDPR, whether on the part of the startup or of any company that provides services to it. In the end, these providers are an extension of the services your startup delivers. If that happens, customers may be dissatisfied, as you may need to notify them, and competitors may use it to their advantage. Dealing with trusted partners that meet GDPR requirements helps to build a better reputation and gives startups a competitive advantage.
Convinced? Next steps
Based on the above, it is time for startups to think differently about GDPR compliance and make it part of their business strategy and daily operations in order to gain a better position in the market. To start, identify the areas of your business where you store or handle the data of your customers: website cookies, newsletter subscribers, product purchase information, event registrations, etc.
The European Data Protection Board has some resources on applying the GDPR on a general level, which are useful to read but can be quite long. For more succinct information, each country has its own data privacy agency that will provide information and guidance on GDPR compliance, for example the Spanish data privacy agency. You may want to check out their websites for specific guidance in your language.