Commercialisation of data is the future for any forward-thinking business.
Tech startups should all have some form of strategic data plan, or at least a deep understanding as to how they capture and use data both to operate and grow their businesses. Optimally using first party data is one challenge and using third party data is another. Many businesses deploy a data analytics solution or engage data scientists to enhance the business’ understanding of its customer base. This can allow businesses to create personalised experiences designed to leave customers feeling valued, loved and wanting more.
However, using data in a commercially savvy way is not always restricted to ensuring customers receive the right type of marketing or making experiences personalised, but is also about using data to drive efficiencies within the workforce and supply chain.
Navigating the data privacy minefield
Leveraging first and third-party data can pose real privacy challenges. However, a well-advised tech startup should, in general, be able to achieve its ambitious goals in a way that de-risks the data challenges and does not lead to regulatory issues, unhappy customers or the inability to raise additional third-party funding.
Some key things a tech startup should be thinking about when deploying personal data-driven solutions include:
- Am I a data controller or processor: this can cause much confusion - it is key first to work out in respect of which activities you are a controller and which you are a processor (and/or sub-processor!). This is quite often not a binary choice. Identify and position yourself correctly from the start and save yourself many headaches later on. And remember that the GDPR and the DPA 2018 apply directly to processors as well as controllers.
- I don’t process personal data: time and again, we see tech start-ups who say ‘we don’t process data’ because ‘our data is pseudonymised’ or ‘we don’t touch the data’ – first of all, ‘personal data’ is very broad - it means any information relating to an identified or identifiable natural person, and someone can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, or an online identifier (think IP address). Your data set alone may not identify someone, but it may do so in conjunction with another dataset. Second, the fact that you ‘pseudonymise’ data may help fulfil your security obligations but does not mean that you don’t process personal data. Third, if you host data (or use a third party such as AWS, Azure, Google or another third party to do so), you process personal data.
- Data protection by design and by default: you should integrate data protection concerns into every aspect of your data processing activities. Unsurprisingly, the “by design” element means you should consider privacy and data protection issues at the design phase of any system, service, product or process as well as throughout the lifecycle, and in a joined-up way across all stakeholders. The “by default” element ensures that you only process the data that is necessary to achieve your specific purpose(s).
- Transparency & control: you may hear this time and time again, but it really is a cornerstone of data privacy compliance - ensure that if you are using an individual’s personal data, that individual is clear, among other things, on what personal data is being processed, with whom it is shared, and why it is being processed. Granularity is key. Individuals should be given control over how their data is used and have a clear understanding of their rights.
- Lawful basis: it is also key to ensure that, as a controller, you have a lawful basis to carry out the data processing activity and consider if the individual’s consent is required. Note that there are other grounds on which to rely and consent can be revoked. If consent is needed, you need to ensure the manner of data capture and the form of consent complies with data protection law.
- Security: the more personal data that a startup holds or processes, the higher their risk profile becomes, and so the more important it is to have security measures in place. Most ICO fines have related to security breaches. Ensure you have in place robust internal data security measures such as access controls, regular patching, encryption and pseudonymisation measures to reduce the risk of a personal data breach. Undertake pen testing on all solutions (or ask to see vendor pen test reports and due diligence on all third-party solutions). This is especially true if the data is to be transferred outside the UK or EEA.
- Data Privacy Impact Assessment (DPIA): where the processing of personal data is considered high risk (e.g. profiling of consumers on a large scale to understand their interests and provide a personalised experience), it is likely that you need to carry out a DPIA to identify risks associated with the processing and ensure measures are in place to mitigate against those risks.
- Use of third-party data brokers: a hot topic for data regulators. The ICO carried out an investigation into three major data brokers. Although use of data brokers is not in itself unlawful, businesses should act with great care. In particular, if you use a data broker to enrich data sets, ensure you carry out an appropriate level of due diligence on these data brokers before they are onboarded to ensure the personal data received from them: a) has been lawfully obtained; and b) can be lawfully used by the business going forward. The ICO has made clear that simply accepting a data broker’s assurances that the data they are supplying is compliant is not enough. Data broking is under scrutiny at present, so it is worth keeping a close eye on what is going on if you use data brokers to enhance your data sets.
Set off with confidence…
We’d encourage tech startups to be neither complacent nor scared of data privacy challenges. This is a complex area, but we can help you to build the optimal data privacy foundations for the future.
