
10 ways for startups to get on top of data protection compliance.

The GDPR.

You’ve heard of it. You know it has something to do with “personal data”. You know it’s important and is wide-reaching. But you don’t know where to begin to comply with it.

The General Data Protection Regulation (known simply as the “GDPR” in the European Union and the “UK GDPR” in the UK) is a fairly new data protection law that all startups, regardless of their size, should be aware of and take steps to comply with.

Customers expect startups to use their data in a responsible way. Breaching UK GDPR obligations risks large fines, investigations and inspections by regulators, enforcement notices, legal claims by affected customers, and (potentially worst of all) irreversible reputational damage to your brand. No startup wants its brand in the headlines coupled with the words “data breach”, and customers very quickly lose sympathy for startups that are reckless when it comes to protecting data.

Get on top of data protection compliance with our “ABCs of the UK GDPR” below:

1. Map your data flows

The first step to any data protection compliance is understanding what data you collect and where it goes.

Start by determining what data you collect and why, where you send it and who you share it with. This will help to inform decisions about your “legal basis” for processing the data.

To do this you should conduct a data-mapping exercise, a process that shows how data from one information system transfers to another, and an audit. Audits assess your data protection practices by looking at whether you have effective policies and procedures in place, whether you are following them, and identifying where improvements could be made. Think of an audit as an opportunity to find “gaps” in your UK GDPR compliance.

2. Can your service providers be trusted?

Startups need to ensure that the right contractual guarantees are in place with service providers who have access to personal data; where a provider processes data on your behalf (a “processor”), the UK GDPR requires the contract to contain specific mandatory terms. You need to conduct due diligence on service providers to satisfy yourself that the personal data entrusted to them will be protected and that they have sufficient security arrangements in place. Ultimately, you remain responsible for the data that you send from your systems. Make sure you keep a record of all your efforts.

3. Sending data overseas

Personal data must not be sent outside of the European Economic Area or UK unless the destination country has been found to provide adequate protection or other safeguards are in place. This usually means putting in place a transfer contract that imposes obligations on the overseas recipient to protect personal data: the Standard Contractual Clauses for transfers from the EEA, and for transfers from the UK either the ICO’s International Data Transfer Agreement or the UK Addendum to the EU clauses. You will also be required to assess the recipient and the laws of the recipient country (a “transfer risk assessment”) and, where that assessment shows a gap, implement additional measures (such as encryption to which the recipient holds no key) to protect the data to an adequate standard.

4. Do you need to appoint a data protection officer?

If your startup’s core activities consist of regular and systematic monitoring of data subjects on a large scale (e.g. behavioural tracking) or large-scale processing of special categories of data (e.g. health data), then you might need to appoint a data protection officer (“DPO”). Some European countries have specific rules about when a DPO must be appointed.

Even if you are not required to appoint a data protection officer, you should appoint somebody within the startup to lead on data protection strategy and monitor compliance.

5. Customer “consent” is not always a silver bullet

UK GDPR standard “consent” is difficult to achieve. Consent must be actively and freely given to be a valid basis for data processing: silence, pre-ticked boxes or inactivity do not count. The UK GDPR also states that where consent is given in a written declaration that also deals with other matters, the request for consent must be clearly distinguishable from those other matters and in an intelligible and accessible form. It must be as easy to withdraw consent as it is to give it, and if there is a clear imbalance between the parties, such as in an employment relationship, consent is unlikely to be regarded as freely given.

Fortunately, consent is only one of several valid conditions for processing personal data. Conducting an audit will enable you to identify the various types of personal data you need to process while running your startup and assist you to determine the most appropriate lawful basis.

Sometimes, consent is the only valid basis for processing. For example, you generally need UK GDPR standard consent to send e-mail marketing to individuals (the main exception being the PECR “soft opt-in” for existing customers who were given a chance to refuse) or to set non-essential cookies and similar trackers on visitors to your website (see our comments on the rules on electronic communications further below).

6. Publish your privacy notice and keep it up to date

Your customers have a right to receive information about their data and how it is handled by your startup. This includes information about what you collect and why, the lawful basis you rely on, who the data is shared with, how long it will be held for, and their rights. Your privacy notice should evolve with your business as it grows.

7. …and on the subject of data rights

Data subjects have a range of rights that they can exercise by contacting you, and you will need to respond without undue delay and in any event within one month (extendable by up to two further months where requests are complex or numerous, provided you tell the individual within the first month). Rights include the right to access data, rectify inaccurate data, erase data (known as the “right to be forgotten”), and the right not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects. There are also other rights including the right to object to processing (such as when a customer asks you to stop sending them e-mail marketing) and a right to data portability. The rights are usually not “absolute” rights and conditions generally need to be met depending on which right is being exercised.

Responding to rights requests is often complex and you should train your staff on how to recognise and handle them and to apply consistent principles when responding to them.

Startups should build their systems with “rights requests” in mind:

  • Will you be able to quickly and easily retrieve and compile personal data in response to an “access” request?
  • How will you ensure that personal data is deleted from multiple systems in response to an “erasure” request?
  • If you rely on “consent” to process data, what will you do when a customer withdraws their consent?

8. Privacy by design and default

Building an app or offering a new type of product or service? You should be considering data protection early in the design stage and embedding privacy protection into it. When you offer privacy settings or options to your customers, in most cases these should be set to the most private setting by default.

The UK GDPR requires startups to minimise the data they process by collecting only the data necessary for their purposes and only retaining that data for the period that they need it for and then deleting it. These data protection principles should be core to the design of new apps, products or services on offer.
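The design questions in sections 7 and 8 (retrieving a person’s data for an access request, erasing it from every system, honouring a withdrawal of consent, and keeping data no longer than needed) are far easier to answer if every store holding personal data is registered in one place. The following is an added example, not code from the original article: a small Python registry that ties a data map (purpose, lawful basis, retention period per store) to a per-subject index. The store names, field names and the customer “u1” are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any


@dataclass(frozen=True)
class StoreSpec:
    """One row of the data map: why a store holds personal data, on what basis, how long."""
    purpose: str
    lawful_basis: str      # "contract", "consent", "legal_obligation", ...
    retention_days: int


# Hypothetical data map for a small SaaS startup, constructed for this example.
DATA_MAP: dict[str, StoreSpec] = {
    "crm": StoreSpec("customer accounts and billing", "contract", 365 * 6),
    "analytics": StoreSpec("product usage tracking", "consent", 90),
    "support": StoreSpec("helpdesk tickets", "contract", 365 * 2),
}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # collection time of the sample data


@dataclass
class Registry:
    """All personal data is written through here: a per-subject index is kept, and a
    store missing from the data map cannot be used at all."""
    stores: dict[str, dict[str, dict[str, Any]]] = field(
        default_factory=lambda: {name: {} for name in DATA_MAP})
    index: dict[str, dict[str, set[str]]] = field(default_factory=dict)

    def collect(self, store, subject_id, record_id, data, collected_at):
        if store not in DATA_MAP:  # no documented purpose/basis/retention: refuse
            raise ValueError(f"store {store!r} is not in the data map")
        self.stores[store][record_id] = {**data, "_subject": subject_id, "_collected_at": collected_at}
        self.index.setdefault(subject_id, {}).setdefault(store, set()).add(record_id)

    def records_for(self, subject_id):
        """Scan the stores themselves, not the index, so erasure is verified independently."""
        return sorted((s, rid) for s, recs in self.stores.items()
                      for rid, rec in recs.items() if rec["_subject"] == subject_id)

    def access_request(self, subject_id):
        """Compile everything held about one person, with purpose, basis and retention."""
        out = {}
        for store, ids in self.index.get(subject_id, {}).items():
            spec = DATA_MAP[store]
            out[store] = {"purpose": spec.purpose, "lawful_basis": spec.lawful_basis,
                          "retention_days": spec.retention_days,
                          "records": {rid: {k: v for k, v in self.stores[store][rid].items()
                                            if not k.startswith("_")} for rid in sorted(ids)}}
        return out

    def _drop(self, subject_id, store):
        ids = self.index.get(subject_id, {}).pop(store, set())
        for rid in ids:
            self.stores[store].pop(rid, None)
        return len(ids)

    def erasure_request(self, subject_id):
        """Erase across every store, then prove nothing was left behind."""
        deleted = {s: self._drop(subject_id, s) for s in list(self.index.get(subject_id, {}))}
        self.index.pop(subject_id, None)
        if leftovers := self.records_for(subject_id):
            raise RuntimeError(f"erasure incomplete: {leftovers}")
        return deleted

    def withdraw_consent(self, subject_id):
        """Withdrawal ends consent-based processing only; other bases (e.g. contract) stay."""
        affected = sorted(s for s in self.index.get(subject_id, {})
                          if DATA_MAP[s].lawful_basis == "consent")
        for store in affected:
            self._drop(subject_id, store)
        return affected

    def retention_sweep(self, now):
        """Delete whatever has outlived its documented retention period."""
        purged = {}
        for store, spec in DATA_MAP.items():
            limit = now - timedelta(days=spec.retention_days)
            stale = [rid for rid, rec in self.stores[store].items() if rec["_collected_at"] < limit]
            for rid in stale:
                per_subject = self.index[self.stores[store].pop(rid)["_subject"]]
                per_subject[store].discard(rid)
                if not per_subject[store]:
                    del per_subject[store]
            purged[store] = len(stale)
        return purged


def demo():
    """Constructed sample data: one customer 'u1' present in all three stores."""
    reg = Registry()
    reg.collect("crm", "u1", "acct-1", {"email": "a@example.com"}, T0)
    reg.collect("analytics", "u1", "ev-1", {"page": "/pricing"}, T0)
    reg.collect("support", "u1", "tkt-1", {"subject": "login issue"}, T0)
    return reg
```

Two design choices carry the weight here. First, `collect` refuses any store that is not on the data map, so a new database cannot quietly start holding personal data without a documented purpose, lawful basis and retention period. Second, `erasure_request` checks its own work by scanning the stores rather than trusting the index it just cleared, which is the kind of independent verification you want before telling a customer their data is gone.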

9. Security and handling data breaches

Startups must notify personal data breaches to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to data subjects; where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. Every breach, notified or not, should be recorded in an internal breach log. You should give very careful thought to breach prevention and security and ensure that any breaches are handled in a speedy but careful way. Startups should raise awareness of data handling issues, train their staff on appropriate behaviour and ensure that staff know what they need to do in the event of a data breach and who to report security incidents to, bearing in mind that the 72-hour clock leaves little time for an escalation path to be worked out on the day.

10. Training your staff

Data protection compliance needs your whole team on board. Train management and the rest of your workforce on key topics such as data awareness, data security, subject access requests, and direct marketing rules.

The GDPR is not the end of the story…

The Privacy and Electronic Communications Regulations (“PECR”) sit alongside the GDPR and provide specific rules relating to electronic communications and the use of cookies or similar technologies. PECR are important to be aware of because startups of all shapes and sizes are likely to rely on electronic marketing to communicate with their customers and cookies are now entrenched in advertising and in consumer analytics. Familiarising yourself with the rules under PECR can avoid hefty fines as direct marketing breaches and unlawful behavioural profiling are frequently the target of data protection regulators.

Set yourself apart from your competition by protecting privacy

The world is turning its attention to data protection and privacy and your customers will be too. Those interested in investing in your business may also insist that you have your house in order when it comes to data protection compliance.

Show off and be proud of your privacy credentials and make them a core part of your startup.