Practical GDPR advice for start-ups

May 25 is the enforcement day for GDPR – the General Data Protection Regulation – the EU-wide privacy law that will forever change the way companies handle customer information. But how ready are you?


The GDPR is an attempt to strengthen, harmonise, and modernise EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.


As May 25 gets closer, there are still lots of businesses out there that aren’t clear on what they need to do in readiness for the deadline. While there are plenty of warnings and plenty of information out there about the impending GDPR, there doesn’t seem to be much guidance on what this actually means for startups and scale-ups.


While GDPR encompasses all aspects of the handling of consumer data, its effect on company mailing lists and people giving consent through ‘opt-in’ check boxes has been the topic most widely discussed with regards to small businesses and start-ups.


Many firms will have gone through this process before as they built up lists of people who have already opted in. However, under the new rules, firms will need to put everyone back through the sign-up process, as the format will need to change to become GDPR compliant.


As an example, Manchester United has asked its email subscribers for consent in order to continue sending them one-to-one marketing from the club. Its opt-in campaign is titled ‘Stay United’ and uses the club’s top players to explain the benefits of consenting to receive marketing.


In an effort to encourage people to check their marketing preferences, an incentive was included in the campaign. Supporters who opted in or out by December 31 2017 were entered into a prize draw with a chance to win one of 10 signed shirts.


Michael Piddock, founder of Glisser, an event technology product that helps engage audiences and gather data in a GDPR-ready way, says: “I’ve heard of businesses halving their mailing lists in one fell swoop, and some others even starting from scratch. However, we’re seeing our own website visitors opting IN for (useful) content, rather than out, at a ratio of ten to one. So if you’re providing great content, rather than just spam, you ought to be able to maintain or build up a solid, and willing, database.”


While companies shouldn’t attempt to fool their customers, they can be imaginative about combining opt-ins with promotions.


Michael adds: “It has to be a proactive opt in – so no sneaky pre-filled tick boxes in reams of Terms & Conditions. It’s much harder to ‘game’, so those companies which people like, admire, respect or find useful will find it easier than those that have relied on accidental opt-ins.


“Saying that, however, sometimes email marketing works because you receive something at the right time, despite ignoring the thousand similar emails before that one. I guess the job of the marketer here is to convince me to stay on the list, just in case. My recommendation is to combine the opt-in with something of value – a useful report, special offer, etc. But just don’t make the valuable thing dependent on me signing up!”


The new GDPR is arguably the most significant change in global privacy law in a generation and businesses must shore up their cyber-security processes and procedures to avoid facing financial penalties.


Every organisation that processes personal data will need to make sure that this data is properly safeguarded against loss, theft, unauthorised access, etc.


Using double opt-in in email marketing is a good way to ensure compliance regarding consent under GDPR. This means individuals need to confirm their email address before being added to your email list and receiving email communication from you. It is a second confirmation of their subscription to your newsletter or to any service that needs their email details, and it gives you a record of when and how that consent was given.


Arvi Virdee, co-founder of Fileom, which helps organisations reach GDPR compliance with a range of services including a compliance ‘gap analysis’, staff training and technology impact analyses, says GDPR cannot be treated as a ‘box ticking’ exercise like some staff think of health and safety and diversity.


GDPR is truly transformational for businesses of all sizes, and every department, business unit or branch within an organisation will be impacted.


GDPR is not just for the legal team, or the tech team – it’s for everyone in the organisation. Here is some practical advice that every small business and start-up should take into account as May 25 draws in…


Changes in administration and HR

Administrators will have to update all their policies and procedures to reflect GDPR requirements, as well as create new policies, such as a Data Subject Access Rights Procedure, a Data Retention Policy, and a Data Breach Escalation Procedure and Checklist.


Arvi says: “It is well publicised that employment contracts have to be updated to meet GDPR requirements, but administrators also have the responsibility to train all staff on GDPR and update staff induction plans.


“In addition, they need to keep records of all staff training and provide refresher training, as GDPR evolves over time. An obvious practical question comes to mind – who is going to carry out the training?”


Updates in sales and marketing

Organisations that use direct email marketing tools need to consider a number of factors, according to Arvi.


  • Where did they get their data from (e.g., was it bought)? Has the data been collected over many years, and does it consist of many unresponsive contacts?
  • Either way, do they have consent to contact the data subjects on the database? After May 25 consent is required before marketing contact can be made, though different rules apply depending on whether the data is B2B or B2C. Also, any contact you make has to be specific to the interests expressed by the data subject – that is, if a data subject enquires about Product A, you have to be careful about sending them marketing about Service C. A similar thing applies to business cards – they should be used only for the purposes requested or discussed on receipt of the card.
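The double opt-in flow described earlier and the purpose-specific consent this list calls for can be implemented together: a sign-up creates a pending record, a confirmation link carries a signed, time-limited, single-use token, and only a confirmed record for a named purpose allows a contact. The code below is an added example written for this article, not code from Glisser, Fileom or any mailing-list product; the token format, the 48-hour expiry, the HMAC key, the `ConsentRecord` fields and the sample addresses are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

# Constructed key for this example only; a real deployment loads it from a secrets store.
SECRET_KEY = b"example-only-secret-key-change-me"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after two days (assumption)


@dataclass
class ConsentRecord:
    """Evidence of consent: who, for which purposes, when requested, when confirmed."""
    email: str
    purposes: FrozenSet[str]
    requested_at: int
    confirmed_at: Optional[int] = None


class DoubleOptIn:
    def __init__(self, secret: bytes = SECRET_KEY, ttl: int = TOKEN_TTL_SECONDS,
                 now: Callable[[], float] = time.time):
        self._secret = secret
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be exercised in tests
        self._pending: Dict[str, ConsentRecord] = {}    # token_id -> awaiting confirmation
        self.subscribers: Dict[str, ConsentRecord] = {}  # email -> confirmed consent

    def _sign(self, token_id: str, email: str, expires: int) -> str:
        # Bind the signature to the token id, the address and the expiry so none can be altered.
        msg = f"{token_id}|{email}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, email: str, purposes: Iterable[str]) -> str:
        """Step 1: the person signs up. Returns the token to embed in the confirmation link."""
        wanted = frozenset(p.strip().lower() for p in purposes if p.strip())
        if not wanted:
            # Consent must be for something specific; a blanket "everything" is not recorded.
            raise ValueError("consent must name at least one specific purpose")
        email = email.strip().lower()
        issued = int(self._now())
        expires = issued + self._ttl
        token_id = secrets.token_urlsafe(16)
        self._pending[token_id] = ConsentRecord(email, wanted, issued)
        return f"{token_id}.{expires}.{self._sign(token_id, email, expires)}"

    def confirm(self, token: str) -> ConsentRecord:
        """Step 2: the person clicks the link. Only now does the address join the list."""
        try:
            token_id, expires_s, sig = token.split(".")
            expires = int(expires_s)
        except ValueError:
            raise ValueError("malformed token") from None
        record = self._pending.get(token_id)
        if record is None:
            raise ValueError("unknown or already used token")
        if not hmac.compare_digest(sig, self._sign(token_id, record.email, expires)):
            raise ValueError("bad signature")  # tampered expiry, id or address
        if self._now() > expires:
            del self._pending[token_id]
            raise ValueError("token expired; the subscriber must sign up again")
        del self._pending[token_id]  # single use: a replayed link does nothing
        record.confirmed_at = int(self._now())
        self.subscribers[record.email] = record
        return record

    def may_contact(self, email: str, purpose: str) -> bool:
        """True only if this address gave confirmed consent for this specific purpose."""
        rec = self.subscribers.get(email.strip().lower())
        return (rec is not None and rec.confirmed_at is not None
                and purpose.strip().lower() in rec.purposes)


if __name__ == "__main__":
    flow = DoubleOptIn()
    # Constructed sample sign-up: interest expressed in Product A only.
    link_token = flow.request("alice@example.com", ["product a updates"])
    print("send confirmation link containing:", link_token)
    flow.confirm(link_token)
    print("Product A mail allowed:", flow.may_contact("alice@example.com", "product a updates"))
    print("Service C mail allowed:", flow.may_contact("alice@example.com", "service c offers"))
```

The confirmed `ConsentRecord` (address, purposes, request and confirmation timestamps) is the evidence to keep; add the confirming IP address or user agent if your retention policy allows it. Because the token is signed and single use, a forwarded or replayed link cannot subscribe someone else or re-confirm a withdrawn consent.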


How does GDPR impact operations?

“When dealing with suppliers (or for clients and suppliers) with whom PII data is exchanged, operations teams have to become familiar with the concept of ‘controllers’, ‘processors’ and ‘sub-processors’ within a given supply chain,” Arvi notes.


“This is important because GDPR has introduced the concept of joint liability – that is, if a data breach takes place anywhere along the supply chain, each ‘link’ in the chain may be liable. This is why organisations should only work with others that are GDPR compliant.


“The way of ensuring this is to have strict contract clauses between any two parties that exchange personal data. Additional rules apply if data is to be transferred outside of the EEA countries into so called ‘third countries’.”


For the technology team

Different IT teams will have different responsibilities under GDPR. For example, the network team will need to ensure that the security of data is paramount; the development team may need to carry out Data Protection Impact Assessments (DPIAs) for ongoing projects; the applications team will have to deliver on ‘right to information’ or ‘right to be forgotten’ requests from data subjects.


Small and medium-sized enterprises (SMEs) that don’t have their own technology are not exempt, according to Arvi. Instead, they need to audit all the systems they use (cloud-based or on-premises office software, CRM, marketing tools, social media platforms, back-office systems, payroll, etc.) and understand the flow of personal data.


All staff: listen up!

Everyone in every firm needs to be aware of the transfer of files. It is common to send contracts, guest lists and employee reports, for example, to third parties as attachments by email, Arvi states.


However, standard email systems like Outlook and Gmail do not send files securely (i.e., encrypted) and can be read like a postcard, Virdee warns.


“While it’s fine to transfer large graphics and photos via tools such as Dropbox and WeTransfer, these tools do not require the control and audit tracking required in the transfer of personal data under GDPR.”


Arvi adds: “Businesses should look for a secure file transfer system if they send personal data via email on a regular basis.


“GDPR is happening – don’t be in denial. Think of it as an opportunity that can give you a competitive advantage. Start with a full audit of your personal data, such as client, customer, employee and associate, and ask yourself where it comes from and what you do with it. There are many ‘checklists’ on the internet – find one that works for you and follow it… or seek professional support.”


Disclaimer: GDPR is a complex beast and can have a significant impact on the future of a small business or start-up. At GrowthMinds, we aim to give you some practical guidance, but it’s always worth seeking professional advice.