Start-ups aren’t much different than any other organisation, so there’s no special way they should prepare for the EU General Data Protection Regulation (GDPR). However, start-ups typically don’t have the experience that comes with an established company, which has led to many of them expressing uncertainty about how to implement the Regulation’s requirements.
To help start-ups understand how they can prepare for the GDPR, we’ve collated some first-hand advice from senior staff at several start-ups.
Understand what you’re doing with personal data
James Clark, a data protection and privacy lawyer at DLA Piper, told Tech North: “You need to understand what you’re doing with personal data, so you need to do some kind of data-mapping exercise. Look at activities across the business – both internal and customer-facing. Look at what data you collect, how you’re using data, and who has access to it.
“Once you understand that, you can look for weak spots. For example, there might be areas where you collect more data than you need.”
He added: “Look at what data you collect, draft effective notices, and look at your data security and access rights. These are good, common sense things you can do for yourself.”
Implement other cyber security frameworks
Ben Gateley, the co-founder and chief operating officer (COO) of CharlieHR, told TechWorld: “We’re lucky in the sense that we’ve been on a bit of a journey over the last year and a half with regards to general data security and information security.
“We have done our Cyber Essentials, we’ve done our IASME Gold and we’ve finished off by doing our ISO 27001 and the beauty of those three standards and the controls […] is that from my perspective that’s meant that just at the starting gates we’re probably 60–70 percent compliant with regards to GDPR. It’s meant that from our point of view it’s not been the most laborious task doing the rest of it.”
Perform internal audits
Juan Lagrange, the co-founder of Sunlight, a UK-based start-up that offers employee learning and development platforms, said: “One of the things that GDPR introduces is that you are responsible for the data and all the time that is being used and who you send it to. So part of the process has been not only doing an internal audit ourselves, but also having to audit each of our providers.”
Sunlight uses Amazon Web Services to run its infrastructure, SendGrid for its emails and several other companies for its analytics. These companies all need to process Sunlight’s data appropriately and fulfil any relevant data subject rights, such as deleting or moving personal data.
Want to learn more about implementing the GDPR?
Our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course is the perfect introduction to the GDPR and the requirements you need to meet.
This one-day course is delivered by an experienced data protection practitioner, and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance and those with a basic knowledge of data protection who want to develop their career.