Tight budgets and creative focus mean that start-ups sometimes bury their head in the sand when it comes to data privacy law. But the law applies to businesses of all sizes and nature: start-ups are not exempt.
The main source of data privacy law is the GDPR. This applies in both the EU and the UK – Brexit does not change this. Under the GDPR, protection of personal data is a fundamental right. Organisations need to treat personal data with the same importance they treat taxes and employee rights.
In short, your start-up must comply with the GDPR. So what do you need to know?
What is personal data?
In brief, any information from which a living person can be identified. This is a broad definition, and covers a lot of modern business-critical and valuable information, for example:
Do you use it?
It’s such a broad definition that it’s impossible to do modern business without it. Personal data may also have specific marketable value to start-ups, especially when trying to build a customer base.
What does that mean for you?
You have to comply with rules set out in the GDPR and other data privacy law.
What are those rules?
| Rule | Comment |
| --- | --- |
| Lawful use | Having a GDPR-recognised justification to collect and use personal data. |
| Use limits | Using the minimum personal data needed to carry out your lawful uses. |
| Transparency | Telling people when, how and why you use their personal data. |
| Sensitive data | Putting in place additional safeguards to use more private information. |
| Individual rights | Complying when people exercise statutory choices. |
| Data security | Taking physical and IT security measures to protect data in your hands. |
| Security breaches | Knowing how to recognise, and react to, an incident. |
| Prior assessments | Conducting additional documentary compliance for some riskier uses. |
| Data sharing | Specific terms need to be agreed depending on the type of recipient. |
| International transfers | Transferring personal data outside the EEA requires additional action. |
| Marketing | Email and phone marketing is not possible without prior consent. |
| Cookies | You need website users’ consent and must give them precise information. |
| Governance | Appointing an individual / team with sufficient expertise and influence. |
How do we comply with the rules?
Primarily through a combination of specific compliance documents, template contracts, organisational training and smart governance. It is important to acknowledge that you are bound under the GDPR to comply with these rules proactively.
What happens if we break the rules?
The consequences include:
What should we do?
The reality is that the GDPR and other data privacy law applies to your start-up. Take early and proactive steps to try to comply. European regulators look more favourably on organisations which have had a go at compliance but got it wrong than on those which have not tried at all. This can be the difference between a written warning and a damaging fine.
Remember in particular: compliance with GDPR and the viability of business development in a post-GDPR world are two important points that prospective investors now check as standard.
How can Greenwoods GRM help?
We have designed a series of advice products which help organisations of all sizes, financial resources and ages, such as:
To talk through any of these issues get in touch with Priya Thapar on +44 (0)20 3691 2063 or email pthapar@greenwoodsgrm.co.uk
Greenwoods Legal LLP is a Limited Liability Partnership, registered in England, registered number OC306912. Our registered office is Queens House, 55-56 Lincoln’s Inn Fields, London, WC2A 3LJ. A list of the members’ names is available for inspection at our offices in Peterborough, Cambridge and London. Authorised and regulated by the Solicitors Regulation Authority, SRA number 401162. Details of the Solicitors’ Codes of Conduct can be found at www.sra.org.uk. All instructions accepted by Greenwoods Legal LLP are subject to our current Terms of Business. VAT Reg No: 161 9287 89.