
GDPR Primer For Startups

Will Herrmann

Chief Financial Officer

General Data Protection Regulation (GDPR) is Europe’s new framework for data protection law. It will come into force in May and there are increasing levels of anxiety around Old Street, with startup businesses grasping to understand what it means for them.

Key takeaways

  • So long as you’re confident you’re treating data responsibly there should be no cause for alarm

  • GDPR isn’t aimed at startups

  • You’ve left it late but there’s plenty of time to start preparing for GDPR and it shouldn’t be overwhelming

Here’s the good news! If you’re neither an ignoramus nor a sociopath there’s no need to be worried about GDPR.

Sound data protection principles will be the same today as they were yesterday and will be the same on 25th May 2018. If you weren’t worried about your company’s data protection before, why would you be worried now?

The regulation is merely an evolution of the previous Data Protection Act (DPA) and the new regulatory provisions are highly unlikely to be overwhelming for startup businesses.

In a nutshell, GDPR means that businesses need to be more accountable for data protection and, where they act irresponsibly, the repercussions will be bigger.

If the police wanted to improve road safety by increasing responsibility and fines, it wouldn’t change my driving habits and nor would I have increased levels of anxiety about being pulled over. I’d still be driving down the motorway at around 79 mph (the National Police Chiefs’ Council enforcement guideline). The Information Commissioner’s Office (ICO) is responsible for policing data protection in the UK. They have neither the budget nor the inclination to be chasing ‘people driving in or around 80mph’; they’re after the truly irresponsible and those with malintent. Check out their recent Enforcement Cases; it reads as a gallery of villains and idiots.

It’s to be expected that startups with limited budgets and nascent operational processes will treat data imperfectly. I also have no doubt that there are plenty of startups executing aggressive strategies that skirt the boundaries of responsible data processing. What’s important is that they don’t act in complete ignorance and employ policy and process commensurate to the breadth and depth of the personal data held and the nature of that data.

Here’s how not to be a GDPR ignoramus and some data protection hacks you should employ today:

  1. Know the basics and act on them... read the ICO’s excellent 12 step guide - It’s a 10 minute read and covers all the basics. Get your legals sorted (Privacy Statement & Consent), document brief policies and procedures, train employees, understand if you need a data protection officer

  2. Practise data minimisation… the less data you process in your business, the easier it is to manage and the less attractive you are to hackers. Only ever process personal data that’s valuable and that you absolutely need

  3. Transfer data risk to suppliers… avoid keeping any personal data within random spreadsheets in random places. Use trusted, reliable 3rd party software when you’re confident they follow good data protection principles and meet GDPR standards. Keep customer data within CRM software and keep your employees’ personal data in HR software like CharlieHR**

  4. Be able to prove that you’ve considered data protection risk… at Forward Partners we carried out a quick exercise to map the data that we collect, how we process it in the business, and what we do with it in the end. We then overlaid the data risks within our processes. Having documentation like this helps to meet the GDPR’s accountability principle and will be useful to have in the back pocket should the ICO ever come knocking (see example below)


*processing data means collecting, storing, using, basically anything

** GDPR applies to employee and supplier data as well as customers and leads


Further Reading:

Wired Article: What is GDPR?

The ICO’s Guide to the General Data Protection Regulation (GDPR)

Example Data Protection Workshop

Will Herrmann

Chief Financial Officer

Will spent nearly 10 years working as a business consultant with Accenture before pivoting his training in project management towards finance and operations leadership roles within the world of startup. He made the move with as their Finance Director & Head of Business Operations, where he went on their journey of significant growth and exit. His background means that he is passionate about making sure that finance and business operations are in a state of utter control whilst within a culture of continuous improvement.
