So long as you're confident you're treating data responsibly there should be no cause for alarm
GDPR isn’t aimed at startups
You've left it late, but there's plenty of time to start preparing for GDPR and it shouldn't be overwhelming
Here’s the good news! If you’re neither an ignoramus nor a sociopath there’s no need to be worried about GDPR.
Sound data protection principles will be the same today as they were yesterday and will be the same on 25th May 2018. If you weren’t worried about your company’s data protection before, why would you be worried now?
The regulation is merely an evolution of the previous Data Protection Act (DPA) and the new regulatory provisions are highly unlikely to be overwhelming for startup businesses.
In a nutshell, GDPR means that businesses need to be more accountable for data protection and, where they act irresponsibly, the repercussions will be bigger.
If the police wanted to improve road safety by increasing responsibility and fines, it wouldn't change my driving habits, nor would I have increased levels of anxiety about being pulled over. I'd still be driving down the motorway at around 79 mph (the National Police Chiefs' Council enforcement guideline). The Information Commissioner's Office (ICO) are responsible for policing data protection in the UK. They have neither the budget nor the inclination to be chasing 'people driving at or around 80mph'; they're after the truly irresponsible and those with malintent. Check out their recent Enforcement Cases, which read as a gallery of villains and idiots.
It's to be expected that startups with limited budgets and nascent operational processes will treat data imperfectly. I also have no doubt that there are plenty of startups executing aggressive strategies that skirt the boundaries of responsible data processing. What's important is that they don't act in complete ignorance, and that they employ policy and process commensurate with the breadth and depth of the personal data held and the nature of that data.
Here’s how not to be a GDPR ignoramus and some data protection hacks you should employ today:
Know the basics and act on them... read the ICO's excellent 12-step guide; it's a 10-minute read and covers all the basics. Get your legals sorted (Privacy Statement and Consent), document brief policies and procedures, train employees, and understand whether you need a data protection officer
Practise data minimisation... the less data you process in your business, the easier it is to manage and the less attractive you are to hackers. Only ever process personal data that's valuable and that you absolutely need
Transfer data risk to suppliers... avoid keeping any personal data in random spreadsheets in random places. Use trusted, reliable third-party software when you're confident that it follows good data protection principles and meets GDPR standards. Keep customer data within CRM software and keep your employees' personal data in HR software like CharlieHR**
Be able to prove that you've considered data protection risk... at Forward Partners we carried out a quick exercise to map the data that we collect, how we process it in the business, and what we do with it in the end. We then overlaid the data risks within our processes. Having documentation like this helps to meet GDPR's accountability principle and will be useful to have in the back pocket should the ICO ever come knocking (see example below)
*Processing data means collecting, storing, using... basically anything you do with it
** GDPR applies to employee and supplier data as well as customers and leads
Wired Article: What is GDPR?
Example Data Protection Workshop