The General Data Protection Regulation (GDPR) has been in effect for close to three years now. The ultimate goal of the regulation is to protect the personal data of EU residents and ensure their fundamental right to privacy. Businesses are still dealing with this mammoth of a privacy law. Big tech firms and conglomerates have a poor track record when it comes to compliance. But startups have a competitive edge.

Unlike large companies that have to make major structural and operational changes, startups can approach GDPR compliance faster and with more agility. GDPR mandates the concept of privacy by design. It is a framework where you embed privacy-friendly settings into products, services and all business practices at the outset. Startups, usually at an early stage of business, can build and implement privacy in their business model and get GDPR compliant easily.

Achieving data transparency and privacy-friendly policies from the get-go will save startups from regulatory scrutiny in a future that will see more and more global data privacy laws.

Is GDPR compliance for startups different?

No. GDPR applies to all organisations that process EU residents’ personal data, including third-party processors. It can likely give startups an edge in two cases:

  • Businesses with fewer than 250 employees do not have to maintain a data inventory or keep a record of data processing, unless the processing risks the rights of individuals, the processing is not occasional, or the processing involves special categories of data (sex, racial or ethnic origin, political opinions, or health). You can read the ICO guidelines, which include examples, to see if you fit the criteria.
  • Data Protection Officers (DPOs) need to be appointed when there is large scale processing of personal data. It is unusual for a startup to process sufficiently large amounts of data to require a DPO. However, if you are looking to scale up your business, you can consider appointing a DPO on an ad-hoc basis.

Taking GDPR head-on can look challenging at first. But, we have you covered. To have a full grasp of GDPR, read our ultimate guide to GDPR. For practical and actionable steps on GDPR compliance for startups, read on.

12 Steps to GDPR Compliance for Startups

1. Conduct data mapping

The first thing you need to do is data mapping. Categorize all the personal data you collect and assess if you process any sensitive categories of personal data. If you do, you have to put additional provisions in place. This includes acquiring parental consent, a Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).

Ensure that the data you store and process in places other than your website is taken into account. This could be your email marketing tools, analytic platforms like Google Analytics, Hotjar, CRM software like Salesforce, Freshworks, Hubspot, accounting software, or payroll tools etc. You can use the GDPR self-assessment tool by ICO which caters to small and mid-sized businesses.

A data inventory will be the stepping stone that will lead you to the next steps for GDPR compliance. You can identify the kinds of data you process, the format and location it is stored (the cloud, third parties), how it is shared internally and externally (third-party data transfers), who is accountable and who has access to this data etc.

2. Identify lawful basis for processing

Identify the lawful basis for processing every piece of personal data that you collect. GDPR provides for six legal bases for processing: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. 

It is crucial because GDPR requires businesses to document and inform users under their right to be informed. It also means you need to include these details in your privacy policy. You can use the ICO’s interactive guidance tool to help you decide which lawful basis is the most appropriate for your processing activities. 

The legal basis should also be demonstrable at all times i.e. a business must be able to show internally, to users, and to regulatory entities what legal basis it uses for processing data. Check out how Hubspot has integrated a feature that tracks the legal basis of processing all contacts’ data. CMS startup Contentful has detailed their legal basis for processing for each category of data they process.

3. Limit data collected via contact forms

Data minimization is a key principle in GDPR. It mandates that businesses collect data for specified purposes and also periodically review and delete unnecessary data. Broadly speaking, the less data you process in your business the easier it is to be compliant.  

Marketing and lead generation activities like forms and mailing lists are the most common ways businesses collect data. According to a consumer engagement survey, 84% of consumers said that they have decided against engaging with a business because it demanded too much of their personal information. It will be a good practice, GDPR or otherwise, to avoid forms that require a user to fill in a lot of personal data. 

Collect only the fields that you actually need for processing and that are relevant to your business purpose. For example, if a user is subscribing to your newsletter, the only personal information you need to collect is their email. Also note that the less data you hold, the easier it is to respond promptly to Data Subject Access Requests (DSAR) as required under GDPR.

4. Provide active opt-in forms

Under GDPR, consent should be free, specific and informed. So, your website contact forms need to reflect transparency. Don’t just collect data, justify why you are asking for a piece of particular information. In fact, a consumer survey by DMA shows that 62% of consumers in the UK feel more comfortable sharing their data with these privacy laws in place. 

Contact forms that invite users to subscribe should have a tick box or opt-in method. This is to ensure that the user has accepted the terms of using the website and how they agree to be contacted. 

Digital agency Cyber-Duck has a contact form that has a tooltip on each data field you fill in as well as email opt-in options for sending other marketing communications to a user. 

5. Keep mailing lists clean

If you have purchased mailing lists from third parties, ensure the user has given consent, or else you will be in violation of GDPR. It is advisable that you automatically unsubscribe users who have not given consent from your mailing list. 

For instance, if you use a marketing automation tool that sends out emails on behalf of your CRM, you could receive a penalty if it sends an automatic email to someone who has opted out. Pub chain Wetherspoons deleted their email database in order to avoid the risk of sending emails to users who may not have consented. 

Give subscribers the ability to manage their preferences, as well as to opt-out of emails. Take a look at how Buffer lets the user decide preferences before signing up. 

6. Use double opt-in for email marketing

If your website has a mailing list or subscription form, enable double opt-in. Double opt-in means that after the user provides their email, you send an email with a confirmation link that the user must click to finalize their subscription. 

The newsletter subscription of CookieYes uses a double opt-in method and also communicates the same with the user. 

GDPR does not mandate double opt-in, but it is a good way to demonstrate that the user has indeed given consent. It is also a good practice to have an unsubscribe option in the emails you send. Email marketing tools like Mailchimp, Hubspot, GetResponse, Constant Contact and Sendinblue have double opt-in features, as well as other features streamlined for GDPR compliance.
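A minimal sketch of the double opt-in flow described above, as an added example rather than code from CookieYes or any of the email tools named. The signing key, the 48-hour link lifetime and the consent-record fields are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: in production, load from a secret store
TTL_SECONDS = 48 * 3600           # assumption: confirmation links expire after 48 hours


def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Step 1: form submitted. The token goes into the emailed confirmation link."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"email": email.strip().lower(), "iat": issued},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def confirm(token: str, subscribers: dict, now: Optional[float] = None) -> bool:
    """Step 2: link clicked. Subscribe only if the token is authentic and fresh."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:  # malformed token or bad base64
        return False
    # Constant-time comparison; reject anything not signed with our key.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False
    claims = json.loads(body)
    if now - claims["iat"] > TTL_SECONDS:
        return False
    # Consent evidence: when it was requested, when it was confirmed, and how.
    subscribers.setdefault(claims["email"], {
        "requested_at": claims["iat"],
        "confirmed_at": int(now),
        "method": "double_opt_in",
    })
    return True
```

Nothing is added to the mailing list when the form is submitted; the address is stored only once the signed link comes back, and the stored record doubles as proof of consent.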

7. Use GDPR compliant CMS and plugins

Make sure that the CMS you use is GDPR compliant. Popular platforms like WordPress, Wix, Joomla, Squarespace etc. have GDPR compliance mechanisms in place. If your CMS platform does not support GDPR compliance, you may have to add custom code, extensions, plugins, or software that can help you get compliant.

Many WordPress marketplace plugins that are used on your website make use of personal data, and some use their own cookies. Be it your contact form, analytics plugins, SEO or backup and storage plugins, ensure that they are all GDPR compliant. Ensure that contact form plugins etc. don’t store the data submitted by the user in their database. In fact, using a GDPR compliance plugin can make the process faster. Also, make sure to list plugins used on your website in your privacy policy.

8. Store data in secure locations

Under GDPR, all data you collect should be either stored in the EU or subject to European privacy laws. Your business could be using cloud-based applications such as Salesforce, Dropbox, WeTransfer, Expensify, Workday, and more.

In fact, a Netskope Report says that even the smallest organizations use 258 cloud apps on average. So, you should be mindful of all the data your cloud services can access.

If you use large cloud vendors like Microsoft, AWS, and Google, you won’t have compliance issues as they have data centres around the globe. If you are using other SaaS cloud vendors, ensure that you meet the data sovereignty regulations of GDPR. Take a look at how UK mobility startup Gett details their data storage locations and how they comply, in their privacy policy. 

9. Offer data access and portability

The right to access personal data plays a key role in GDPR, as it also allows a user to exercise further rights such as rectification, data transfer and erasure. Data Subject Access Request (DSAR) forms are usually filed offline or via email, but they can be integrated on your website, as luxury bath brand Artize has done.

Under GDPR, users also have the right to receive their personal data and store it for further personal use i.e. data portability. Businesses that collect data should provide the user with the ability to download or transfer the data elsewhere. 

Make sure you have a system in place to provide a user with a downloadable file of their data if requested (use open formats such as CSV, XML, JSON). You should also be able to promptly erase a user’s personal data on request. 

10. Fine-tune your privacy policy

Update your privacy policy and make your data collection and processing transparent. The first step to a good privacy policy is to establish the identity, address and contact details of the data controller. You can also include details of your DPO (if you have appointed one).

Your privacy policy should specify the types of data you collect, what you use it for, the legal basis for collecting, how long you will store the data, your cookie usage policy, whether you transfer the data, and if you share it with third parties or plug-ins. German startup Pitch is a great example of how to practice complete transparency in your privacy policy.

Privacy policies can be long-winded and complex, but ensure that yours is written in simple and clear language. It is also a good practice to place the link to your privacy policy within the consent form, to make it easily accessible.

You can use a free privacy policy generator that will create a customized GDPR compliant privacy policy, exclusively for your business.

11. Create a cookie pop-up/banner 

Under GDPR, cookies can be considered personal data because they store enough data that can be used to identify an individual. So, you must obtain user consent before using any cookies except strictly necessary cookies. The user must have a choice so that the consent given is clear and specific. 

A standard practice is to show a cookie banner or pop-up when a user visits a website, allowing them to consent to or decline the use of cookies. You must also document and store the consent received from users as proof.

Cookie consent can be acquired only after you provide accurate and specific information about the data each cookie tracks and its purpose. You cannot have a default (pre-ticked) option and must require users to opt-in i.e. give explicit consent. Health tech startup Infermedica has a cookie banner that lists the type of cookies they use and an option to disable them.

Like Infermedica, you can use CookieYes to make your cookie consent mechanism granular and transparent. Check out how easily you can implement a CookieYes cookie consent banner on your website.

In case you are not providing granular details in your cookie banner, ensure that you link your cookie policy. Check out how EU startup Wunder Mobility lists all their cookies and their expiration period in their detailed cookie policy.

Also, make it easy and accessible for users to withdraw consent or change their cookie preferences at any time. If the user doesn’t give consent to certain cookies, you cannot place cookies on their browser. But, you have to allow the users to access your site as cookie walls are not permitted under GDPR.

12. Protect yourself from data breaches

Protect user data by encrypting it, restricting sharing, and minimising the amount of data you hold. With less data to steal, the risk of theft or data breach will be lower.

Keep all data secured in an encrypted environment. Consider serving your website over HTTPS so that all the user data is encrypted. A best practice recommended by the GDPR is to use either anonymization or pseudonymization.

Delete data that is no longer used, so that your database holds as little data as possible and no obsolete data. Conduct regular vulnerability scans on systems, devices, and networks to identify potential security gaps.

It’s also important that you set up internal guidelines for data breach reporting, in the event of a data breach. You have to contact the data protection authority within 72 hours of becoming aware of the breach. You also have to be prepared to notify all customers that may have been affected as soon as possible.


GDPR compliance isn’t the easiest task. But if you adopt the steps in this checklist, you will be heading in the right direction towards complete GDPR compliance for your startup. If you are looking for a cookie consent solution that will help set your GDPR compliance in motion, sign up to CookieYes today!

If you want to get more familiar with GDPR compliance, here are a few articles and free tools:

Free Cookie Checker for Websites

Free Privacy Policy Generator

GDPR Fines: What Happens If You Fail To Comply