The General Data Protection Regulation (GDPR) has been in effect for close to three years now. Its ultimate goal is to protect the personal data of EU residents and uphold their fundamental right to privacy. Businesses are still coming to grips with this mammoth of a privacy law, and big tech firms and conglomerates have a poor track record on compliance. Startups, however, have a competitive edge.
Unlike large companies, which have to make major structural and operational changes, startups can get to GDPR compliance faster and more flexibly. GDPR mandates privacy by design (Article 25, "data protection by design and by default"): privacy-protective settings and practices are built into products, services and business processes from the outset rather than bolted on later. A startup at an early stage can build privacy into its business model and become compliant with far less effort than an incumbent.
Achieving data transparency and privacy-friendly policies from the get-go will save startups from regulatory scrutiny in a future that will see more and more global data privacy laws.
Is GDPR compliance for startups different?
No. GDPR applies to every organisation that processes EU residents' personal data, including third-party processors, whatever its size. Two provisions do, however, work in a startup's favour:
- Organisations with fewer than 250 employees do not have to keep a record of processing activities (Article 30) unless the processing is likely to result in a risk to individuals' rights, is not occasional, or involves special categories of data (such as racial or ethnic origin, political opinions, religious beliefs, health, or sex life or sexual orientation) or criminal convictions. Note that the "not occasional" condition catches routine processing of customer and employee data, so most startups still need records for at least those activities; the ICO guidelines give worked examples to check whether you fit the exemption.
- A Data Protection Officer (DPO) must be appointed only when your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data. It is unusual for an early-stage startup to reach that threshold. If you expect to scale up, you can appoint an external DPO on a part-time or ad hoc basis rather than hiring one in-house.
Taking GDPR head-on can look challenging at first. But we have you covered. To get a full grasp of GDPR, read our ultimate guide to GDPR. For practical and actionable steps on GDPR compliance for startups, read on.
12 Steps to GDPR Compliance for Startups
1. Conduct data mapping
Categorise all the personal data you collect and check whether any of it falls into the special categories, or belongs to children. If it does, additional provisions apply: for example, obtaining parental consent for children's data, carrying out a Data Protection Impact Assessment (DPIA), or appointing a Data Protection Officer (DPO).
Make sure data you store and process outside your website is included. This covers email marketing tools, analytics platforms like Google Analytics and Hotjar, CRM software like Salesforce, Freshworks and HubSpot, accounting software, payroll tools and so on. The ICO's GDPR self-assessment tool, aimed at small and mid-sized businesses, can help here.
A data inventory is the stepping stone to every later step of GDPR compliance. It tells you the kinds of data you process, the format and location in which it is stored (the cloud, third parties), how it is shared internally and externally (third-party data transfers), who is accountable for it and who has access to it.
2. Identify lawful basis for processing
Identify the lawful basis for processing every piece of personal data you collect. GDPR provides six lawful bases (Article 6): consent, performance of a contract, legitimate interests, vital interests, a legal obligation, and a public task.
The lawful basis must be demonstrable at all times: a business must be able to show internally, to users and to regulators which basis it relies on for each processing activity. Decide and document it before processing starts, since switching to a different basis later is hard to justify. HubSpot, for example, has a feature that records the lawful basis for processing each contact's data, and CMS startup Contentful details its lawful basis for each category of data it processes.
3. Limit data collected via contact forms
Data minimisation is a key GDPR principle: personal data must be adequate, relevant and limited to what is necessary for the purpose it was collected for. Together with the storage limitation principle, this means periodically reviewing what you hold and deleting what you no longer need. Broadly speaking, the less data you process, the easier compliance becomes.
Marketing and lead generation activities such as forms and mailing lists are the most common ways businesses collect data. According to a consumer engagement survey, 84% of consumers said they have decided against engaging with a business because it demanded too much of their personal information. It is good practice, GDPR or otherwise, to avoid forms that ask a user for a lot of personal data.
Collect only the fields you actually need for the stated purpose. If a user is subscribing to your newsletter, the only personal information you need is their email address. The less data you hold, the easier it also is to respond promptly to Data Subject Access Requests (DSARs), which GDPR requires you to answer.
4. Provide active opt-in forms
Under GDPR, consent must be freely given, specific, informed and unambiguous, so your website forms need to be transparent: don't just collect data, explain why you are asking for each piece of information. A DMA consumer survey found that 62% of UK consumers feel more comfortable sharing their data with these privacy laws in place.
Forms that invite users to subscribe should have an unticked tick box or another active opt-in. Keep the marketing opt-in separate from acceptance of the website's terms: consent bundled with terms of service is not freely given, and the user should be able to see exactly how they have agreed to be contacted.
Digital agency Cyber-Duck has a contact form that has a tooltip on each data field you fill in as well as email opt-in options for sending other marketing communications to a user.
5. Keep mailing lists clean
If you have purchased mailing lists from third parties, make sure each contact gave consent that specifically covers marketing from your business; consent given to the list seller alone does not transfer to you, and emailing without it violates GDPR. Remove contacts whose consent you cannot evidence from your mailing list.
For instance, if a marketing automation tool sends emails on behalf of your CRM, you could receive a penalty if it automatically emails someone who has opted out. Pub chain Wetherspoons deleted its entire email database to avoid the risk of emailing users who may not have consented.
Give subscribers the ability to manage their preferences as well as to opt out of emails entirely. Take a look at how Buffer lets users set their preferences before signing up.
6. Use double opt-in for email marketing
If your website has a mailing list or subscription form, enable double opt-in. Double opt-in means that after the user submits their email address, you send a message with a confirmation link that the user must click to complete the subscription; the address is not added to the list until then.
The CookieYes newsletter uses double opt-in and tells the user so at sign-up.
GDPR does not mandate double opt-in, but it gives you a record that the owner of the address actually asked to be subscribed, which is exactly what you need to demonstrate consent. Every marketing email you send must also carry a working unsubscribe link. Email marketing tools like Mailchimp, HubSpot, GetResponse, Constant Contact and Sendinblue offer double opt-in along with other features built for GDPR compliance.
7. Use GDPR-compliant CMS and plugins
No CMS is compliant on its own, but popular platforms like WordPress, Wix, Joomla and Squarespace provide mechanisms (consent tooling, data export and erasure for user accounts, privacy policy templates) that help you comply. If your CMS lacks them, you may have to add custom code, extensions or plugins; remember that any plugin that sends user data to a third party belongs in your data map.
8. Store data in secure locations
GDPR does not require personal data to stay in the EU, but it does restrict where it can go: personal data may leave the EEA only to countries covered by an adequacy decision or under appropriate safeguards such as Standard Contractual Clauses, and the recipient remains bound to GDPR standards. Your business is probably using cloud-based applications such as Salesforce, Dropbox, WeTransfer, Expensify and Workday; check where each of them stores and processes data and on what basis.
A Netskope report says that even the smallest organisations use 258 cloud apps on average, so be mindful of all the personal data your cloud services can access, and cover each of them with a data processing agreement.
9. Offer data access and portability
The right of access plays a key role in GDPR, as it allows a user to go on to exercise further rights such as rectification, portability and erasure. Data Subject Access Requests (DSARs) are usually submitted by email or post, but a request form can be integrated into your website, as luxury bath brand Artize has done.
Under GDPR, users also have the right to data portability: to receive the personal data they provided in a structured, commonly used and machine-readable format and, where technically feasible, have it transmitted to another controller. Businesses that collect data should let users download or transfer it.
Make sure you have a system in place to give a user a downloadable file of their data on request, in an open format such as CSV, XML or JSON, and to erase their personal data on request. GDPR gives you one month to respond to these requests (extendable by two further months for complex requests), so the process should exist before the first request arrives.
11. Create a cookie pop-up/banner
Cookie identifiers count as personal data under GDPR when they can be used to single out an individual, and the ePrivacy rules require consent before any cookie that is not strictly necessary is stored on a user's device; GDPR sets the standard that consent must meet. The user must have a genuine choice so that the consent given is clear and specific.
Cookie consent can be obtained only after you provide accurate and specific information about what each cookie tracks and its purpose. You cannot use pre-ticked boxes or treat continued browsing as agreement; users must actively opt in. Health tech startup Infermedica has a cookie banner that lists the types of cookies it uses with an option to disable them.
Also make it easy for users to withdraw consent or change their cookie preferences at any time, and honour a refusal: if the user does not consent to a category of cookies, none of those cookies may be set in their browser. You still have to let users access your site, as cookie walls (blocking access until the user accepts) are not permitted under GDPR.
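The consent logic behind such a banner, as an added example that is not Infermedica's or CookieYes's code: nothing non-essential is pre-ticked or loaded until a valid consent record exists, a consent given under an older cookie policy is not reused, and withdrawal removes the cookies the refused category had set. The `jar` interface abstracts the browser cookie store so the logic runs outside a browser (in a page you would back it with `document.cookie`); the category names, the tag registry, the script URLs and the policy version are assumptions for the example.

```javascript
// Added example, not CookieYes or Infermedica code: gating non-essential
// cookies and scripts on explicit, revocable consent. Assumes Node.js or a
// browser; `jar` wraps the cookie store so the logic is testable anywhere.
const POLICY_VERSION = 2;          // bump whenever the cookie list or purposes change
const CONSENT_COOKIE = 'cookie_consent';

// Which cookies each non-essential script sets, as listed in the banner.
// Strictly necessary cookies (session, CSRF) are not in this table: they
// need no consent and are never blocked. Names and URLs are placeholders.
const TAGS = {
  analytics: { script: 'https://analytics.example/tag.js', cookies: ['_ga', '_gid'] },
  marketing: { script: 'https://ads.example/pixel.js',    cookies: ['_fbp'] },
};

// Default state: nothing pre-ticked, nothing non-essential loaded.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    // Consent given under an older policy does not cover the new purposes.
    if (rec.version !== POLICY_VERSION) return null;
    return rec;
  } catch { return null; }
}

// Called when the user clicks "Accept selected" / "Reject all" / "Accept all".
// `choices` comes from checkboxes that are unchecked by default.
function saveConsent(jar, choices, now = Date.now()) {
  const rec = {
    version: POLICY_VERSION,
    givenAt: new Date(now).toISOString(),      // evidence of when consent was given
    categories: { ...defaultConsent(), ...choices, necessary: true },
  };
  jar.set(CONSENT_COOKIE, JSON.stringify(rec), { maxAge: 180 * 24 * 3600, sameSite: 'Lax' });
  return rec;
}

// Decide what may run on this page load. With no valid record only strictly
// necessary functionality runs and the banner is shown; the site itself is
// never blocked (no cookie wall).
function applyConsent(jar) {
  const rec = readConsent(jar);
  const cats = rec ? rec.categories : defaultConsent();
  const scripts = Object.entries(TAGS)
    .filter(([cat]) => cats[cat] === true)
    .map(([, t]) => t.script);
  return { showBanner: rec === null, categories: cats, scripts };
}

// Withdrawal must be as easy as giving consent: one call updates the record
// and deletes the cookies the now-refused categories had already set.
function withdrawConsent(jar, categoriesToDrop, now = Date.now()) {
  const rec = readConsent(jar);
  const current = rec ? { ...rec.categories } : defaultConsent();
  for (const cat of categoriesToDrop) {
    current[cat] = false;
    for (const name of TAGS[cat]?.cookies ?? []) jar.remove(name);
  }
  return saveConsent(jar, current, now);
}

// Minimal in-memory stand-in for document.cookie (constructed for the example).
function memoryJar() {
  const store = new Map();
  return {
    get: (k) => store.get(k) ?? null,
    set: (k, v) => store.set(k, v),
    remove: (k) => store.delete(k),
    names: () => [...store.keys()],
  };
}
```

The part most often got wrong in practice is the last one: a "withdraw" button that flips a flag but leaves the analytics and advertising cookies in place, so the next page load still carries the identifiers. Deleting them by name, from the same list the banner shows, is what makes the withdrawal real.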
12. Protect yourself from data breaches
Protect user data by encrypting it, restricting who it is shared with and minimising the amount you hold. With less data to steal, the impact of a breach is smaller.
Serve your website over HTTPS so that data is encrypted in transit, and encrypt stored data at rest. GDPR specifically names pseudonymisation and encryption as appropriate security measures (Article 32). Pseudonymised data is still personal data and remains in scope; only truly anonymised data, which cannot be linked back to an individual, falls outside the regulation.
Delete data that is no longer used, including obsolete records, to reduce what a breach can expose. Conduct regular vulnerability scans of your systems, devices and networks to identify security gaps, and limit access to personal data to the staff who need it.
Set up internal guidelines for handling and reporting a data breach before one happens. You must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and where the breach is likely to result in a high risk to them you must also tell the affected individuals without undue delay. Keep a log of every breach, including those you decide not to report.
GDPR compliance isn't the easiest task, but if you adopt the steps in this checklist you will be heading in the right direction for your startup. If you are looking for a cookie consent solution to set your GDPR compliance in motion, sign up to CookieYes today!
If you want to get more familiar with GDPR compliance, here are a few articles and free tools: