This article looks at the wider implications of the General Data Protection Regulation (GDPR), how SMEs are affected and sets out a short term compliance plan for startups seeking to prioritise before 25 May 2018.

With a tight budget, and a daunting implementation date drawing near, it would be easy for a small business to bury its head in the sand and hope the GDPR doesn’t apply to them. In fact, a common misconception among startups is that the GDPR only applies to businesses with 250 employees or more. While the GDPR has a broad scope, and does indeed apply to businesses of any size (including startups), now is not the time to panic.

What is the GDPR and are SMEs affected?

The GDPR is a new European Union Regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It replaces the old law (Directive 95/46/EC) in place since 1995. The GDPR aims to protect individuals regarding the processing of their personal data. It also changes the way companies access, acquire, use, share, store and provide individuals with access to their personal data. Crucially, it also requires accountability – being able to demonstrate compliance.

The GDPR applies to processing carried out by organisations operating within the EU; and organisations outside the EU that offer goods or services to individuals in the EU. Fines for non-compliance can reach up to €20 million or 4% of global turnover, whichever is the higher. A hefty fine for non-compliance could easily pose a threat to a startup's survival, both financially and in terms of reputation.

Are you a processor or a controller and why is this distinction important?

"Processing" personal data doesn’t automatically make you a "processor". Businesses can either be a controller or a processor depending on what they do with the data (and not just based on their opinion).

A controller determines the purposes and means of processing personal data whereas a processor is responsible for processing personal data on behalf of the controller. In simple terms, the controller makes the decisions and the processor acts on controller instructions. This distinction determines the obligations that apply to the business under the GDPR. Our Global Data Hub sets out the compliance obligations for controllers and processors in a helpful table.

What are the advantages of being an SME in the GDPR era?

Depending on what stage of the startup process you are at, you may well be an SME (fewer than 250 employees). You may be relieved from some of the GDPR compliance burden.

  • SMEs do not have to keep a record of data processing unless their processing results in a risk to the rights and freedoms of data subjects (e.g. ad-tech businesses fall within the scope of high risk), the processing is not occasional or the processing includes special categories of data (i.e. racial/ethnic origins, political opinions, etc.).
  • Broadly speaking, Data Protection Officers (DPOs) should be appointed where there is large scale processing of personal data. It would be unusual for an SME to process sufficiently large amounts of data to require a DPO but you should conduct the assessment for the purpose of your internal records in any event.

There is more good news news: startups and SMEs can use the GDPR to their benefit. The concept of privacy by design, i.e. building privacy friendly settings into products and services at the outset, is not new. The GDPR takes it a stage further though by making it a legal requirement. startups are generally more agile and their infrastructure and product or service development is normally in the early stages. This allows them to build privacy into their model a lot earlier on than many of their larger competitors.

With that in mind, small businesses and startups can build in appropriate consent mechanisms and marketing practices into their day to day routine. Staff can be trained early on in relation to the GDPR, creating a cultural shift that has a positive impact on compliance.

The GDPR also requires that businesses put in place appropriate technical and security measures. Again, it's much easier for a small business or startup to reinforce its security strategy and solutions compared to a large scale, established business.

Short Term GDPR-compliant activities to complete (before 25 May 2018)

We've put together a short term plan to focus your efforts on the key risk areas of GDPR compliance. While this isn't comprehensive, and the earliest remediation of compliance gaps is recommended, it should provide a useful starting point for building a GDPR plan of action:

  • Get to know your business' data flows – what data comes in and what goes out (think about every aspect, from your suppliers and vendors, to your customers and website);
  • Draw a diagram to help explain the various data flows to a regulator (whether or not you are required to maintain GDPR-standard records of your processing, you should have some sort of documentation about the data you process);
  • Confirm whether you are a data controller (making decisions) or a data processor (acting on a third party's instructions) in relation to the data you process;
  • Ensure you have a privacy policy that explains your approach to personal data (we have a useful checklist to help you draft it in sufficient detail) – remember transparency is key;
  • Amend your customer contracts and vendor contracts by way of a data processing addendum – setting out how each party will look after personal data. It's likely that your vendors and customers will already have a DPA that you can review and, where appropriate, sign. Note that the agreement should reflect the processor/controller position you have determined above;
  • Outline the high level technical measures you use to protect data (this may be requested by customers);
  • Document how long you hold data for (you cannot hold all types of personal data forever anymore – you must be able to justify the retention period);
  • Put in place a data breach policy to help ensure that you act within the new timeframes for notification (controllers must notify without undue delay, and in any event, within 72 hours of awareness of the data breach);
  • Prepare a longer term plan on completion of the above. Feel free to use our GDPR audit checklist to ensure you've covered all areas of your business that are impacted by the GDPR.