For many startups personal data is at the heart of what they do. Startup.co.uk’s list of the top startups of 2019 rank Revolut: a challenger bank, Igloo: a challenger energy provider, and Trouva: disrupting the retail space as the top three. Each in different sectors but absolutely dependent on customer data.
Resources in a startup are often spread thin, with a skeleton legal function and a strong focus on rapid growth this can make it difficult to know where to focus efforts with compliance with the GDPR. The principles-based nature of the rules is complex and the consequences of getting compliance wrong, significant.
There are no easy answers, but we have identified 5 key questions to get you started.
1. Do you understand your data flows?
To be able to check how you are doing in terms of GDPR compliance you need to understand your data flows. This means tracking what happens with personal data right from when it is collected (what are you collecting and how), through to how you are using it, where it is being stored and who it is being shared with. This understanding will underpin a range of things from your thinking on what legal bases you are relying on, to what you need to tell individuals and even identifying appropriate security measures.
2. Do you have good governance structures?
The accountability principle is a key part of the GDPR. It is not enough just to comply you need to be able to demonstrate you are complying. This can include putting in place policies, written data processing contracts and establishing record keeping processes. Whilst policies are a good start, good practice actually needs to be embedded throughout the organisation. Startups often have an advantage over more established organisations because they can be more agile in embedding data protection compliance into their organisation. Once the policies are written it can help to reflect on whether they (i) are being implemented in practice; (ii) are working well (e.g. have you had complaints about how you are handling subjects rights requests?); and (iii) support the processing decisions you are making.
The ICO is currently consulting on an accountability toolkit to help organisations. You can have your say here.
3. How long are you keeping data for?
Another key principle under the GDPR is that you must not keep personal data for longer than you need it. Many startups won’t have been in existence long enough to have records dating back 10 or 20 years however this does not mean that data retention practices aren’t something to keep an eye on. Clear data retention policies that detail when to delete different types of personal data can not only help with GDPR compliance but may reduce unnecessary storage costs. Often there are legal reasons to hold on to personal data e.g. for disputes or tax purposes, but you should reflect on whether the business really needs to hold on to things like customer enquiries that are not taken forward. Regular deletion of unnecessary personal data means there is also less to search if you get a subject rights request and, less personal data exposed if you suffer a data breach.
4. Are you prepared if you suffer a data breach?
A clear process to follow if you suffer a data breach is essential and can help you manage the risks effectively. This can cover a broad range of issues such as forming a breach response team, identifying who needs to be notified (e.g. regulators, insurers, individuals) and pre-drafted press releases. If you also take the time to understand your organisation’s approach to security (including whether the security measures are appropriate to the type of personal data you hold) this can assist spotting risks, quickly addressing the issues and make answering regulators questions easier.
5. Are you aware of current developments in your sector?
It is not just the Information Commissioner who is interested in data these days. If you are subject to additional regulation like startup.co.uk’s top three: financial services, energy and consumer, it helps to think about how you are managing data from a holistic perspective. These regulators are grappling with issues such as facilitating switching through data portability, data ethics and ensuring consumers are treated fairly. If you want to keep up with the latest you can keep an eye on our blogs.
We are looking forward to discuss these topics at TechCrunch Disrupt in Berlin, in particular also with the companies that made it under the top 50 of Europe’s Digital Top 50 award, which we are sponsoring this year in conjunction with Google, McKinsey and Rocket Internet. The DT50 awards aim to bolster Europe’s thriving tech scene by rewarding the bold and trailblazing work of the entrepreneurs behind the Continent’s most promising startups.