10 point checklist: GDPR compliance for startups

10 point checklist: GDPR compliance for startups

Table of contents

Show more Show less

Starting a company can be difficult, but implementing data privacy right from the beginning doesn’t have to be. While large corporations can struggle with the reorganization needed to develop their privacy operations, startups can’t afford the resource drain of these issues, and fortunately can avoid them. In fact, a pre-seed firm or one that is in the seed phase can even create a competitive advantage by designing privacy into their products or services and operations early. Then they’re ready for any future legislative changes that are enacted. 

 

“Providing customers with absolute data transparency and privacy-friendly policies from the get-go will allow for a smooth transition into the privacy space, saving future scrutiny under changing privacy laws.” – Donata Skillrud from Termagedon 

 

Neglecting data privacy during early stages can result in serious repercussions once your company starts to grow. Especially when looking at international expansion after building a strong domestic base. When looking to establish a base abroad, in the US, for example, and transferring data to third parties, the GDPR must still be adhered to.

 

Taking the data privacy principles “privacy by design” and “privacy by default” into consideration, it is no wonder that more startups are looking to solidify their privacy strategy at the beginning of the startup journey.



For example, understanding that your company will utilize app data will influence the privacy strategy. Or if your company focuses on sensitive personal data, such as healthcare records, privacy must take center stage.

 

“When a company is in the growth stage, the product and website should have already been developed with privacy in mind”, says Nishant Bhajaria, author of Privacy Egineering. “This is because the technical aspects of data privacy can be challenging to implement once a product goes live.”

 

Implementing a strong data privacy strategy from the start will provide your company with several strategic advantages:

 

  • Privacy is key to establishing your brand and trust in your company.
    Customers expect careful and transparent handling of their data, which can lead to a loss of marketing revenue if this isn’t taken into consideration by a company.
  • Looking at why and how you collect data can influence the way your product is developed, and will save time and money by designing with privacy and data protection in mind.
  • When working with investors, ignoring data privacy can be an obstacle and lead to delays or loss of deals. Many VCs expect to see a privacy strategy from the get-go.

GDPR compliance checklist for startups

Here are the important areas to focus on for any startup to reach full GDPR compliance: 

 

1. Conduct data mapping


Where is your data coming from? And most importantly, which types of data are you collecting? Understanding the sources of your data is key for implementing full GDPR compliance and for creating a solid privacy strategy. The following sections of this checklist rely heavily on the identification of which cookies your website collects. Therefore, we recommend conducting a website audit as one of the first steps.

 

2. Appointing a DPO

 

The early appointment of a Data Protection Officer is advisable, as it points you in the right direction and builds structure at an early stage. If you know that your company processes sensitive data, or if the core activities of the company require large scale, regular and systematic monitoring, hiring a DPO will be the safest, most proactive approach. If you are still unsure whether or not you should hire a DPO, the Information Commissioner’s Office (ICO) has compiled a short checklist where you can determine if your organization needs a DPO.

 

3. Limit data collection

 

Once you have identified which data you collect and for which reasons, make sure to periodically review and delete unnecessary data. Create marketing strategies that rely less on sensitive user data or third-party data. This can be done by solidifying a mailing list marketing strategy.

 

4. Identify legal basis

 

You can only process data under the GDPR if you can produce evidence – both written and procedural – of at least one of the six named legal bases, which include: consent, legal obligation, contractual obligation, legitimate interest, vital interest, or public task. Identify what applies to the data that your company collects, and be sure to include this detailed information in the privacy statement.

 

5. Fine tune your privacy policy

 

The privacy policy is the backbone of any privacy strategy, creating the basis of trust and transparency between you and your users. More and more consumers are paying attention to the details of privacy policies, so don’t make the mistake of thinking that your customers will only scroll past it. And according to Article 12, GDPR, making sure that it is easy to understand is quite important. That’s why companies such as Termageddon are offering policy generation services to create GDPR- privacy policies.

 

6. Compliant Consent Management Platform

 

Implementing a GDPR-compliant Consent Management Platform (CMP) early on in implementation of your privacy strategy is a competitive advantage for your company. A Consent Management Platform takes care of collecting, storing and managing consent. Changes to existing legislation and implementation of new laws are also handled with regular product updates so you don’t have to figure out the complexities on your own. 

 

7. Privacy by design

 

Make sure that your Consent Management Platform is fully compliant with the GDPR. While having a cookie banner that only allows for opt-in may seem like the surest way to get consent, it actually isn’t. Many studies show that offering clients the equal possibility to opt-in or out actually increases the chances of a consumer providing consent. 

 

8. Collecting granular consent

 

Not all types of consent are equal. That’s why we’ve gathered up a list to explain to what degree of granularity consent must be given. Users need to be able to opt out as easily as opt in, and must be able to change their preferences in the future. Read more about what is considered the right type of consent here.

 

9. Store data in the EU 

 

According to EU legislation, it is advisable that all data collected should be stored in the EU.

 

10. Bonus item: Implement company-wide measures


A company’s GDPR strategy shouldn’t be left solely to the legal department or DPO, but should be seen under a holistic lens. Privacy is the new normal, and by creating awareness and understanding in all staff, every product idea or marketing strategy will be created with privacy in mind– from the beginning. Fortunately, data protection is becoming more and more relevant as companies focus on consumer good. This is why starting early is the smartest policy.

Privacy from the start should be your goal as a company

Creating the right data privacy strategy isn’t always a walk in the park, but there are many resources to put you in the right direction. Check out our extensive Knowledge Hub or sign up to our many panel discussions where you can learn more about all things data privacy.

If you would like to learn more about our Consent Management Platform and how to get privacy-ready, contact our experts for a free consultation!