With a tight budget, and a daunting implementation date drawing near, it would be easy for a small business to bury its head in the sand and hope the GDPR doesn’t apply to them. In fact, a common misconception among startups is that the GDPR only applies to businesses with 250 employees or more. While the GDPR has a broad scope, and does indeed apply to businesses of any size (including startups), now is not the time to panic.
The GDPR is a new European Union Regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It replaces the old law (Directive 95/46/EC) in place since 1995. The GDPR aims to protect individuals regarding the processing of their personal data. It also changes the way companies access, acquire, use, share, store and provide individuals with access to their personal data. Crucially, it also requires accountability – being able to demonstrate compliance.
The GDPR applies to processing carried out by organisations operating within the EU; and organisations outside the EU that offer goods or services to individuals in the EU. Fines for non-compliance can reach up to €20 million or 4% of global turnover, whichever is the higher. A hefty fine for non-compliance could easily pose a threat to a startup's survival, both financially and in terms of reputation.
"Processing" personal data doesn’t automatically make you a "processor". Businesses can either be a controller or a processor depending on what they do with the data (and not just based on their opinion).
A controller determines the purposes and means of processing personal data, whereas a processor processes personal data on behalf of the controller. In simple terms, the controller makes the decisions and the processor acts on the controller's instructions. This distinction determines which obligations apply to the business under the GDPR. Our Global Data Hub sets out the compliance obligations for controllers and processors in a helpful table.
Depending on what stage of the startup process you are at, you may well be an SME (fewer than 250 employees). If so, you may be relieved of some of the GDPR compliance burden.
There is more good news: startups and SMEs can use the GDPR to their benefit. The concept of privacy by design, i.e. building privacy-friendly settings into products and services at the outset, is not new. The GDPR takes it a stage further, though, by making it a legal requirement. Startups are generally more agile, and their infrastructure and product or service development is normally at an early stage. This allows them to build privacy into their model a lot earlier than many of their larger competitors.
With that in mind, small businesses and startups can build appropriate consent mechanisms and marketing practices into their day-to-day routine. Staff can be trained early on in relation to the GDPR, creating a cultural shift that has a positive impact on compliance.
The GDPR also requires that businesses put in place appropriate technical and security measures. Again, it's much easier for a small business or startup to reinforce its security strategy and solutions compared to a large scale, established business.
We've put together a short term plan to focus your efforts on the key risk areas of GDPR compliance. While this isn't comprehensive, and the earliest remediation of compliance gaps is recommended, it should provide a useful starting point for building a GDPR plan of action:
If you have any questions on this article please contact us.