The introduction of the General Data Protection Regulation (GDPR), which comes into force in May this year, represents the most sweeping overhaul of data protection regulations in the UK in two decades.
At its heart, GDPR can be seen as raising the data protection bar in the social media age. The way this is put into practice is varied and sometimes complex, and includes requirements for:
- consent for data use, particularly with regard to under-18s
- greater transparency and accuracy in privacy notices
- updated security rules and more stringent reporting obligations for data breaches
- an upgraded regime for enforcement, remedies and liability
- the introduction of the principle of privacy by design and default.
How tech startups can prepare for GDPR compliance
If you want to stay GDPR-legal as a small business, you have two choices. You can either go back to the customers and prospects you have on your database and – in a GDPR compliant manner – ask them to re-approve your use of their data.
Or, as many organisations are doing, you can delete the wealth of information you have already gathered and start collecting it again from scratch.
Embedding GDPR processes into your business is going to be time-consuming because you will have to design data privacy into all your systems and processes, for example by ensuring your CRM data is safeguarded in your marketing software. That means you will have to develop different ways of working and possibly retrain staff so that everyone in your company knows and understands their new data security obligations.
You will also have to look at your current software to see if it will keep you GDPR compliant. As it stands, if it won't allow you to completely erase personal data on request, or once that data is no longer relevant, you will either have to reconfigure it so it can, or switch to another system.