Run | 15 August 2018



Your inbox has probably been overflowing recently with emails from businesses around the world – everyone from your social media platforms and your local supermarket to the host of an event where you dropped your business card into the box and a restaurant whose survey you completed on a tablet one night three years ago.

The reason? The EU General Data Protection Regulation 2016/679 (GDPR), a regulation in EU law on data protection and privacy which came into effect on 25 May 2018.

While the EU and having European customers may still be a dream for your business, as a startup or emerging company in MEA it is still important to understand the implications of GDPR on your operations – it may give you a competitive advantage over less agile players in your market.

Does GDPR apply to my business?

GDPR applies to the processing of personal data in the EU and outside the EU in some circumstances. For non-EU businesses, GDPR applies where the processing of personal data is related to:

(i)  offering goods or services to EU-based persons (Data Subjects) – regardless of whether any payment is received; or

(ii)  monitoring the behaviour of EU Data Subjects where that behaviour takes place within the EU.

For paragraph (i) above, the key test is whether the business envisages offering its products or services to individuals in the EU. A website that is accessible in the EU is not enough to fall under the scope of GDPR. Using a European language on a website will likely carry less weight for a MEA business (where, for example, English and French are widely used). However, if the website combines a European language with the ability to pay in euro, it is easier to suggest that the website owner “envisages” offering the products or services to Data Subjects in the EU.

The monitoring of behaviour in paragraph (ii) includes tracking behaviour on the internet, especially where that activity is used to analyse or predict preferences, behaviours or attitudes and to make decisions about the individual. This goes beyond using cookies and would also capture the use of location data or recording IP addresses.

GDPR applies to my business but I have a limited budget. What should I do?

GDPR sets high standards across the board and does not differentiate by business type. But startups and emerging companies are pushed for cash and time: you probably don’t have the funds to invest in expensive cyber security systems or the comfort of a loyal customer base. So, you need to be smart about the order in which you implement steps to become GDPR-compliant.

•  Privacy policy: start with the basics – put a privacy policy on your website which includes a cookie statement and make sure it is in a place where users can see it. Any customer-facing websites or apps should come first, then you can look at the internal aspects of your business.

•  Audit: review your current privacy model and what needs changing. Focus on security measures, advertising and other growth hacking measures (e.g. social media campaigns) you are using. There is a range of tools and services available, from self-guided checklists to dedicated consultants. If you hire a consultant, make sure they are familiar with dealing with startups and SMEs, not just larger companies. The same goes for any lawyer you hire.

•  Data minimisation: reduce the amount of personal data in your business. Think carefully about what data you’ll collect and how long you need to keep it. Aim for the smallest volume and the shortest duration possible. Delete data that is not needed.

•  Records: keep a clearly labelled bundle of materials recording all the steps you’ve taken towards compliance. This could be in hard copy or stored electronically but it’s more useful if it is in a form that can be easily shared with your customers or partners if they ask to see it.

•  Teamwork: everyone within your organisation should take responsibility for improving data protection. Give employees the resources and time to become familiar with the changes and to be trained. Monitor feedback from your front-line employees (e.g. sales staff).

•  Data protection officer: it would be unusual for a startup or emerging company to process sufficiently large amounts of data to require a data protection officer. However, if you do, you probably don’t need to hire a new employee and can assign the role to an existing staff member who has a strong sense of accountability. Make GDPR compliance one of their KPIs.

•  Don’t over-invest: customers will probably ask you to provide them with various items to demonstrate the level of compliance in your organisation. You’ll need to spend time and money to stay ahead of those requests but, equally, don’t over-invest in expensive resources you don’t need. For example, you probably don’t need a glossy pack of materials created by a designer setting out the personal data flows and technical protection measures taken – simple diagrams and notes prepared in-house will probably be enough. Keep an open dialogue with your customers as this will help you determine where, and how heavily, to invest, noting that these may change over time as regulation and enforcement of GDPR evolve and/or your customer base develops.

•  Use GDPR to your benefit: startups are generally more agile and their model is often in the early stages of development. This will allow you to build data protection into your business much faster than your larger competitors. It is relatively straightforward to build consent mechanisms into your marketing efforts and day-to-day procedures.

GDPR doesn’t apply to my business. Should I still comply with it?

Complying with GDPR shows your audience that you are a trustworthy organisation that respects their privacy and personal information. Compliance with GDPR may provide a competitive advantage from a marketing and customer relationship perspective.

One of the most compelling reasons for a startup to become GDPR-compliant is to allow it to serve customers who demand compliance and shut out competitors who don’t offer this to their customers. This is particularly true for startups operating in the B2B space, serving larger organisations.

But remember that GDPR compliance does not come with a certificate: it is a set of regulations which will be applied to specific circumstances. So, if you choose to comply, you’ll need to convince your customers that you are compliant.

Investors will also have a number of questions on GDPR when evaluating your business (see our article “GDPR and VCs – what will they be looking for?”).