Nicky Johnston: GDPR – Does it really matter to Start-Ups?

It certainly does, but having read Warwick Ashford’s article the other day it seems a significant number of start-ups remain in the dark.

As far as we’re concerned here at TalentSpark, GDPR exists to create a better customer experience for all customers – something all start-ups must focus on – which is an important distinction business leaders need to keep in mind.

So, we chatted to GDPR expert Willie Fairhurst from ECS, who is working with us on meeting the regulations, to get his insight.

Willie Fairhurst of ECS

Here are the top eight areas that you, as a startup or small business, need to consider to make sure you are on track to meet the 25th May deadline.

  • Fair and Lawful 

Are you collecting the personal data for a fair and legal purpose? It is incumbent on you as the collector of data to outline why you are collecting each element of personal data and what you plan to use it for.

  • Specific for its purpose

You need to be explicit about the use of the data you collect and the reasons you are collecting it, which now includes genetic and biometric information. It is no longer acceptable for companies to include in the small print that data collected can be “shared with third parties” or that “you may receive information from partners”.

  • Adequate and specific for purpose

There must be an explicit purpose for holding personal data. Known as “minimisation”, it is a process of only collecting data necessary to complete your business goal. This may seem like a change in approach given the clamour over the last few years to build up as detailed a picture of people as possible.

However, while data is still vital and will drive business going forward, you need to be explicit on how you plan to use it.

  • Accurate and up to date

As a business the onus is on you to make sure the information you hold on your database is accurate and up to date. It is important you are not trying to contact people using old details – not only is it a complete waste of time but it is also intrusive for those who may receive the communication.

  • Length of time holding data

This is still a bit of a grey area as there is no explicit direction on the specific length of time, but the regulations have stated for a while that you can hold data for “a reasonable and appropriate length of time”.

You need to justify what this length of time is and why it’s relevant. Most businesses are using two years as a rule of thumb (six months for marketing) to re-engage with customers to make sure they are still happy to remain on their database.

  • Right to be forgotten

This is one of the most significant moves in this change in regulation. Under the new regulations for GDPR you have the “right to be forgotten”. People, within reason, have the right to have all their information deleted from your system. There are situations where there is a legal requirement to hold information on individuals – employee pay records, for example – based on existing regulations. People can also request the transfer of all their information to another system for free.

  • Safe and Secure

It is the responsibility of the data controller to keep the information they hold safe and secure. This includes managing relationships with other suppliers that you may pass on information to – for example, ensuring they are GDPR compliant. As the data controller you are responsible for the transfer of data and security of it during the transfer. If you have not confirmed the supplier is compliant you will be responsible.

  • Not transferred outside the EEA

Data must not be transferred outside the EU. There is a ‘Privacy Shield’ which can be applied for to enable data to be transferred to the US. However, unless you have the explicit and documented permission from the user to transfer their data outwith the EU you will be in breach of the regulations.

Getting ready for GDPR

These are fairly broad areas that need to be covered, but it’s important you take the time to identify how they will impact on your business and take steps to meet the requirements before the 25th May.

It might seem like a bind just now but in the long term it will improve your customer service and increase the efficiency of much of your marketing effort.

Nicky Johnston is a consultant at EdenScott