Following the introduction of the GDPR in 2018, businesses must ensure they manage their data both effectively and legally.
For start-ups in particular, ensuring compliance with the GDPR is vital to engender trust from customers and clients, as well as to secure future investment and avoid potentially crippling fines for data protection breaches.
1. Conduct an internal data assessment. Think about what information you need to obtain from customers, clients and employees in order to provide your goods/services and to discharge your duties as an employer. Don’t forget to think about information you are obliged to obtain by any regulations or legislation you are subject to.
2. Trim any excess. Think about your existing customer/client journey and what information you are already collecting from them. Are you habitually collecting personal information from people which you don’t use or need?
3. Keep records. Make sure you keep a written audit trail of the data assessment you have conducted and the decisions you have made. Ensure you have a reasoned explanation of which of the 6 lawful bases you have for processing personal information. Take advice if you are unsure.
4. Ensure you have data protection policies. You will likely need two policies: one which is customer/client facing, and one dealing with your employees. It is worth investing some resources here to ensure that you have a comprehensive and compliant policy.
5. Think about your relationships with third parties. You might subcontract some services to third parties, or you might be acting as a data processor as part of the services you supply to your own clients and customers. Make sure that your terms of business have up-to-date data protection provisions – if you are processing data on behalf of your clients, make sure you have appropriate warranties from them that they have the right to share the personal data with you.