Showcasing the Best of Welsh Business

Start-up Series: How to be GDPR Compliant Without Breaking the Bank


Following the introduction of the GDPR in 2018, businesses must ensure they manage their data both effectively and legally.

For start-ups in particular, ensuring compliance with the GDPR is vital to engender trust from customers and clients, as well as to secure future investment and avoid potentially crippling fines for data protection breaches.

Siobhan Williams, Associate Solicitor at Darwin Gray, outlines some key steps for start-ups to ensure compliance with the GDPR:

1. Conduct an internal data assessment. Think about what information you need to obtain from customers, clients and employees in order to provide your goods/services and to discharge your duties as an employer. Don’t forget to think about information you are obliged to obtain by any regulations or legislation you are subject to.

2. Trim any excess. Think about your existing customer/client journey and what information you are already collecting from them. Are you habitually collecting personal information from people which you don’t use or need?

3. Keep records. Make sure you keep a written audit trail of the data assessment you have conducted and the decisions you have made. Ensure you have a reasoned explanation of which of the 6 lawful bases you have for processing personal information. Take advice if you are unsure.

4. Ensure you have data protection policies. You will likely need two policies: one which is customer/client facing, and one dealing with your employees. It is worth investing some resources here to ensure that you have a comprehensive and compliant policy.

5. Think about your relationships with third parties. You might subcontract some services to third parties, or you might be acting as a data processor as part of the services you supply to your own clients and customers. Make sure that your terms of business have up-to-date data protection provisions – if you are processing data on behalf of your clients, make sure you have appropriate warranties from them that they have the right to share the personal data with you.

For more information, contact Siobhan Williams at [email protected] or find out more about how Darwin Gray can help with your data protection queries:


Darwin Gray is a commercial law firm based in Cardiff. We are proud of our reputation for using a practical and solution-focused approach when helping our clients.

We have a strong team ethic, putting approachability, consistency and quality at the heart of everything we do. Your business will always be at the forefront of our minds, whilst ensuring you also receive excellent value for money.

We specialise in a number of commercial areas, including:
– Commercial Property
– Franchising
– Corporate and Commercial
– Employment and HR
– Intellectual Property
– Social Housing
– Data and Data Protection
– Dispute Resolution
– Insolvency
– Construction

Our work reflects our values; we are genuinely friendly people who are approachable and accessible to our clients. The Darwin Gray approach is thorough and careful, but we are also known for reacting quickly when it matters and providing creative solutions to whatever challenge our clients are facing, drawing on our rich and varied experience.

We endeavour to prevent problems as well as solve them, and would love to get to know you and your business.

