Many GDPR headlines talk of the legislation’s heavy fines that have been designed to make the data-munching multinationals put data security and consumer privacy at the forefront of future operations.

But the new laws apply just as much to start-ups, and bosses of small companies should know by now that burying heads in the sand is not an option. The GDPR and its culture of data privacy is something that all organisations in Europe and beyond have to uphold.

Companies found guilty of a data breach could leave themselves open to financial penalties, but reputations are equally at stake. As the Facebook / Cambridge Analytica scandal smoulders on in an era defined by low consumer trust, no companies will want to be singled out by the regulator as incapable of guaranteeing data security.

Larger firms and specific sectors will be more familiar with adapting to regulatory compliance, so where do smaller-scale operations start on the journey to compliance?

Navigating a new legislative terrain

First and foremost, the GDPR is not a tick-box exercise; rather, successful adherence means taking mitigating action based on risk. Those without a plan in place should not expect any mercy.

Practical steps have to begin with knowing what data you have, where it’s stored and how it’s processed. Data mapping across customer- and employee-facing activities should form the basis of this audit.

Under the GDPR, only properly trained staff members will be allowed to process data. Should a data breach be discovered, the regulator will knock on HR’s door first to ask for evidence that staff have received the correct training.

Data Privacy Notice

The GDPR affords employees and customers alike more say in what happens to the personal details that companies hold on them. New freedoms include the right to be forgotten, and the right to be able to amend personal details with ease.

Any start-up’s GDPR-compliant approach to data processing should be spearheaded by a new data privacy notice to which all company stakeholders should be guided.

A data privacy notice will highlight who you are as an organisation, what you intend to do with the private details that are being submitted to your care, how long the details will be needed and with whom they will be shared.

Data privacy notices may tell more than this, but ultimately their aim is to reassure the data subject that you are going to handle their information responsibly and in a way that adheres to best practice, as stipulated by the GDPR.

Get on the pathway to compliance today

The best-laid plans for legislative compliance will be built on transparency and accountability. Should a data breach occur, the regulator will be looking for measures that you have put in place to mitigate risk.

Education plays a key role in this – learning about what needs to be done, so that every member of your team, no matter how big that team is, helps to uphold data security and contributes to building a culture of data confidence in the UK.

GDPR Conference Europe: GDPR Sprint

The GDPR Conference Europe: GDPR Sprint is tailored to helping start-ups through every stage of their compliance journey.

Coming to NatWest HQ at 280 Bishopsgate, London, on the 4th May, this exclusive event is supported by Henley Business School’s GDPR Transition Programme, and brings unrivalled alignment of the UK’s leading data protection experts and practitioners.

Attendees can expect a day packed with insight and actionable guidance through five keynote presentations and three panel discussions, while Q&As offer the chance to get your specific queries addressed by industry authorities.

Click here to book your ticket to this exclusive event at a special discounted price.


By Tom Davies, Features Editor, GDPR Report

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at
