Do you know what GDPR is and how its enforcement will affect your startup?

With all the hype around GDPR and 2017’s cyber-attacks (remember what happened to the NHS?), individuals are far more aware and hot on their data rights than they ever were before.   The EU’s GDPR is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.  However it’s pretty safe to assume that most startups are still not completely clear about what they need to do to ensure they’re comfortable and ultimately compliant.

It’s not surprising really, a busy startup owner doesn’t have the time or the energy to read through the swaths of information (sometimes conflicting) on what they need to be aware of and do. In a dramatic move, even a huge company like Wetherspoons deleted their entire database just so they could make sure to stay onside with the law. But that’s obviously not a practical move for many organisations, where processing data is an essential function for their business to operate.  Our legal partner Lawbite recently launched a GDPR Checklist to help businesses identify areas within their data practices they may need to address.  So far Lawbite have received around 200 responses from smaller businesses and startups and have shared the top 3 most surprising findings with us along with some useful tips!

1. At a basic level, around a third of respondents had no idea whether they were ‘data controllers’ or ‘data processors’.
   > This legal jargon may be puzzling, but it’s important to know what the difference is and which apply to your organisation. In essence, a data controller collects information and a data processor actually does something with it – so you could very well be both! You have different obligations around under the GDPR for each. 
2. Lawbite asked whether respondents knew what lawful basis they had for collecting and processing personal data. Disappointingly, only 41%
   > It’s a pretty fundamental question here, asking whether you absolutely know that your data collection and processing is lawful. As a business, you should really understand the grounds you have for collecting and using people’s personal information.
3. In terms of understanding the rights of data subjects under GDPR, it was another alarming result, 77% of respondents admitted they didn’t know, or simply weren’t sure.
   > Part of understanding the law is being able to know what your data subjects’ rights are over the information you hold about them. The GDPR has solidified and strengthened many rights people had under the Data Protection Act. For example, you might have heard about the right to erasure or ‘right to be forgotten’, where individuals can request their data be deleted if there is no compelling reason for you to keep it.

We all know the last couple months of this year is going to fly by, then suddenly May 2018 and the enforceability of GDPR will be upon us.  We’d hate for your business to get caught out or even for someone to lodge an official complaint to the Information Commissioner’s Office (ICO). Why not take Lawbite’s free GDPR Checklist today and see how you get on? They also have a free and more comprehensive GDPR Audit document you can request by submitting an enquiry to their team here. [https://www.lawbite.co.uk/partners/SUD-GDPR].

Alternatively you can just call the Lawbite team on 0207 148 1066 explaining that you’ve come via Startup Direct and would like to speak to a lawyer about GDPR.