GDPR compliance for startups and new businesses
Starting a new business is an exciting step for all entrepreneurs, but it may come with quite a steep learning curve. Organising finance, finding an appropriate workspace, and kickstarting your marketing roadmap are likely to be items high up on your agenda. One thing that shouldn’t be an afterthought, however, is data protection.
All UK businesses need to comply with GDPR, including small businesses and startups. Compliance with UK GDPR and the Data Protection Act is mandatory and is a vital part of any company’s procedures. From managing newsletter signups to gathering CVs for your very first employee, there are many things startups must consider when handling personal information.
The first place to start is making sure you understand what is meant by personal data, what data your business is likely to collect, and how long you need to keep that data.
Creating a comprehensive document retention and destruction policy is a great place to begin. But what other steps should your startup take to ensure GDPR compliance?
Register with the ICO
Any business that processes personal data as a controller needs to register with the ICO. This is a very simple process that typically costs around £52 per year for startups and can be completed via the ICO website. There are a number of exemptions to this requirement, with a quick self-assessment process available on the site.
Be transparent about data processing and create a privacy policy
If you are controlling personal data, your data subjects should know how you’re using it. This is where your privacy policy comes in. When you have a data retention and destruction process finalised, you can use that information to create your first-ever privacy policy. Your privacy policy should include information about what data you’re collecting and how it will be used. This may include any software systems you use (e.g. CRM or accounting software), how your marketing opt-in processes work, any review platforms you share customer email addresses with, how long CCTV footage is retained, where data is stored, and how long it will be kept. You should also include information about how you’d handle information about potential employees. Unsuccessful applicant CVs, for instance, should be immediately deleted or destroyed.
All businesses, however small, need a privacy policy if handling personal information. This is a legal requirement. To get started with your own privacy policy, the Information Commissioner’s Office website has a wealth of excellent resources.
Secure your logins and create an IT policy for any new hires
With a new start-up, it’s important to ensure strong digital security – even if there are only one or two employees. Sharing passwords or USB drives, and accessing work files on personal devices, can expose your company to the risk of a data breach. By putting a strong, no-nonsense IT user policy in place, these risks are dramatically reduced.
Some things you should implement to strengthen your digital security are:
- A strong password policy and multi-factor authentication
- The use of anti-virus and firewalls
- Access controls for data storage – if someone doesn’t need access to personal information, they shouldn’t have it
- Restrictions on internet use and downloading software
Startups need to consider compliant disposal for confidential waste
Confidential waste doesn’t just mean customer order forms. It could be something as simple as a customer email address scribbled on the back of a receipt or a misprinted address label. When information that is confidential or personal in nature is no longer needed, you need to make sure it’s disposed of properly – not just thrown in a recycling bin.
In a YouGov survey commissioned by the BSIA in August 2023, it was found that 31% of micro-businesses had no paper waste stream at their organisation, neither for recycling nor for confidential documents! Only 3% of large businesses didn’t. This is because large businesses know how important it is to avoid any risk of a data breach. You also need to consider whether your employees may inadvertently make the wrong call when deciding what paperwork is or isn’t confidential. We recommend a ‘Shred Everything’ policy for paperwork. Whether you shred at work or use a specialist shredding service provider, confidential paperwork needs to be destroyed.
One of the main benefits of using a shredding service is that you’ll receive a Waste Transfer Note and Certificate of Destruction after every shredding service. In the event of a breach, these documents will quickly demonstrate your compliance.
Understand what Subject Access Requests (SARs) are and how to respond to them
If you store information about individuals or companies, there is a chance you may receive a subject access request. This is where an individual can request to view the information you hold about them.
Under GDPR, you have one month to respond to this request. It is, therefore, good practice to have a procedure in place to deal with any SAR quickly and efficiently. This includes understanding what information should be revealed under the SAR and the information you can keep confidential.
Getting data protection right for your start-up company is a vital part of being able to perform in today’s marketplace. With a company’s reputation playing such a large part in modern business, a well-publicised breach in your data security measures could substantially harm your start-up before it is even fully off the ground.
By ensuring GDPR compliance and following these basic steps, your startup or small business can thrive while keeping customer or employee information safe. GDPR compliance is a win-win.
