The date most companies have been dreading is looming. As of the 25th May, the General Data Protection Regulations (or GDPR) come into force. But why all the panic? In light of recent Facebook scandals, it’s nice to think companies must manage your data properly. Better still, the individual rights created by the GDPR mean we can finally pin down what each company has on us. Or ask them to delete it. As companies, much of what the GDPR entails is not new. These requirements have been enshrined in law for some considerable time. The big difference? Well, it comes down to the fines. Companies which fail to meet GDPR requirements could have to pay a proportion of their yearly revenue. The panic, then, is understandable.

The problem with GDPR is that the document itself is huge. I should know, I’ve spent the last month poring over it. Inevitably, because the stakes are high and so is the workload, there are a lot of GDPR consultants popping up. Search for ‘GDPR obligations’ in Google and the first few pages are offering advice. For a price. Whilst this is all well and good if you’re a big company, it’s tougher if you’re a startup like us. So, because we think responsible data management shouldn’t give you a headache, we’re offering some help. We have put together some of the key things a small startup like us needs to do for GDPR. In the spirit of Clocktimizer, we’ve also made them as simple as possible.

Disclaimer: As stated earlier, we aren’t GDPR consultants (thank god). This advice is offered after our own laborious reading of the GDPR. Use it as a starting point for tackling your obligations. However, for more detailed and free information, head to your data protection local authority and get reading. (That’s ICO in the UK or Autoriteit Persoonsgegevens in the Netherlands).

Map your data

There are very few companies who do not manage some sort of personal data. Have you taken an email address? That’s personal data. Did you need someone’s phone number or full name? Yeah, that’s personal data. Before you can start writing about how you keep that data secure, you need to know what and where it is. So step one is to get mapping. You will need to identify what types of data you hold. Under what lawful basis do you hold them? How do you protect them?

First of all, don’t panic. Everlaw has put together a rather brilliant spreadsheet to help. Each field comes with an explanation of what information is needed. If you fill this out, then you can tick off data mapping from your list. Don’t forget that this provision isn’t a one time thing, however. Every time you collect a new sort of data, you will need to update this spreadsheet.

Get those policies into words

There are two big policies you need to have in place before GDPR comes into effect. These are:

  1. Data protection policy
  2. Data security policy

Your data protection policy should cover exactly what you think it should cover. This is your overarching approach to Data Protection. You should explain what information you process and why you process it. Describe who manages the information and how. Ensure that you address data protection itself. How do you prevent the inappropriate use of data? This can include information like who implements the policy and who ensures compliance.

Once you have your data protection policy in place, you can start drafting your data security policy. Under GDPR there are no official standards for data security (as yet). For now, you simply have to show that the security measures you implement are ‘reasonable’. Now we hope that for most of you, security is taken seriously. If not, you can check out our blog here for some cyber safety tips. What is important under GDPR is to write down what security measures you take. Do you have certification? How do you deal with new starters, or people leaving the company? If you make staff take regular security tests, then write this down. It is a living policy, so you should make sure that this document is updated regularly.

Protect your user’s rights

If you actively collect data (say names and emails addresses in order to set up a demo of your product) then you need to get consent. Now, we are all familiar with the little tick box indicating we agree that our data may be used. However, not many of us have actually read the privacy policy attached. Well, for GDPR, we all need to update that privacy policy. Moving forwards, your privacy policy must include who you are, what you are going to do with the information and who you are going to share it with. The ICO provides a great sample policy here.

You should also outline how users can pursue their individual rights. Under GDPR individuals have been awarded six new basic rights. The right to information, access, rectification, erasure, restrict processing, data portability or objection. Individuals are able to withdraw consent at any time. This means that they are able to inform you that they no longer agree to your use of their data. You must then remove this data. Users may send a request in under these rights at any time. If you fail to comply with that request within 30 days you could face a penalty. To ensure users know how to enfore their rights with you, you should have an easily accessible privacy policy.

 Appoint an officer and get registered

The final essential piece in the GDPR puzzle is to appoint a DPO (or data protection officer). For small startups like us, this isn’t strictly necessary according to the law. However, since GDPR is becoming such an intrinsic part of business, it won’t do any harm either. If you have someone responsible for GDPR compliance, then you are unlikley to fall behind. There is one exception to this rule, however. If your company manages either a high volume of data, sensitive data or information about criminal records then you do still need to appoint a DPO. Remember, GDPR is not a static thing. You can’t just write some policies and leave them to gather dust. You have to keep them updated and you must continue mapping your data and training your staff.

Next, if you aren’t already, register with your local data protection authority. Each EU member state has their own GDPR governing institution. In the UK this is the ICO. For us in the Netherlands this means the Autoriteit Persoonsgegevens.


We have also made this information available as a presentation. Simply complete the following form for your free copy.