As our previous coverage noted, this is something all tech companies need to prepare for. In our live stream, Founders’ Network Programme Lead, Lauren Nicholson, talked to three people with hands-on experience of GDPR: James Clark of law firm DLA Piper, Robin Williams of startup Data Hive, and Steve McNicholas of international data company Callcredit.
While the full video stream is for Founders’ Network members only (interested in joining? Apply now!), here we’ve pulled out some of the most important and interesting points the panel made.
Why is GDPR being introduced?
James Clark: The EU wanted organisations of all sizes to take accountability for the data they collect – to take a step back, see what data they collect and look at how they store it and look after it. Data protection has often been a tick-box exercise, up to now.
Also, GDPR makes end-users more aware of how their data is being used. It aims to give individual data subjects much more of an understanding of what’s being done with their information. You’ll need clear signposts around your website about what’s happening to users’ data, for example. And when using third-party data services (like Google Analytics for tracking browsing data), you’ll need a proper contract with them, with GDPR taken into account.
The first step in preparing for GDPR
James Clark: You need to understand what you’re doing with personal data, so you need to do some kind of data-mapping exercise. Look at activities across the business – both internal and customer-facing. Look at what data you collect, how you’re using data, and who has access to it.
Once you understand that, you can look for weak spots. For example, there might be areas where you collect more data than you need.
You can work with an external GDPR consultant, or you can do it yourself. If you’re just starting out, there’s certainly a lot you can do yourself. Look to the Information Commissioner’s Office for help. They’ve published help and guidance on their website. The EU’s data protection website has useful resources too.
Look at what data you collect, draft effective notices, and look at your data security and access rights. These are good, common sense things you can do for yourself.
Steve McNicholas: In Callcredit Group, we have more than 1,300 employees across the globe, and handle hundreds of millions of data transactions per month.
We’ve had programmes running for 18 months looking into all our products and services.
You need to run a ‘DPIA’ (data protection impact assessment). This looks at the data you hold and the permissions around it. Data needs to be dealt with as part of a culture of respect across the company. GDPR takes the UK’s current Data Protection Act to the next level, but the principles are the same.
What data do you really need?
Robin Williams: At Datahive, we’re both a processor of data and a controller of data. So, we have to work with best practice in mind for both approaches. There are so many data-based tools out there that are useful for businesses, but GDPR means you need to consider exactly how much of this data you need. If you work with a good data supplier, they will have a unique identifier for every piece of data that will allow you to track its source and where it was verified.
There’s always been a best practice when it comes to using personal data, but GDPR brings it to the front of mind. It makes you consider whether you’re really in a customer relationship with the people you hold data on. Consider how you use things like e-marketing and general marketing in a way that shows you’re building a customer relationship.
Relevancy is the important thing. You need to be relevant to the customer, rather than just collecting all the email addresses you can. If you can’t account for your data properly now and don’t need it, start getting rid of it now. There’s an opportunity for a clean start with your data.
James Clark: Even with the data you need, ask yourself if you can abbreviate some of it. You might not need full postcodes in all situations, for example. And ask if you can justify holding the data. Keep a record of your reasoning to show you’ve considered it.
What are the liabilities if you get it wrong?
James Clark: There’s been a lot written about GDPR, and a lot of it starts with the premise that you need to be terrified. I’m here to reassure people.
You do need to take this seriously; it applies to all organisations, and smaller organisations can be fined up to €20 million. There are even some criminal offences under GDPR. But don’t panic. It’s a principle-based law, and it’s not heavily prescriptive of how you apply those principles. How you get there can be proportional to the size of your business.
Data security is important
Robin Williams: Make sure data you give out is suitably protected – make it password protected, or on a link that only works for a limited time. Don’t just attach data to an email. Let people use it, but without leaving it vulnerable. Give yourself a unique number that can tie you to that data so it can be tracked and you can see where it’s been used.
Do due diligence to make sure you have good quality, relevant data, not just cheap data you bought off someone’s Zip Drive.
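Two of the controls Robin Williams mentions above (a link that only works for a limited time, and a unique number that ties the shared data to whoever used it) can be combined in one signed link. The code below is an added illustration, not code from the panel or from Data Hive; the base URL, SECRET_KEY and the file and recipient identifiers are constructed assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; in practice load it from a secrets store.
SECRET_KEY = b"example-secret-do-not-use"


def make_share_link(base_url, file_id, recipient_id, ttl_seconds, now=None, key=SECRET_KEY):
    """Build a download link that expires after ttl_seconds and names one recipient."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    # The HMAC covers file, recipient and expiry together, so none of them
    # can be changed in the URL without invalidating the signature.
    msg = f"{file_id}|{recipient_id}|{expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    query = urlencode({"file": file_id, "rcpt": recipient_id, "exp": expires, "sig": sig})
    return f"{base_url}?{query}"


def verify_share_link(url, now=None, key=SECRET_KEY):
    """Return (ok, reason, recipient_id); recipient_id is what you log to track use."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        file_id, rcpt, exp, sig = params["file"], params["rcpt"], int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False, "malformed", None
    msg = f"{file_id}|{rcpt}|{exp}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Check the signature before the expiry so a forged link is never trusted,
    # and compare in constant time.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    if now >= exp:
        return False, "expired", rcpt
    return True, "ok", rcpt


if __name__ == "__main__":
    link = make_share_link("https://example.test/download", "report-42", "partner-7", 3600)
    print(link)
    print(verify_share_link(link))
```

A server would log the returned recipient_id on every successful download, which gives the audit trail the panel describes.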
GDPR has a big upside for your business
Steve McNicholas: The consumer has more power under GDPR. They have ‘the right to be forgotten’ (for data about them to be deleted), for example. Consumers are starting to see the value in their data. It’s incredibly important for a company of our size that we’re seen to be GDPR compliant.
It’s about abiding by the principles of GDPR, not just ticking boxes. The benefits of getting this right are better than the negatives of getting it wrong. The power and benefit of getting it right is huge for your reputation.
Robin Williams: GDPR is a leveller. As a startup, you don’t have the resources of a big company – but you don’t have the red tape and entrenched processes either. It’s an opportunity to build trust with customers faster than bigger rivals.
Even the smallest startups should start now
James Clark: Small startups might think it’s not worth bothering with GDPR, because there are bigger targets for regulators to go after. But even if that was totally true (it’s not), it’s better to bake all this in at the outset of your business journey so it can scale with you. It will be much harder to add it in later when you’re a more complicated organisation, and more of a visible target for regulators.
Don’t be scared of GDPR
Steve McNicholas: Don’t see GDPR as a threat, but it will become a threat if you choose to ignore it.
James Clark: GDPR isn’t scary, but it is important. That said, once it’s sorted, it will just be ‘business as usual.’
Want more valuable, actionable insights like these, as part of a network of peers from across the North of England? Apply for Founders’ Network now.