Unlocking Success: Why Startups and Scaleups Shouldn’t Ignore Data Protection
As a matter of law, all organisations including startups are legally obligated to implement data protection by design and by default under Article 25 of GDPR – that means *all* the aspects of GDPR not just some of them – they can’t pick and choose! Do startups consider GDPR when they should in their business lifecycle and when they do, do they pick and choose what to implement?
The sad fact is that, in 2024, too many startup founders are so focused on meeting their financial runway requirements that GDPR is often either put on the “to-do later pile” or the organisation implements what I call a “veneer of respectability”, hoping no one will find out.
Some investors and the Board of Directors of startup organisations are only now, some 8 years after GDPR came into being, beginning to challenge organisations to prove their bona fides in this important area. Why? Because cyber and data risks in many sectors come in the top 3 business risks. – https://www.wtwco.com/en-us/insights/2024/03/global-retail-risk-outlook-2024
The founders and Boards of Directors of startups need to better understand the Cyber and Data Protection landscapes so they fully appreciate the risk profile of the organisation they support.
Ben Martin’s book, GDPR for Startups and Scaleups, has significant content and provides a lot of detail for founders and investors to absorb. This valuable insight will help them meet their Article 25 obligations and reduce business risk.
Another book I can highly recommend is Clare Paterson’s “A practical guide to Data Protection in Social Housing”. This book is an easy and digestible read for anyone coming to the topic from a standing start – 99% of it is valuable for every sector.
I recently had the chance to meet with Ben, and this is what he had to say…
‘In a recent discussion with Chris Roberts, owner of Cybata, we discussed data protection for startups, and the common perception that GDPR is something that only established companies need to consider. One key observation was the tendency of startups to prioritise customer acquisition and securing investments over concerns about data protection.
It’s understandable: when you’re actively seeking customers and funding, diverting resources to what seems like mere “compliance” might appear counterproductive. Besides, the likelihood of facing regulatory fines seems remote, prompting the question – why bother?
While these concerns hold merit, focusing solely on potential fines misses the broader point. Rather than viewing data protection as a compliance burden, it should be seen as an opportunity that can benefit your business at any stage. Importantly, integrating good data protection practices need not be a massive undertaking.
When discussing this perspective, the emphasis shifted to the advantages and competitive edge that GDPR compliance could offer. Addressing and focusing on trust became a central theme in our conversation:
“When dealing with established institutions, such as investors or business customers, they want assurance that you are trustworthy. They want confidence that their investment is secure, their data won’t be mishandled, and your business won’t vanish overnight. Essentially, they need to trust you.”
Chris also explained the importance of encouraging the leaders of startups and scaleups to think about creating a cyber and data safe organisation. Not only does this encouragement lead to compliance but it also provides a firm foundation for growth. Compliance is just the proof the right steps are being taken.
In a competitive market where obtaining investor funding and business budgets is challenging, building trust becomes crucial. Angel investors, for instance, increasingly consider businesses that exhibit an understanding of numbers and good practices. Demonstrating that your business has a solid grip on personal data health, possesses necessary permissions for marketing activities, and complies with privacy laws can set you apart from competitors. In addition, where investors find data protection risks with your business, or have questions around the quality of your data, they may use this as ammunition to drive the value of your business down.
Likewise, when targeting business customers, having clear answers about your data practices can significantly influence their decision to engage with your product or service. Chris offered insight on this point: “Supply chain pressures on data protection due diligence have been slowly building over the last few years. I work with a number of Ed Tech and Sport Tech startups and scaleups who have been referred to Cybata by Local Authorities (their prospective clients and funding bodies) because the startups and scaleups didn’t have clear answers to due diligence questions and needed training in these areas”.
In the B2C space, transparency in dealing with customer data requests builds trust and reduces the likelihood of complaints.
Establishing good data protection practices at every stage of your business journey enables you to convert prospective customers and present a narrative to investors about a well-run operation with a forward-thinking approach.
The conversation then delved into the timing of when startups should start considering data protection. Is it an opportunity worth pursuing early, or can it wait?
Contrary to the misconception that compliance is a binary state, either achieved or not, the reality is that compliance is a continuous journey. Waiting to address data protection means you will miss opportunities, and implementing GDPR compliance becomes more challenging if postponed, with it being much harder to integrate good data protection practices after the event.
Starting early allows for a proportional approach, focusing on key areas essential for startups. Building these foundations involves a few straightforward steps:
- Bulletproof Your Data Protection UX:
– Ensure your product or service’s user experience reflects a commitment to safeguarding personal data, showcasing trustworthiness.
– Craft a clear and compliant privacy policy, a crucial element in due diligence for investors and customers.
- Marketing Permissions:
– Secure necessary permissions for marketing activities to avoid complaints and maintain accurate leads on your marketing list.
- Data Rights:
– Comply with data rights, providing individuals with access to their data and allowing them to delete it when necessary.
- Be Principled:
– Follow GDPR principles, ensuring a legitimate reason for processing data, fairness, transparency, responsible data handling, and maintaining records.
- Think Practically and Consider the Future:
– Set up systems and processes that align with the principles mentioned above, ensuring a smooth and cost-effective approach in the long run.
In summary, viewing data protection and GDPR compliance as opportunities to attract investment and customers is crucial. Taking small steps early on can establish foundations for the future, saving time and resources in the long run.
For more information on this and other related topics, see www.gdprforstartups.com.
Ben Martin is the author of GDPR for Startups and Scaleups, a practical guide to data protection which simplifies GDPR and sets out a blueprint to building a data protection programme from the ground up. He is also the Director of Privacy at Trustpilot, a FTSE 250 company and has built his career implementing data protection programmes at rapidly scaling and established international businesses. You can find out more about Ben’s book here: www.gdprforstartups.com
Chris Roberts is the owner of Cybata, a data and cyber training and consultancy business which runs in-house and external training sessions to help businesses handle data and cyber threats properly. Chris has extensive experience in the tech and security space and, prior to running his own business, led global teams helping businesses to stay safe online. You can find out more about Cybata here: https://cybata.co.uk