6 things every startup needs to know about GDPR

September 23, 2020


Here Stuart Cooke, Marketing Manager from Evalian discusses the importance of GDPR for startups and how to stay compliant.

When you’re starting up a business, there are lots of important things you need to consider: your products or services, your finances, your marketing, your location, your employees – the list feels endless! But since May 2018, you also need to put careful thought, planning and budget into your enterprise cybersecurity and into ensuring that your business is GDPR compliant.

With so much already on your plate, we thought we’d help to make things simpler. In this guide, we’ll cover six of the most important things that every startup needs to know about GDPR.

What GDPR actually means

Let’s start with the basics! GDPR stands for General Data Protection Regulation. It is a set of data privacy and security laws that came into force in May 2018, and it has been recognised as the toughest privacy and security law in the world. The idea behind these regulations is to give all EU citizens more control over their personal data, particularly as businesses collect and store more and more of our personal information.

Whether GDPR impacts your startup

Any startup that plans to collect, or already collects, the personal data of customers or clients in the EU as part of its service is legally required to comply with GDPR. This can be anything from collecting customer information for shipping purposes to using a supplier or vendor from a European nation. It applies regardless of whether you yourself are based in the EU: if you’re collecting data from EU citizens in any form, you will still need to follow these regulations.

Because of this wide territorial scope, many (in fact most) businesses across the world have been impacted by GDPR and have to comply with these laws. If you are unsure whether you fall into this category, it’s best to assume you do and seek advice. You can also check out the guidelines in full.

What will happen if your business is not compliant

If your business is discovered to be in breach of GDPR, or to have no GDPR policies in place at all, you could find yourself facing a hefty fine. The maximum fine that can be imposed is the equivalent of $20 million – not a small number! While it’s unlikely you’ll receive a figure this large as a startup, you could still be faced with a penalty of up to 4% of your annual turnover.

Not only this but failing to be compliant can have a damaging effect on your reputation as a business, with consumers becoming increasingly concerned about their online safety and personal data.

What constitutes personal data

The definition of ‘personal data’ under GDPR is much broader than under any other security law. In the official guidelines, personal data is defined as ‘any information which is related to an identified or identifiable natural person’. So, in a nutshell, it is anything that could be used to identify an individual. This covers everything from names, photos and email addresses to identification numbers, IP addresses, medical information and everything in between.

Even factors related to a person’s physiological, mental, economic, cultural or social identity count as personal data, for example information about someone’s sexual orientation or any religious groups they belong to.

How to ensure your business is GDPR compliant

Being GDPR compliant doesn’t happen overnight, but the good news is that when you’re starting up a business you have the best chance to get it right from the get-go. There are several important steps you must take to ensure compliance, and there are a variety of checklists available online to help you make sure you’re covering them. But at the very top level, you must consider the following to ensure your business is GDPR compliant:

  • Get consent – consent is a key player in GDPR and is something that should always be at the forefront of your mind. You must explicitly ask for and gain the consent of individuals if you want to collect, store and use their data.
  • Appoint a Data Protection Officer (DPO) if you think this will help or if you’re legally required to do so.
  • Create a data breach response plan – with just 72 hours to report a breach, you need to make sure you have a strong incident response plan (IRP) in place.
  • Educate your teams to ensure they understand GDPR and their roles and responsibilities.
  • Hire GDPR advisors or service providers if you’re ever unsure.
  • Get a strong security system in place to reduce the likelihood of a data breach – again, you can hire service providers if you don’t feel you can do this effectively yourself.

These are just some of the very basic level – albeit very important – facts about GDPR that startups need to know. There are plenty of service providers out there and literature online to help support you when it comes to GDPR. If you are ever in doubt, it’s best to seek expert advice and help to ensure you’re not breaching GDPR guidelines.