

Why startups and scaleups need to care about data protection (and it's not for the reasons you might think)

Published:  Apr 19, 2024
Ben Martin, author of GDPR for Startups and Scaleups

Need a bit of a push to start making more effort with your data protection practices? Recently Ben Martin, author of GDPR for Startups and Scaleups and Director of Privacy at Trustpilot, sat down with SeedLegals co-founder and CEO Anthony Rose to make the case for why startups and scaleups should invest the time in their GDPR compliance journey. We hand over to Ben for his insights.

I recently caught up with Anthony Rose, co-founder of SeedLegals. In our conversation we talked about data protection, startups and the perception of GDPR as being something only mature companies need to think about. Early on in our discussion Anthony raised an interesting point about the perception of data protection for startups:

Startups are focused on acquiring customers and getting investment, and whilst they probably “should” care about data protection, they always have other priorities which are more pressing and urgent.

And this isn’t surprising – if you’re fighting to find new customers and investment, pulling resources to deal with something you see as purely “compliance” is counterintuitive. Furthermore, it’s unlikely you’re ever going to be pulled up before a regulator and fined, so why bother?

And this is all true. But I think focusing on fines and sanctions misses the point. In my view, rather than seeing data protection as something compliance-related which will slow you down and be a cost to your business, it should instead be viewed as an opportunity to be leveraged – no matter what stage your business is at. And the best bit is that it needn’t involve a significant amount of work.

After I put this idea to Anthony, he asked me what benefits and competitive advantages I thought dealing with GDPR could bring.

Use GDPR compliance to build trust with investors and customers

If you're speaking with established institutions - be it investors or business customers, they will want to know that you aren't going to go rogue. They want to know that you aren't going to waste their money, lose their data and disappear. In other words, they want to know they can trust you.

Show investors you take your company’s health seriously

Unlike with an established player, institutional investors and business customers don’t know who you are, and so if you want something from them, it’s your job to get them to trust that you can deliver. You’ll no doubt be generating trust in a number of ways: through a quality pitch, a good business plan and showing off your early successes. All of these are fantastic – but in a competitive market, where current conditions make investor funding and business budgets harder to come by, you need to be able to differentiate yourself.

I’ve spoken to a number of angel investors who said that a few years ago, when making a decision to invest, they leant towards focusing on the founder, narrative and product. However, increasingly they look for businesses which have an awareness of the numbers, good business practice and regulatory compliance, especially around data. With this in mind, if you can demonstrate to a prospective investor that the personal data upon which your business is built is in good health, you’ve got necessary permissions to contact your marketing list and that your privacy policy complies with the law, then it will set you apart from other businesses in your space and maturity.

Reassure customers that their data is safe with you

Similarly, if you are trying to win business customers, they will likely ask you lots of questions about your data practices. If you can easily answer their questions on how you’ll use their data, then they’ll be much more likely to sign up to your product or service, and much less likely to insist on full-scale due diligence, than if you hadn’t thought about data protection at all. Finally, if you operate in the B2C space, are transparent with your customers and comply with individual requests for copies of their data, they are more likely to trust you and less likely to complain.

Good data protection practices at every stage of your business’ journey can enable you to convert prospective customers and tell a story to prospective investors that your business is a well-run operation that is looking to the future.

Take small steps now, avoid problems later on

My conversation with Anthony then turned to the point at which startups should start considering data protection; even if it is an opportunity, why not wait?

There’s a perception that complying with data protection law is something which is binary – either you are compliant or not. The reality is that there’s no such thing as 100% compliant, and everyone is on a compliance “journey”, which changes and develops as your business does. Another false perception I’ve seen is that if you do want to be “compliant” you need to make a significant investment in terms of time and money – this isn’t the case. For startups, there may be certain key areas to focus on and these can be implemented in a proportionate way.

The problem with holding off is that you miss out on the opportunities I mentioned above, and when it comes to implementing GDPR, it is much harder to “retrofit” good data protection practices to your business and get them to stick. If instead you act proportionately and take small steps early on, you can lay good foundations which can be built upon with an iterative and incremental approach.

Follow these simple steps to GDPR success

What are these foundations? Well, there are a few simple steps you can take to set yourself up for success:

1. Bulletproof your data protection “UX” – the UX in your product or service is there to provide a great experience for users at the different touch points they have with your business. Yet, interactions which relate to data protection are often neglected, and result in a poor user experience. My view is that you should not just think about these touchpoints as compliance tick boxes or as an aside, but you should bake good design into your data protection processes and documentation, in the same way as you do the other areas of your business. Doing this will not only improve your users’ experience, it will also demonstrate to prospective investors and customers that they can trust you with their personal data. Some examples:

  • Privacy Policy – first, this isn’t a legal document, so shouldn’t be written like one! Use simple language and avoid legalese. Second, when carrying out due diligence, your Privacy Policy will be one of the first places a prospective investor or customer will look. If your policy is lacking in clarity or badly written or simply doesn’t comply with the law, then alarm bells will ring for prospects and customers.
    If you aren’t sure where to start, SeedLegals has a Privacy Policy generator, which can help you to quickly pull together a Policy for your business.
  • Marketing permissions – it’s important that you have the necessary permissions to market to your prospective customers – in some cases you need consent and in others, you don’t. Getting this right will avoid complaints, and accurate permissions will ensure that you have good leads on your marketing list.
    Opt-ins are a complex area, so if you need to delve into this in more detail, you can download the chapter on email marketing from my book GDPR for Startups and Scaleups for free from
  • Data rights – most privacy laws, including GDPR, give individuals rights over their data. You should focus on being able to provide individuals with a copy of their personal data, and allowing them to delete their data.
    There’s a lot of material on how to deal with data rights online (and I’ve also got a chapter on it in my book).

2. Be principled: GDPR is a principles-based law. This means that rather than always having specific rules which need to be followed, there are key ideas which should guide how you deal with personal data. And these principles are fairly simple:

  • make sure you have a good reason to process an individual’s data (for example, having their consent, using it to perform a contract or because of a legitimate business need);
  • deal with people’s data fairly, always be transparent and don’t do things with individuals’ data which you haven’t told them about;
  • look after the data that individuals give you, keep it up to date, collect only the data you need, and once you no longer need it, delete it; and
  • keep some records on all of the above.

Ultimately, whilst these are legal principles, they also make good business sense – realistically, do individuals want to be spammed with emails? Do you really want to keep records on individuals for 10 years? Should you be processing data on an individual without them knowing? Good governance, data health and transparency will also help to demonstrate you are a business that prospective investors and customers can trust.

3. Think practically and consider the future – in most cases, setting up systems and processes in a way which helps with points 1 and 2 isn’t complex, but it will make things a lot easier further down the line. By thinking about data protection upfront, it will save significant time and effort in the long run, and will have a negligible impact in the short term.

What to do now to save time and money in the future

  • Review your Privacy Policy and data rights processes – are they user-friendly? Are policies written in plain language? Are you really being transparent with your users about how you process their data? Look at some examples of how other businesses are doing this, and see if you need a refresh.
  • Check your data and marketing permissions – are you hoarding data you don’t need? Do you have the necessary permissions to market to your customers? Read my free chapter on email marketing here and look at what data you’re holding and whether you need to hold onto it.
  • Consider how you can leverage data protection – can you take small steps now to ensure that GDPR and data protection become something you can leverage in the future, rather than a burden to your business?

In short, data protection and GDPR should be viewed as an opportunity to help get investment and customers. By taking small steps early on, without much effort, you can lay the foundations for the future and save yourself time and money in the long run.

If you’re interested in the topics raised by this article, you can reach out to me at GDPR for Startups.

Ben Martin

Ben Martin is the author of GDPR for Startups and Scaleups, a practical guide to data protection which simplifies GDPR and sets out a blueprint to building a data protection programme from the ground up. He is also the Director of Privacy at Trustpilot, a FTSE 250 company and has built his career implementing data protection programmes at rapidly scaling and established international businesses.