In July, I attended the Pirate Summit in Cologne, where there was plenty of discussion among startups and entrepreneurs about the GDPR. As the founder of a consulting firm with “GDPR” in the name (as well as the wearer of a customized T-shirt just for this occasion), I found attendees eager to share their thoughts with me about the regulations that officially came into effect in May. A common feeling among founders was that they had navigated some rather stormy regulatory seas in recent months. When one considers a regulatory timeframe, however, their voyage is only beginning.
All Hands on Deck for GDPR
Given that the Pirate Summit is one of the largest startup events in Europe, it stands to reason that my conversations there with founders were an accurate representation of current perceptions and concerns about the GDPR in the startup sector overall. Among the most common reactions is, “Oh, yes, GDPR. We already took care of that, and I’m glad it’s behind us now.”
Actually, not quite.
Such a reaction is concerning because it leaves companies vulnerable to much larger problems later on. As TechGDPR continues to emphasize with our clients, GDPR compliance is never “done”; it is a process—one requiring ongoing vigilance over each new data-related activity that a company begins. Whenever personal data is collected or processed, action needs to be taken.
The Size of Your Ship
The second most common reaction from founders is frustration and even resentment about the perception that startups and other smaller companies face a heavier burden to become GDPR compliant than larger, more established companies.
In reality, even the smallest startup need not be overwhelmed. Unlike large corporations, whose compliance issues span multiple departments (and in many cases, continents), it remains far easier for a smaller company to analyze why it is collecting and processing data. Such questions can be sorted through in a matter of days within startups, setting a solid path for integrating GDPR practices throughout the company as it grows and expands.
Larger companies, on the other hand, often don’t know what data exists where or why, and they are at a loss to justify many disparate mountains of personal data that have been collected for years—“just in case.” Big firms may have more resources for responding to the GDPR, but they also have far more holes to patch and processes to implement—not to mention the organizational aspect of involving many more people in their GDPR compliance efforts.
Being aware of how to implement key data collection and storage practices is paramount, both for my fellow Pirates and for the rest of the global tech community. Sooner or later, all companies will need to properly comply if they want to stay in business. The key question is: which companies, regardless of size, will be proactive, and thus be able to feature their customer-focused privacy practices to attract and retain business? Conversely, which companies will sabotage their reputation by addressing personal data protection only because of the threat of serious fines or a devastating privacy breach?
As people (or, as the GDPR calls them, “data subjects”) continue to increase their awareness of the rights and freedoms that any form of data privacy affords them, customers will increase their scrutiny of corporate privacy practices and seek out companies that align with customers’ data protection expectations. Successful companies will leverage the GDPR as a framework for the best practices in protecting customers’ or users’ personal data. Such companies will be able to build not only better data storage systems, but a better reputation among customers.
Staying on Course for GDPR Compliance
If you are a founder or leader of a startup or other small company and you are feeling overwhelmed by the GDPR, you are not alone. At TechGDPR, we are used to meeting clients who are grappling with the GDPR and don’t know where to start. We also spend a great deal of time reminding them of the advantages of sustained GDPR compliance.
The best place to start is in shifting our perception of the GDPR to see it as an opportunity for protecting privacy for everyone, including you. Every person who is part of a startup is also a “data subject” in countless databases and with a rapidly growing digital footprint. When we, as leaders in small companies, prioritize protecting human rights related to privacy, we are also advocating for our employees, our families, and ourselves—not to mention avoiding a few shipwrecks.
Silvan Jongerius is the Managing Partner of TechGDPR.