Disruptive Startups Must Also Disrupt Common GDPR Assumptions

Thursday August 16th, 2018 by Silvan Jongerius

In July, I attended the Pirate Summit in Cologne where there was plenty of discussion among startups and entrepreneurs about the GDPR. Because I am the founder of a consulting firm with “GDPR” in the name (as well as the wearer of a customized T-shirt just for this occasion), attendees were eager to share their thoughts with me about the regulations that officially came into effect in May. A common feeling among founders was that they had navigated some rather stormy regulatory seas in recent months. When one considers a regulatory timeframe, however, their voyage is only beginning.

Images: Evening event at Pirate Summit 2018; TechGDPR CEO Silvan Jongerius at the Pirate Summit 2018

All Hands on Deck for GDPR

Given that the Pirate Summit is one of the largest startup events in Europe, it stands to reason that my conversations there with founders were an accurate representation of current perceptions and concerns about the GDPR in the startup sector overall. Among the most common reactions is, “Oh, yes, GDPR. We already took care of that, and I’m glad it’s behind us now.”

Actually, not quite.

Such a reaction is concerning because it leaves companies vulnerable to much larger problems later on. As TechGDPR continues to emphasize with our clients, GDPR compliance is never “done”; it is a process—one requiring ongoing vigilance over each new data-related activity that a company begins. Whenever personal data is collected or processed, action needs to be taken.

The Size of Your Ship

The second most common reaction from founders is frustration and even resentment about the perception that startups and other smaller companies face a heavier burden to become GDPR compliant than larger, more established companies.  

In reality, even the smallest startup need not be overwhelmed. Unlike large corporations, whose compliance issues span multiple departments (and in many cases, continents), it remains far easier for a smaller company to analyze why it is collecting and processing data. Such questions can be sorted through in a matter of days within startups, setting a solid path for integrating GDPR practices throughout the company as it grows and expands.

Larger companies, on the other hand, often don’t know what data exists where or why, and they are at a loss to justify many disparate mountains of personal data that have been collected for years—“just in case.” Big firms may have more resources for responding to the GDPR, but they also have far more holes to patch and processes to implement—not to mention the organizational aspect of involving many more people in their GDPR compliance efforts.

Changing Tides 

Being aware of how to implement key data collection and storage practices is paramount, both for my fellow Pirates and for the rest of the global tech community. Sooner or later, all companies will need to properly comply if they want to stay in business. The key question is: which companies, regardless of size, will be proactive, and thus be able to feature their customer-focused privacy practices to attract and retain business? Conversely, which companies will sabotage their reputation by addressing personal data protection only because of the threat of serious fines or a devastating privacy breach?

As people (or, as the GDPR calls them, “data subjects”) continue to increase their awareness of the rights and freedoms that any form of data privacy affords them, customers will increase their scrutiny of corporate privacy practices and seek out companies that align with customers’ data protection expectations. Successful companies will leverage the GDPR as a framework for the best practices in protecting customers’ or users’ personal data. Such companies will be able to build not only better data storage systems, but a better reputation among customers.

Staying on Course for GDPR Compliance

If you are a founder or leader of a startup or other small company and you are feeling overwhelmed by the GDPR, you are not alone. At TechGDPR, we are used to meeting clients who are grappling with the GDPR and don’t know where to start. We also spend a great deal of time reminding them of the advantages of sustained GDPR compliance.

The best place to start is in shifting our perception of the GDPR to see it as an opportunity for protecting privacy for everyone, including you. Every person who is part of a startup is also a “data subject” in countless databases and with a rapidly growing digital footprint. When we, as leaders in small companies, prioritize protecting human rights related to privacy, we are also advocating for our employees, our families, and ourselves—not to mention avoiding a few shipwrecks.

Silvan Jongerius is the CEO of TechGDPR.
