9 Tips on data protection for start-ups

June 12th, 2023 Posted in Compliance, Data Protection

Data protection and GDPR compliance for start-ups – what to consider?

Starting up a new business can be complex; from the seeds of that first idea, writing a business plan, registering your business name to opening the doors or going live with your online business. One area you may not have considered that should be on every “business start-up checklist”, is data protection and GDPR compliance.

Customers are more aware than ever before of their data protection rights and they expect transparency and honesty. Implementing good privacy practices will help establish your brand and build consumer trust. Failing to consider your customers’ rights and your data protection obligations could be costly to your reputation and impact your bottom line if you are fined by a supervisory authority. And, it’s not just your customers who know their rights, it’s your employees too!

If you’d like to get an idea of what you can expect to pay for an external DPO, read our ultimate guide to DPO costs. We also suggest you take a look at our latest guidance on the EU AI Act, which is important if your organisation uses, or plans to use AI in any form. 

In this blog, I discuss my top nine data protection considerations when starting up a new business.

9 Data Protection Tips for start-ups

1. Know your data and why you are collecting it

Start with a Record of Processing Activities (RoPA). A RoPA is a key component of robust data governance: used correctly, it lets you identify and mitigate risks because it records, for example, who has access to the data and the measures in place to protect it. Under the UK GDPR (Article 30) there are explicit provisions setting out what organisations must document about their processing activities. To comply with data protection legislation you need to know the following:

  • What personal data you are, or will be, collecting.
  • Why you need to collect it.
  • Whose data you are collecting: customers, employees or suppliers.
  • Which lawful basis you are relying on to collect and process it.
  • Where in the world your customers are located.
  • Whether you need to consider other data protection legislation.
  • Who your data processors are and where they are located.

Documenting this information will help you build a “single source of truth” for all your data processing activities.

2. Data Protection Impact Assessments and Privacy by Design and Default

Unsure what a DPIA is? Read our complete Guide to DPIAs. A Data Protection Impact Assessment (DPIA) is only mandatory under the UK/EU GDPR where processing is likely to result in a high risk to the rights and freedoms of individuals, but it is advisable to conduct one for your core processing activities whether it is mandatory or not. A DPIA will not only help you assess the risks to individuals, it will also help you assess your compliance with the data protection principles, such as:

  • You are collecting data for a specific purpose (purpose limitation)
  • Collection and processing are limited to what you need rather than what you want to collect “just in case” (data minimisation)
  • You keep data only for as long as you need it (storage limitation)

Once you have identified any risks, you can ensure your systems and processes build in “privacy by design and default”. This means you anticipate and are proactive in mitigating risks to individuals right from the outset. You should embed data protection into your design and architecture, whether this is a paper-based personal data capture, a new website, a mobile app, or a Software as a Service (SaaS) that you offer to your clients. You don’t want to fall foul of expensive retrofitting further down the line because you didn’t conduct thorough due diligence at the outset.

3. Be Transparent

Transparency builds trust and so ensure you tell your customers how you collect and process their personal data. Data subjects have a ‘right to be informed’ about the collection and use of their personal data under the UK GDPR. This means, when you are processing individuals’ personal data, you must provide privacy information to these individuals which includes, for example, your purposes for processing their personal data and who it will be shared with. This information is most commonly presented to individuals in the form of a privacy notice.

A privacy notice must be easily accessible, clear, concise and use jargon-free language. Privacy notices are not just for your customers, as your business grows and you recruit staff, recruitment and employee privacy notices will be just as important in showing your transparency. Don’t worry if you’ve never written one before, our data protection experts have written a guide on how to write a privacy notice.

4. Policies and Processes

Prepare for the unexpected. It is far easier to deal with the unexpected when you already have policies and procedures in place, whether that is training on data protection so that your employees know their responsibilities when processing personal data, or managing an unfortunate data breach or other incident. Having up-to-date and regularly reviewed policies and procedures will save you valuable time, and your reputation!

5. Marketing and Capturing Consent

You may have seen in our Guide to PECR that obtaining GDPR-compliant consent, and being able to demonstrate that it is valid, is an important part of the accountability principle. Take time to consider how you will manage this; it can range from a simple spreadsheet to outsourcing your email marketing to a bulk email service provider who will record consent and maintain unsubscribe lists.

6. Contracts

Ensure you have contracts in place with your suppliers and processors. This is crucial so that all parties understand their obligations, responsibilities and liabilities. If you are transferring data to countries outside the UK or EU that are not recognised (through an adequacy decision or regulations) as having commensurate data protection law, you need to put appropriate additional safeguards in place to protect the data, such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs). Whether those safeguards are sufficient is assessed by completing a Transfer Impact Assessment or Transfer Risk Assessment.

7. Security

It is important to ensure you have appropriate security controls in place to protect your customer and employee data. Security is not only technical measures such as strong passwords and anti-virus protection; it also covers how you will manage access to data for your remote workers and regular training for your employees on how to recognise phishing emails.

You will also need to consider ongoing security monitoring, including vulnerability scanning and penetration testing. If you’re building an app, have you tested it adequately before it goes live so that vulnerabilities are found and fixed first? You will want to consider web app testing or mobile app testing. And don’t forget your suppliers: data protection and security due diligence checks should be built into your supplier onboarding process before you engage them. Read our blog for more information on the GDPR security principle.

8. Accountability

Keep accurate and up-to-date records, registers, policies and procedures so you can demonstrate how you comply with the GDPR. The GDPR’s accountability principle means you are responsible for evidencing how you comply. Accountability obligations are not a one-off activity: you will need to keep your compliance activities under regular review and, where necessary, update the measures you have put in place. Implementing a data protection monitoring framework will help you embed accountability measures into your business.

9. Data Protection Expertise

As a start-up business, you may not have all the data protection knowledge you need. Engaging a data protection officer/expert to help you build structure into your activities will help mitigate the risks of playing catch up with your compliance and avoid expensive retrofitting. Need more advice on whether to outsource your DPO? Our experts have you covered in our blogs on the topic.

Are you a start-up in need of some GDPR compliance advice?

As a specialist data protection consultancy, Evalian is well placed to assist you in navigating the constantly changing data protection landscape and the requirements of the UK/EU GDPR, including helping you to write your policies and processes.

If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered. Visit our GDPR Consultancy services page to see how we can help. Alternatively fill out the form below and one of our friendly team will be in touch!


Our quick reference guide, 9 Compliance Tips for Start-ups, is available to download.



Written by Leah Smith

Leah has worked in the Government sector in Information Assurance, Information Security and Data Protection for over 21 years and was DPO for Ordnance Survey and its group of companies before joining Evalian®. Leah’s qualifications include the Practitioner Certificate in Data Protection PC.dp (GDPR), the ISEB Certificate in Information Security Management Principles (CISMP) and ISO 27001 Lead Implementer.