How Do Data Protection Requirements Evolve from Series A Through to Series C
What does data protection really mean for your scaleup? We hear about it, we talk about it, but do we all know the full extent of the GDPR requirements needed for your scaleup?
Tom Gell is the Lead DPO and director of customer experience at Trust Keith, looking after the company’s customers and product: everything customer facing from the moment someone becomes a customer.
He offers insight and advice on how your scaleup should approach the key piece of data protection law, the GDPR.
Do data protection requirements evolve from Series A through to Series C?
Tom says there are two answers to that question. The official answer is that the law doesn’t change, so businesses need to think about the GDPR no matter what stage they are at.
“It’s not like at Series A you can get away with it and at Series C you can't. But where does the pressure come from in the UK? It's not really from the regulators, it tends to come from other businesses, partners etc. as they expect to see more maturity as you grow, and as you scale you have more resources to put behind it.
“There will always be basics all businesses will need to have in place from Series A, that's a) common sense to have in place when you actually think about it and b) legally required.
“There's not really a way to get around that anyway, but there are then additional things that are going to improve it and make your position stronger, and they're going to be the things you start to bring in as you've got more time to dedicate to it and invest it.
“At the same time, I would say that the bigger you get, the more stringent a lot of the checks get, so from investors or partners, there will be less they'll be willing to let you get away with, so you will find there will be additional measures.
“There will always be a core that's really important, but beyond that, those are the things you will start not getting away with as you grow. You can have them in place from day one if you want to, but you won't get away with not having them at Series C.”
The most common data protection mistakes
Mistakes happen, especially when you’re setting out at the beginning of your GDPR journey, early on in your business.
One mistake, according to Tom, is not thinking about the GDPR when building a product.
“No business doesn't process personal data; there's no such thing, because it's staff as well: any staff you input, you've got personal data from them.
“But if your product in any way requires the use of personal data and you don't think about it when you're building or creating your product, or making changes, that's the kind of thing that comes back to bite you.
“It's not necessarily a case where we're saying, if you don't think about data protection when you're building a product, you're going to get fined by the ICO; probably you're not. But you are going to find that there might be certain things you make mistakes on, or things that you do, that mean someone later on doesn't want to work with you because they think ‘there's too much high risk for us.’”
And you could in fact end up creating a rod for your own back, Tom notes.
“There's companies that we've worked with where they have tied themselves in knots over data because they've done certain things with their product that meant they have this huge treasure trove of data that would be so valuable to other people if they were able to sell it, but they can't sell it because no one will touch it, because they've done things to it in a way that there are too many hurdles to jump over.
“If you don’t think about GDPR from the get-go you will either create trouble for yourself because things are not going to be compliant and people won’t work with you, or you will end up with data that is unusable, in a format that's really difficult to use, or create additional problems and workloads later.
“And that's just going to compound because the more you have to do to unpick that, the more it's going to cost you, so that would probably be the biggest common mistake.”
Focusing on marketing and the issues that can arise there, one of the biggest mistakes, Tom says, is not knowing the law that actually governs marketing.
He says: “Everyone talks about GDPR, but when we talk about digital marketing, anything online, any electronic forms of marketing, you actually want to look at a different law called PECR (Privacy and Electronic Communications Regulations) in the UK.
“Yes, you still need to think about GDPR, but the thing that talks about having to get consent, that's from the PECR, not from the GDPR, and that's been in existence since 2002. You’ve had to get consent to do online marketing since 2002 which has nothing to do with the GDPR.”
There are a few ways in which people get this wrong, according to Tom. For example, they make the basic error of thinking ‘we can't market to anyone without consent,’ which Tom says isn’t actually true if you read into it.
“You can do prospecting, for example, on business contacts (in B2B they’re called Corporate Subscribers, which means they're not sole traders or partners in a law firm); some people don't prospect because they're too nervous because they think they need consent all the time.
“And the second thing, if you give a customer an opportunity to opt out from marketing communications at the point that they're buying a product or negotiating to buy a product from you, at that point, you're pretty much able to continue marketing to them.
“The idea that you can only have opt-in boxes and you can't have opt-out: you can have opt-out; it's okay to use in certain circumstances.
“So again, businesses don't market to a whole group of people because they didn't realise that they can.
“Often people talk about marketing protection as meaning getting into trouble, but by not investing your time in trying to understand some of these fairly straightforward concepts, once you dig into them, the huge mistakes that we see are people missing out on things; not understanding that they have certain abilities to do certain things.”
To put it into full perspective, Tom says people often believe the GDPR means you can’t share information, which is the opposite of its purpose.
“The whole purpose of it really is arguably to tell you how you can share information. That’s a way to sum this up - don’t believe the public perception of the rules and the law; actually check it, or speak to someone who knows what they're doing, because you often find that the popular perception of the GDPR is completely wrong.”
GDPR inflection points
As your business grows there will need to be much more focus on the GDPR, as Tom mentioned earlier in this conversation, but are there any inflection points for documents and the like?
Tom says there is a basic setup, which he often describes as the MVP of privacy, that you must have in place (and which is common sense to have in place, as it will benefit your business in other ways).
It's not all exclusively about privacy, he says.
If you're dealing with personal data, every single thing that you do has an impact on data protection, which means that data protection has an impact on every single part of your business. Doing data protection right can improve your business in ways that are not specific to data protection, and setting up the MVP is one way to achieve that.
“From a UK/EU perspective, that comes from looking at the fundamentals that the laws have in place. One, for example, is a ‘record of processing activities’ (often called a RoPA), which literally lists out all the processing you do, why you do it, what the legal basis is for doing it, and all of those sorts of things.
“That’s a really useful document because it takes things from your business and your ideas and it puts them down in a really tangible way.
“You have an ability to interrogate what your business is doing, but also an ability to understand what you can and can't do with a lot of your data, because you’ve got the lawful basis, i.e. we got consent for this, we've done all this on this lawful basis, which means we can’t market to them, we'll have to get something different; or this person has put in a deletion request so we have to delete data, and here’s data we can’t delete, we have to keep it because of X, Y, Z. It’s a useful base where you can see everything that's going on.
“Our general recommendation to get to a record of processing is to map out visually what's happening with data in your business. Where does it come from? Where does it go? What is it? Map out where it's going to; so, from a website, it goes on a form, it goes to this system. It’s going to make filling in your record of processing much easier.”
Tom also offers advice on how to deal with breaches and incidents; he says you would be surprised by how many actually happen, and how important it is to keep an eye out.
“You will want to know that you've got a failsafe instantly in case something goes wrong. People want to know that you will know what to do if there's a breach, so it's pretty much a no brainer to have this in place.
“If you don't ever have a breach, which is theoretically possible, you don't even have to use the process, so it's not a huge burden to put something like this in place.”
Beyond that, Tom believes it’s always worthwhile to have a breach process in place that lets you look at incidents over time, because if you look at breaches on an individual basis they can seem quite small (because they are), but they can all mount up into something bigger.
“We worked with one company that was having a small incident, but we started tracking it, and it was a small incident every week from one of their suppliers, and that translates to 52 issues a year, which you shouldn’t have to deal with.
“Thinking about it from a bigger picture perspective, that's the important thing to add.
“Unfortunately, in today's world, a breach can be a business ending thing. Take it seriously, because no one's going to want to work with you if you have a breach which impacts them.”
But finally, Tom says you need to understand who is responsible and accountable for these things.
“My top advice if you're a founder, or CEO, or C-suite and your company is growing and you are getting too busy i.e. if there are 300-400 people, by all means pass on the responsibility, but never pass on the accountability. When you pass on the accountability, it goes wrong every time.”