GDPR Representative and start-ups

What does GDPR mean for a start-up?

Opportunity abounds! The EU law on privacy, GDPR, presents the opportunity for start-ups to get on the front foot and design their product or service to comply with the gold standard of EU privacy laws, leaping ahead of legacy non-compliant competitor products. Not only will this secure more customers, but it will keep the business’s costs down too.

As importantly, those who don’t include GDPR in their design considerations may lose a huge business advantage or possibly fail altogether. This is because GDPR is fast becoming not only the European standard for privacy, but the global standard for privacy. All EU companies have to comply with GDPR, and will only want products and services that enable them to comply with GDPR. And as the GDPR quickly impacts everyone in the supply chain, any organisation that has an EU customer in its supply chain, will also need products and services that comply with GDPR.

Creating products and services that comply with GDPR requires a good understanding of the GDPR law as well as a good deal of creative thinking and UX design experience. The key design features for GDPR compliance relate to enabling individuals to exercise their privacy rights under GDPR. Design features need to include:

  • not collecting personal data that is not "necessary" for the product or service to serve its purpose;
  • including features that allow privacy collection notices to be displayed and options chosen at the point where personal data is collected, and recording this information and the users’ choices;
  • being able to distinguish "personal data" from other data, and to identify all the personal data associated with each individual;
  • being able to allow a user to access, correct and supplement their personal data;
  • being able to suspend or stop processing a user’s personal data;
  • being able to let the user download their personal data into a convenient CSV or similar file;
  • being able to trace an individual’s personal data through the different systems that the product or service uses, including third parties, and to pass any corrections made to the user’s data on to those other systems and third parties;
  • being able to encrypt personal data wherever possible, and pseudonymise it wherever possible, especially in back-ups and archives; and being able to delete personal data in accordance with a pre-defined retention policy.
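As an added example (not code from this page or from any product it describes), the small store below shows how the design features in the list above map onto code: a declared list of which fields are personal data (data minimisation), recorded opt-in consents, a processing check that honours suspension, per-subject access and CSV export, corrections traced to downstream systems, a pseudonymised copy for back-ups, and retention-based deletion. The field names, the demo key and the one-year retention period are assumptions for the demo.

```python
import csv
import hashlib
import hmac
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption for the demo: which fields count as personal data is declared once, up front.
PERSONAL_FIELDS = {"email", "full_name", "phone"}
# Everything else the service is allowed to hold; anything not listed is "not necessary".
ALLOWED_FIELDS = PERSONAL_FIELDS | {"plan"}

# Constructed demo key. In production this belongs in a secrets manager, not in source.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymise(value: str) -> str:
    """Keyed hash: the same identity always maps to the same token, but the token alone
    does not reveal the value, so back-ups and archives can hold tokens instead of data."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class Consent:
    purpose: str
    granted: bool        # recorded only from an explicit user choice; never defaulted to True
    notice_version: str  # which privacy notice text the user actually saw
    recorded_on: str     # ISO date


@dataclass
class Subject:
    subject_id: str
    fields: dict
    last_activity: str   # ISO date, drives the retention policy
    consents: list = field(default_factory=list)
    suspended: bool = False


class PersonalDataStore:
    """Minimal in-memory store exposing the user rights listed on the page."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.subjects: dict[str, Subject] = {}
        # Stand-in for the calls that would notify third-party systems holding copies.
        self.downstream_updates: list[tuple] = []

    def create(self, subject_id: str, fields: dict, today: str) -> None:
        # Data minimisation: refuse any field the service has not declared it needs.
        unknown = set(fields) - ALLOWED_FIELDS
        if unknown:
            raise ValueError(f"not necessary for this service: {sorted(unknown)}")
        self.subjects[subject_id] = Subject(subject_id, dict(fields), today)

    def record_consent(self, subject_id, purpose, granted, notice_version, today) -> None:
        self.subjects[subject_id].consents.append(Consent(purpose, granted, notice_version, today))

    def may_process(self, subject_id: str, purpose: str) -> bool:
        s = self.subjects[subject_id]
        if s.suspended:
            return False
        # Latest decision for this purpose wins; no recorded decision means no consent.
        decisions = [c.granted for c in s.consents if c.purpose == purpose]
        return bool(decisions) and decisions[-1]

    def personal_data_of(self, subject_id: str) -> dict:
        """Access right: only the fields classified as personal data."""
        return {k: v for k, v in self.subjects[subject_id].fields.items() if k in PERSONAL_FIELDS}

    def rectify(self, subject_id: str, field_name: str, new_value: str) -> None:
        self.subjects[subject_id].fields[field_name] = new_value
        # Corrections are traced onward to every downstream system that holds a copy.
        self.downstream_updates.append((subject_id, field_name, new_value))

    def suspend(self, subject_id: str) -> None:
        self.subjects[subject_id].suspended = True

    def export_csv(self, subject_id: str) -> str:
        """Portability right: the subject's personal data as a CSV string."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["field", "value"])
        for k, v in sorted(self.personal_data_of(subject_id).items()):
            writer.writerow([k, v])
        return buf.getvalue()

    def archive_record(self, subject_id: str) -> dict:
        """Copy for back-ups: personal fields replaced by pseudonyms, other fields kept."""
        s = self.subjects[subject_id]
        return {k: (pseudonymise(v) if k in PERSONAL_FIELDS else v) for k, v in s.fields.items()}

    def purge_expired(self, today: str) -> list:
        """Retention policy: delete subjects inactive for longer than the retention period."""
        now = date.fromisoformat(today)
        expired = [sid for sid, s in self.subjects.items()
                   if now - date.fromisoformat(s.last_activity) > self.retention]
        for sid in expired:
            del self.subjects[sid]
            self.downstream_updates.append((sid, "erase", None))
        return expired


if __name__ == "__main__":
    store = PersonalDataStore(retention_days=365)
    store.create("u1", {"email": "ana@example.com", "full_name": "Ana", "plan": "free"}, "2023-01-10")
    store.record_consent("u1", "marketing", True, "notice-v3", "2023-01-10")
    print(store.export_csv("u1"))
    print(store.archive_record("u1"))
```

The consent check deliberately treats "no record" as "no consent", which is what opt-in means in practice; a product that stores a default of true somewhere would fail that test. The pseudonym is keyed so that an attacker who obtains only a back-up cannot rebuild the mapping by hashing guessed e-mail addresses.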

One of the key issues is to ensure that the cost of complying with these users’ rights is kept to a minimum, usually by enabling the user to 'self-serve' wherever possible. Another key issue is to use good design to minimise the impact of meeting the GDPR requirements in a user-friendly way. For example, the privacy collection notices that should be included at each point where a user enters personal data run to a page or more of mandatory text, so careful consideration needs to be given to the user’s experience. In addition, GDPR requires all consents to be opt-in, with clear, unambiguous, freely given, informed, affirmative consent, so there are no more 'default yes' answers or 'default yes' check boxes. And you can't have a single "I Agree" check box for both a privacy consent and your terms and conditions. It is much easier and cheaper to design these features into your product roadmap, and include privacy by design and by default, than it is to retrofit them into legacy products and services. All this gives start-ups a huge advantage.

Let's make you compliant

It is relatively easy to comply with both EU GDPR and UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative you will be compliant in both jurisdictions.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the EU & UK today.