Skip to content

What can a startup do to meet the GDPR obligations?

After exploring what obligations your startup has under the GDPR, this next article aims to let you know what changes can be made to your startup. Below you will find some simple steps you can take to ensure you meet the GDPR obligations today. 


Think before collecting! When someone enters your website, what are you asking them to share? Perhaps their email address or their name to create their profile. Once you know whether your start-up is dealing with personal or/and sensitive data, you can ensure that the obligations indicated the previous section are met. 

#1 – List down all the information being collected and identify what you need that particular information for. Having the information gathered will allow the startup to ‘develop an inventory’. This inventory can help determine the types of information held and the risks associated with that information. 

Next, you could deliberate whether that information is actually necessary for the particular purpose in question. Remove all information that you think is unnecessary for the completion of the task at hand, keeping only the minimum information. As data minimisation is one of the obligations under the GDPR, removing unnecessary information is a crucial step to take.

 #2 – Write out and publish your privacy policy. Let the world know what data the start-up is collecting, how it is legally obtaining that information and what you are doing to protect that data. Article 13 of the GDPR specifies the details to include in a privacy policy. Have a look at this website’s privacy policy for inspiration. 

The key features that should be included in a privacy policy are the following:

  1. Including the identity of the controller.
  2. The contact details of the data protection officer (if the company has more than 250 employees.
  3. The purposes and legal basis of the processing personal date.
  4. The length of storage of data.
  5. The method to employ the right to request from the controller access to and rectification or erasure of personal data.
  6. The fact that the user of your services has the right to lodge a complaint with a supervisory authority.
  7. How decisions are made about processing data.

#3 – Create a cookie policy warning. A cookie policy warning means that you are informing the user of the website that you are legally collecting user data. With the warning, users of the website are able to give their consent for the installation of cookies or block access. Usually, a warning appears as a pop-up when entering a website. 

#4 – Make sure you provide users the possibility to manage their personal data. Some examples include:

  1. Opt-in options to sign-up or receive newsletters.
  2. Allowing a user to access, delete or to modify all their information.
  3. Prevent automated profiling.
  4. Have the possibility to object to the processing of information. 

Within the privacy policy, the email and contact details of the controller of the personal data must be included. This gives the user the possibility to contact the controller to enforce their right of access to their personal information held by the startup. 

#5 – Appoint an individual within the organisation to manage data protection requests. Ultimately, this individual will be the person that the users can contact in case they want to exercise their rights under the GDPR. 

#6 – Keep records on consent in order to prove GDPR compliance. Listing down the information collected, indicated in the first section of this article, will allow you to comply with the seventh principle, accountability. Having the information organised will allow you to more readily identify the data and compliance with the GDPR.  

Currently, only about one in every three European companies are compliant with the GDPR. Despite this, that does not mean you have to be one of them! Non-compliance may result in hefty fines up to €20 million or 4% of global revenue, which companies should definitely avoid.

So, let’s update those policies to avoid any unnecessary fines.

If you are an expert, you can join the community with the link below: