Skip to content

What Obligations does a Startup have under the GDPR?

In this article, you will be able to continue investigating how the GDPR applies to your start up, and what obligations the startup needs to fulfil to be GDPR compliant. Luckily for startups, companies with less than 250 employees (SMEs) do not have the same obligations as massive corporations. Below you will see how to protect personal data and when complying with seven key principles. 


To set the record straight, when a company deals with a user’s data, it could take the form of personal data or sensitive data. Personal data is any piece of information that can identify you as a person. This includes information such as a full name, email address, phone number, profile picture etc. (For the full list of personal data, click here). A great example is your phone, which collects and stores all your personal data, ranging from your name associated to your user account, to your home address stored on Google Maps. Meanwhile, sensitive data is another issue. Sensitive data includes information such as a user’s racial or ethnic origin, political or religious opinions, health information etc. A useful rule of thumb is to ask yourself whether such information would cause some conflict. (For further information about sensitive data, click here, recital 51).


There are seven principles that a company must keep in mind when dealing with someone’s data.


Firstly, any data that your startup will collect must be dealt with correctly. This means that the startup must process data lawfully, fairly, and transparently. Sounds ambiguous… but in reality, it’s not so complicated. It simply means that the client/user has given you permission to use their personal data through consent with full and clear knowledge of what is going to occur with their data. 

As a startup you can ask your users for consent, by giving them an option to check a box or press a button, agreeing to share information. Consent has to be given for a specific purpose which should be indicated alongside the check box or button. It is very important that the box is not already checked and that the user has the possibility to opt-in. Pre-filled boxes violates the GDPR’s concept of consent. 

Let’s illustrate the concept of consent with an example. When a user enters your website and your startup offers the option to subscribe to a weekly newsletter, data in the form of an email must be collected from the user. The user then inserts their email and must have the possibility to submit the request through ticking a box or pressing a button, acknowledging that they are submitting their information to your startup for the purpose of the newsletter. It is also necessary to then give the user the possibility to opt-out in a way that is easy for the user to do. The unsubscribe option at the bottom of the newsletter is a common tool used by companies. 

Below, you can see a great example:

If you are not an online service, but are creating a user profile in a shop, consent still has to be given. This can be done by e-signing a document or confirming through submission that permission has been granted to the startup, corresponding to the profile creation.


Secondly, purpose limitation is an integral aspect to comply with. This means that any data collected from a user of the website must be for a specific and indicated purpose. The obligation ensures that the company is transparent about what the data is being collected for and what is going to happen to that data. Anything outside that description is not permitted. This obliges the company to request for consent from the user every time a new use for the data is required. 


Thirdly, your startup must minimise the information that it collects. A great rule of thumb is only collecting what is ‘really’ necessary. Upon analysing the information requested on your website, consider what purpose it serves and whether it is fundamental. Also, when storing that data, the same applies – meeting the storage limitation obligation. As the information becomes unnecessary for the purpose it served, remove it! Keep only the minimum data necessary to keep track of your users.


Data accuracy is another obligation that the startup must comply with. This means that all the data held must be correct and up to date. The startup must give the user the opportunity to update their information. Providing an email to a person responsible for data management in the company or having the ability to edit their profile are two different options possible to correct data.


For the sixth principle, treat data confidentially and treat it with integrity. To ensure this, a company must have a security system from which it operates. Quick action if there are any security breaches, may avoid any further damage. 


Accountability is the seventh and final principle that your startup must comply with. There are two parts to accountability. Firstly, the startup must indicate clearly who the controllers and processors of the data are. This could be indicated in the privacy statement of the startup (example within the contact and general section, click here).

Then, the startup must be able to show that you have complied with the provisions found in the GDPR.  A way of indicating this would be to collect the consent given by the individuals who have subscribed to the weekly newsletter.


There are seven obligations that a startup needs to comply with to be GDPR compliant. The good news it that you have already dedicated time to figuring out what those obligations are! The next step for you is to read the following article “What can I do to meet the GDPR obligations?” to see what your startup can do today to become GDPR compliant. 

If you are an expert, you can join the community with the link below: