Is Your Startup GDPR Compliant?


When the General Data Protection Regulation (GDPR) went into effect last year, Google and Facebook were fined a collective $8.8 billion for not being compliant.[1] Other companies, including newspapers, chose to opt out and were blocked in Europe. Your startup likely cannot afford the hefty fines or the lost business opportunity of not being in compliance. And you just may find that the regulations, meant to protect users, increase trust and loyalty among your customers.

The GDPR’s purpose is to protect the personal data and privacy of European Union (EU) citizens. That means if you have, or plan to have, users or customers in any of the 28 EU countries, then you must be in compliance with this EU-wide regulation. The GDPR replaces the 1995 Data Protection Directive. A directive can be molded by each individual country in the EU, whereas a regulation such as GDPR is applied identically across all EU members.  

Technically, the regulation only applies to companies with 250+ employees. However, there is a clause that states if the data-processing impacts the rights and freedoms of its data subjects (users and customers), it doesn’t matter how many employees the company has. In short, every company needs to be GDPR compliant just in case.   

Types of Data Protected 

The GDPR requires that companies be clear on their use of data and the justification(s) for using said data. The following types of personal data[2] are protected:

Key Components of the GDPR  

With many companies deploying massive resources to meet the GDPR requirements, and given that the regulation is nearly 100 pages long, you may think it is overly complicated. For established entities, the true challenge comes from the major changes to existing processes and practices. As an early-stage founder, you have an advantage because you can start out on the right foot – which, it turns out, is the only way to do it (see bullet six below). The key components of the GDPR[3] include:

New in 2019 

The biggest changes implemented for 2019 center around enforcement. The EU has expanded the territorial scope of the regulation and will become more uniform in how it is applied. As more precedents are set, standards will naturally fall into place. Companies that received only a warning in 2018 (or that could have expected one) can expect to face actual fines in 2019.

GDPR enforcement and penalties use a tiered approach based on company size and severity of the infraction. The maximum fine is, “4% of annual global turnover or €20 million (whichever is greater).” Note that “turnover” means revenue, not profit – so this can affect every dollar earned anywhere in the world, not just those earned in Europe and not just those that flow through to the bottom line. Penalties can be applied to both data controllers and processors. This is another reason why it makes good business sense to ensure you are GDPR compliant, even if you don’t have users or customers in Europe yet.  

Looking to the future, we can expect more regulation. The U.S. still seems to be behind Europe in valuing data privacy; however, California and Vermont both have state-level legislation pending that would help protect their citizens’ personal data. Compliance may at first feel complicated and demanding of a lot of resources. On the bright side, if your users and customers feel that their information is safe, they will be more likely to trust and try new products like the one you’re building.

Other Resources 

The EU General Data Protection Regulation (GDPR) Website 

Cyber Security and Data Privacy 101 for Early Stage Founders 
