The GDPR implementation date of 25 May 2018 is mere months away, and startups across the UK are rushing to get ready for what Information Commissioner Elizabeth Denham called "the biggest change to data protection law for a generation".
Techworld spoke to a selection of leading UK startups to find out what they've been doing to ensure their data protection practices comply with the new requirements.
CharlieHR has been updating the policies that protect both its internal data and that of its clients. The company produces human resources software that helps small businesses manage their team directory, staff time off and onboarding process.
As HR software, CharlieHR processes and controls a lot of private and personal data. Its GDPR preparations are therefore split between the company itself and its customers.
"We have an obligation to be compliant with regards to ourselves as a company, but we also have an obligation to allow our customers to be compliant, because how you store employee data and your ability to let employees access that data, update that data and delete that data is a big part of GDPR," says Ben Gateley, co-founder and COO at CharlieHR.
"We're lucky in the sense that we've been on a bit of a journey over the last year and a half with regards to general data security and information security.
"We have done our Cyber Essentials, we've done our IASME Gold and we've finished off by doing our ISO 27001 and the beauty of those three standards and the controls that you put in place for that is that from my perspective that's meant that just at the starting gates we're probably 60-70 percent compliant with regards to GDPR. It's meant that from our point of view it's not been the most laborious task doing the rest of it."
Work to be done
Third-party software has been the primary concern for CharlieHR. The team has audited all the external vendors with whom they work, to understand the location and use of all their customer data and how they can update or delete it if requested.
For example, when someone is filling out a form, it's prudent for CharlieHR to tell them where their information is being held, how it will be processed and what happens if they want to access, update or delete that information.
The third element of their preparations involves tech, which covers the implementation of the full download, the full export of data for both a company and a user, and the process behind that.
Some tasks, such as identifying and removing elements of customer data from backups, IP addresses and user logs, are almost insurmountable challenges for CharlieHR.
Under GDPR, the obligations expected of tech giants such as Amazon or Google will not always apply as strictly to smaller companies with fewer resources.
"The legal advice that we're taking and that we're being given is that it would be inappropriate for us to have to sideline enough resource to deal with backups," says Gateley.
"There's a big theme in GDPR around wording things so that the consumer, the user can understand it, so we're spending a lot of time doing summaries of some of our policies so that anyone can understand them and that might mean just a bullet point at the top of the policy."
Consent processes are already in place, both for a company and for an individual, and the breach notification procedures that formed part of ISO 27001 are being updated.
They're also setting up internal processes to manage new data subject rights, such as the right to be forgotten.
"With all this stuff, interpretation is always the hardest part and understanding what are the actions that we actually need to carry out," says Gateley. "The real solution is working with lawyers that can really put it into plain English for us."
Gateley is confident that the good data practices embedded in CharlieHR have left it well placed to meet its readiness deadline in February 2018. The company has mapped all its data, conducts training on a quarterly basis, uses Slack channels for audit purposes and adds any new GDPR processes to existing internal systems that users already understand.
"I would say one of the really key things is just cultural change for most organisations," says Gateley. "We're lucky that we have been focusing on having a culture of the highest standards for information and data security from day one.
"We're a 19-person organisation so still pretty small, but when we were four people, so when we just started, we were doing things like Cyber Essentials and started that process there so it's been embedded in the organisational culture from day one. We take this stuff seriously anyway. It's not a huge shift for us."
The good preparations have left him positive about the potential for GDPR to provide the public with transparency on how their data is used.
"I'm not sure that's always happened, so I think GDPR's going to be really good at upping the baseline across a bunch of companies."
London startup Sunlight has had to address similar issues in its GDPR preparations. The company produces an employee learning and development platform that gives staff control over their professional development and has to worry about both its internal data protection practices and those of its suppliers.
"We try to adhere to best practices as much as possible, but with GDPR we definitely did have to make additional adjustments, specifically when finding out how our providers were also preparing for GDPR," says Juan Lagrange, Sunlight's co-founder.
"One of the things that GDPR introduces is that you are responsible for the data and all the time that is being used and who you send it to. So part of the process has been not only doing an internal audit ourselves, but also having to audit each of our providers."
Sunlight uses AWS to run its infrastructure, SendGrid for its emails and a number of other companies for its analytics. All of these have to process Sunlight's data in an appropriate manner and be capable of fulfilling any relevant data subject rights such as deleting or moving personal data.
Lagrange believes the process will be easier once an official GDPR certification is available.
"Currently, you really have to take each of the company's words that what they're doing is GDPR compliant and make sure you are working with legit providers," he says.
"It's impossible for you to actually audit internal systems for all of these large companies, so until there is some form of GDPR certification - which I'm sure will come down the line - it is a very manual task and very time-consuming."
Sunlight has been assessing its GDPR preparations through an online test that evaluates how it stores and processes data.
"When we first did the test the data aspect was really secure," says Lagrange. "We have a really amazing tech team and that part was really taken care of, but there were a lot of things under the processes that weren't really in place.
"To give you an example, you have to tell your clients if there is a high-risk breach, and there has to be a specific procedure for that. Those more manual processes internally that are not necessarily related to data are something that we're currently working on."
Some new features have been added to the platform to manage the enhanced data subject rights, but Sunlight still has a list of actionables it needs to complete.
The company has been taking legal advice and plans to soon appoint a Data Protection Officer (DPO) and conduct a full audit with an external advisor.
The startup advantage
Lagrange believes that GDPR could give startups an edge over their corporate competitors, many of whom are starting to show their age and size after stitching together a wide array of systems through acquisitions.
"Those guys I think are having a much harder time from a technical perspective than a new startup where everything has been built relatively brand new and there's not much technical stuff to fix, especially if they started off doing things right," he says.
"We see it as a potential competitive advantage. Of course, when you go through to bid against a big company, the size is always important in their trajectory, but the fact that you can be more nimble and that you can get prepared faster I think is a plus for us."
Ve Global provides advertising and marketing technology to clients across 18 countries, which makes international regulatory differences a key focus of its GDPR preparations.
"For us, and probably for any cross-border business, one of the biggest challenges has been trying to understand the impact of the new regulation in different territories across the EU and ensure we have the flexibility and framework to support different regulatory environments," says David Marrinan-Hayes, COO at Ve Global.
"Members of our dedicated GDPR team have been working in Berlin this week in meetings with Ve's German lawyers in order to understand the German landscape in the lead up to GDPR implementation."
The company has been working on its GDPR implementation plan since 2016, in parallel with its preparations for ISO27001 accreditation, an international standard for information security management systems (ISMS). The ISO27001 application process provided an opportunity to review its data storage, security and access infrastructure and protocols.
"For us, some of the work is simply upgrading our existing policies, procedures and infrastructure," says Marrinan-Hayes. "Other aspects have required fresh thinking on our part and rolling out new ways of thinking about how we deploy principles, such as privacy by design, to our whole organisation."
Creating a collective buy-in for GDPR
Ve's general counsel is leading on all aspects of compliance, while its CIO is ensuring technical and infrastructure compliance, but Marrinan-Hayes believes the regulation requires a company-wide commitment. To gain this, Ve has given every key department its own sense of ownership over the GDPR implementation plan.
To help all staff establish a base level of understanding, the company has also curated an essential reading list, comprised of articles from the EU GDPR website and other reliable sources. Further training will follow in the coming months.
The next steps in Ve's preparations are to finalise and deploy its new privacy policies and communicate them to its clients.
"Ongoing education and awareness both internally and with our clients is key," says Marrinan-Hayes. "Aside from that, we will continue the ongoing process of implementation, review and validation as guidelines develop."