GDPR has finally arrived. The regulation brings into law what Information Commissioner Elizabeth Denham calls "the biggest change to data protection law for a generation", and companies across Europe have been working round the clock to prepare.
Techworld spoke to a selection of leading UK startups to find out what they've been doing to ensure their data protection practices comply with GDPR.
Data protection is essential to Bud's business. The company provides a plug-and-play platform that links financial services together: consumers use it to manage their finances online, and banks such as HSBC use it to develop new digital features. That means Bud has to secure a lot of sensitive financial information and follow the rules of a heavily regulated sector.
Henry Adams, Bud's compliance and operations officer, believes the Hackney-based company is well-prepared for GDPR.
"We are quietly confident, given the circumstances we all find ourselves in," he says. "We've worked really hard internally and with our lawyers to make sure we are in a compliant position. Other organisations that have paper-based records and legacy systems to deal with have had it much worse."
Bud has focused on meeting customer needs under GDPR and on auditing all of its data processing: identifying every item of data it stores and every way that data is used, so that the audit covers both current requirements and any near-term developments.
"We went through an internal audit process with each team and then we got external counsel to check we were still sane," explains Adams. "They undertook a gap analysis and let us know where we needed to do more work."
The lawyers' recommendations led Bud to overhaul its privacy notice, update its data protection and data security policies, and audit its other policies to ensure they are in line with the law.
"The key changes all relate to the rights for the individual and the lawfulness of processing under GDPR," says Adams. "For an early stage company like Bud, the benefit is we can adapt, communicate and oversee change to our internal processes relatively quickly."
Bud's compliance team has led the preparations. To ensure that the company remains compliant beyond the implementation date, a member of the team has been chosen to oversee all data processing activities, while the risk committee and board will provide oversight.
A lot of effort has been made to raise awareness among staff of what GDPR means to the company and their own individual roles.
"All employees have to undertake annual training on various subjects as a matter of course; data protection and the changes within GDPR are a part of this," says Adams. "We are a young company and all the teams in Bud were involved in the internal data audit and that has been a reasonably good learning process for all."
The gruelling preparations are over, but the compliance journey has only just begun. Adams is embracing the positive impact that GDPR will have on Bud's business.
"The GDPR is part of a wider regulatory and cultural shift as people take more ownership of their data," he says.
"This legal and cultural shift is part of what underpins our business and is a driving factor behind innovation that's happening in this sector across the world.
"People, empowered by ownership of their data, can demand more from the institutions that serve them. This creates more competition and better outcomes for customers and we like to think we are an organisation that can help deliver this shift. So we're all for it."
CharlieHR has been updating the policies that protect both its own internal data and that of its clients. The company produces human resources software for small businesses that manages their team directory, staff time off and onboarding.
As a provider of HR software, CharlieHR both processes and controls a lot of private and personal data. Its GDPR preparations are therefore split between the company itself and its customers.
"We have an obligation to be compliant with regards to ourselves as a company, but we also have an obligation to allow our customers to be compliant, because how you store employee data and your ability to let employees access that data, update that data and delete that data is a big part of GDPR," says Ben Gateley, co-founder and COO at CharlieHR.
"We're lucky in the sense that we've been on a bit of a journey over the last year and a half with regards to general data security and information security.
"We have done our Cyber Essentials, we've done our IASME Gold and we've finished off by doing our ISO 27001 and the beauty of those three standards and the controls that you put in place for that is that from my perspective that's meant that just at the starting gates we're probably 60-70 percent compliant with regards to GDPR. It's meant that from our point of view it's not been the most laborious task doing the rest of it."
Work to be done
Third-party software has been the primary concern for CharlieHR. The team has audited all the external vendors it works with, to understand where customer data is held, how it is used, and how it can be updated or deleted on request.
For example, when someone fills out a form, CharlieHR should tell them where their information is held, how it will be processed and what happens if they want to access, update or delete it.
The third element of the preparations is technical: implementing a full download and export of data for both a company and an individual user, and the process behind it.
Some tasks, such as identifying and removing elements of customer data (IP addresses, for instance) from backups and user logs, are almost insurmountable challenges for CharlieHR.
GDPR frames security obligations in terms of measures appropriate to the risk, taking into account the state of the art and the cost of implementation, so the obligations expected of tech giants such as Amazon or Google will not always apply as strictly to smaller companies with fewer resources.
"The legal advice that we're taking and that we're being given is that it would be inappropriate for us to have to sideline enough resource to deal with backups," says Gateley.
"There's a big theme in GDPR around wording things so that the consumer, the user can understand it, so we're spending a lot of time doing summaries of some of our policies so that anyone can understand them and that might mean just a bullet point at the top of the policy."
Consent processes are already in place, both for a company and for an individual, and the breach notification procedures that formed part of ISO 27001 are being updated.
They're also setting up internal processes to manage new data subject rights, such as the right to be forgotten (the right to erasure).
"With all this stuff, interpretation is always the hardest part and understanding what are the actions that we actually need to carry out," says Gateley. "The real solution is working with lawyers that can really put it into plain English for us."
Gateley is confident that the good data practices embedded in CharlieHR have left it well placed to meet its own readiness deadline of February 2018. The company has mapped all its data, conducts training quarterly, uses Slack channels for audit purposes and adds any new GDPR processes to the existing internal systems that staff already understand.
"I would say one of the really key things is just cultural change for most organisations," says Gateley. "We're lucky that we have been focusing on having a culture of the highest standards for information and data security from day one.
"We're a 19-person organisation so still pretty small, but when we were four people, so when we just started, we were doing things like Cyber Essentials and started that process there so it's been embedded in the organisational culture from day one. We take this stuff seriously anyway. It's not a huge shift for us."
Thorough preparations have left him positive about GDPR's potential to give the public transparency on how their data is used.
"I'm not sure that's always happened, so I think GDPR's going to be really good at upping the baseline across a bunch of companies."
London startup Sunlight has had to address similar issues in its GDPR preparations. The company produces an employee learning and development platform that gives staff control over their professional development and has to worry about both its internal data protection practices and those of its suppliers.
"We try to adhere to best practices as much as possible, but with GDPR we definitely did have to make additional adjustments, specifically when finding out how our providers were also preparing for GDPR," says Juan Lagrange, Sunlight's co-founder.
"One of the things that GDPR introduces is that you are responsible for the data and all the time that is being used and who you send it to. So part of the process has been not only doing an internal audit ourselves, but also having to audit each of our providers."
Sunlight uses AWS to run its infrastructure, SendGrid for its emails and a number of other companies for its analytics. All of these have to process Sunlight's data appropriately and be capable of supporting relevant data subject rights, such as deleting or porting personal data.
Lagrange believes the process will be easier once an official GDPR certification is available.
"Currently, you really have to take each of the company's words that what they're doing is GDPR compliant and make sure you are working with legit providers," he says.
"It's impossible for you to actually audit internal systems for all of these large companies, so until there is some form of GDPR certification - which I'm sure will come down the line - it is a very manual task and very time-consuming."
Sunlight has been assessing its GDPR preparations through an online test that evaluates how it stores and processes data.
"When we first did the test the data aspect was really secure," says Lagrange. "We have a really amazing tech team and that part was really taken care of, but there were a lot of things under the processes that weren't really in place.
"To give you an example, you have to tell your clients if there is a high-risk breach, and there has to be a specific procedure for that. Those more manual processes internally that are not necessarily related to data are something that we're currently working on."
Some new features have been added to the platform to manage the enhanced data subject rights, but Sunlight still has a list of actions it needs to complete.
The company has been taking legal advice and plans to soon appoint a Data Protection Officer (DPO) and conduct a full audit with an external advisor.
The startup advantage
Lagrange believes that GDPR could give startups an edge over their corporate competitors, many of whom are starting to show their age and size after stitching together a wide array of systems through acquisitions.
"Those guys I think are having a much harder time from a technical perspective than a new startup where everything has been built relatively brand new and there's not much technical stuff to fix, especially if they started off doing things right," he says.
"We see it as a potential competitive advantage. Of course, when you go through to bid against a big company, the size is always important in their trajectory, but the fact that you can be more nimble and that you can get prepared faster I think is a plus for us."
Ve Global provides advertising and marketing technology to clients across 18 countries, which makes international regulatory differences a key focus of its GDPR preparations.
"For us, and probably for any cross-border business, one of the biggest challenges has been trying to understand the impact of the new regulation in different territories across the EU and ensure we have the flexibility and framework to support different regulatory environments," says David Marrinan-Hayes, COO at Ve Global.
"Members of our dedicated GDPR team have been working in Berlin this week in meetings with Ve's German lawyers in order to understand the German landscape in the lead up to GDPR implementation."
The company has been working on its GDPR implementation plan since 2016, in parallel with its preparations for ISO 27001 certification, the international standard for information security management systems (ISMS). The ISO 27001 certification process provided an opportunity to review its data storage, security and access infrastructure and protocols.
"For us, some of the work is simply upgrading our existing policies, procedures and infrastructure," says Marrinan-Hayes. "Other aspects have required fresh thinking on our part and rolling out new ways of thinking about how we deploy principles, such as privacy by design, to our whole organisation."
Creating a collective buy-in for GDPR
Ve's general counsel leads on all aspects of compliance, while its CIO ensures technical and infrastructure compliance, but Marrinan-Hayes believes the regulation requires a company-wide commitment. To gain this, Ve has given every key department its own sense of ownership of the GDPR implementation plan.
To help all staff establish a base level of understanding, the company has also curated an essential reading list comprising articles from the EU GDPR website and other reliable sources. Further training will follow in the coming months.
The next step in Ve's preparations is to finalise and deploy its new privacy policies and communicate them to its clients.
"Ongoing education and awareness both internally and with our clients is key," says Marrinan-Hayes. "Aside from that, we will continue the ongoing process of implementation, review and validation as guidelines develop."