A GDPR checklist for your online startup: Yes, it applies to you too

Starting a new business is an exciting time, but it also comes with a lot of paperwork, research, and dare we say it, stress. One of the many things you need to consider when starting up your online company is the European Union General Data Protection Regulation (GDPR). Several of its provisions will shape the way you collect, manage, and process the personal data of people in the EU, regardless of where your business is located.

The Regulation is far-reaching, and there are severe penalties for noncompliance. It is best to be compliant from the moment your company goes live, rather than leaving it at the bottom of your 'to-do' list.

What is the GDPR?
Faced with increased digitalization, an increase in internet users, and an overall shift towards doing almost everything online, the European Commission realized that its data protection regulations needed updating. The aim is to harmonize data privacy laws throughout the bloc and protect the privacy of its citizens, even if their data is processed outside of the EU.

So, the GDPR was created. Often described as the strictest privacy law in the world, it obliges organizations and companies anywhere to respect its provisions when they handle the personal data of people in the EU. Whether it is a website or company in Paris or Buenos Aires, if it offers goods or services to people in the EU, or monitors their behaviour there, the GDPR applies.

The regulation took effect on 25 May 2018. Noncompliance can be punished with administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Failure to comply can also cause significant reputational damage, because customers now expect their data to be handled carefully and are quick to walk away from companies that do not.

Whom does the GDPR apply to?

The GDPR applies to anyone who processes the personal data of people in the EU, whether the organization is established in the EU or simply offers them goods and services or monitors their behaviour from elsewhere. Personal data is any information that can directly or indirectly identify an individual, including names, email addresses, location data, gender, online identifiers such as cookie IDs and IP addresses, and pseudonymised data (it is still personal data as long as someone can re-identify the person). Some categories attract extra conditions: ethnic origin, religious beliefs, political opinions, health data, sexual orientation, and biometric data used to identify someone are "special categories" that may only be processed under narrow exceptions.

Processing refers to any action performed on the data, regardless of whether it’s manual or automated. This can include collecting, storing, structuring, organizing, using, and even erasing it.

What are the principles of GDPR?

The GDPR sets out seven principles that apply whenever you collect or process personal data of people in the EU: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

Startups and established companies of any size must honour these principles. The checklist below turns them into concrete steps.

1) Get a data protection officer

A data protection officer (DPO) is mandatory under the GDPR only in specific cases: if you are a public authority, if your core activities involve large-scale, regular and systematic monitoring of individuals (for example behavioural tracking across a popular site), or if you process special categories of data or criminal conviction data on a large scale. Some member states add their own thresholds, such as a minimum number of employees who routinely handle personal data, so check the national law where you operate. Even when not required, naming someone (an existing member of the team can do it, provided there is no conflict of interest with their other duties) to own data protection is a sensible move. The DPO's role is to make sure the organization adheres to the GDPR and any applicable national data protection laws, and to act as the point of contact for supervisory authorities and data subjects.

2) Document everything

The accountability principle means you must be able to show that you comply, not just say so. In practice this means keeping a record of your processing activities: what personal data you collect, for which purposes, on which lawful basis, who in the company has access to it, which third parties it is passed to (and whether it leaves the EU), how long you keep it, and which security measures (access control, malware protection, backups) protect it. Data collected for different purposes should be recorded and handled separately rather than lumped into one pile. Companies with fewer than 250 employees are exempt from part of this record-keeping, but not where the processing is regular, risky, or involves special categories, which covers most online businesses, so plan to document it anyway.

3) Get your tech in place

Doing all this work by hand would be exhausting, so lean on technology to protect the data your business holds. Choose software and services that support data protection by design and by default: collecting only the fields you need, restricting access by role, encrypting data at rest and in transit, and letting you delete or export a person's data on request. Any vendor that processes personal data on your behalf (hosting, email, analytics, payments) is a "processor" and you need a written data processing agreement with them. Oh, and keep up with security updates; an unpatched server is a breach waiting to happen.

4) Protect the rights of your customers

If your customers know their data is safe, they will trust you more and your relationship will improve. Under the GDPR you must be able to honour the data subject rights: the right to be informed, the right of access, the right to rectification, the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability, the right to object, and rights relating to automated decision-making and profiling. Requests must be answered without undue delay and at the latest within one month (extendable by two further months for complex cases, provided you tell the person why). Explain these rights on your website, say how customers can exercise them (an email address or a form is enough), and make sure someone actually checks that inbox.

5) Conduct an audit

You need to understand which software you use and how the different parts of your business collect personal data: website cookies, web forms, newsletters, email lists, social media, Google Analytics, and third-party vendors such as payment providers. For each of these, record how the data is collected, why you hold it, which lawful basis you rely on (consent, contract, legal obligation, legitimate interests, and so on), and for how long you will keep it before deleting or anonymising it.

If you inherit personal data that was collected before your startup launched, for example a customer list imported from another business, you must confirm it was collected lawfully and that the original purpose and lawful basis cover your intended use. Where that basis was consent, the consent must meet the GDPR standard (freely given, specific, informed, and unambiguous); a pre-ticked box or silence does not count.
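As an added illustration of this audit step (example code written for this article, not part of the original text), the following Python sketch keeps a small processing register with a purpose, lawful basis and retention period per data source, enforces storage limitation by purging records that are past retention or whose source has no documented lawful basis, and produces a subject-access export. The register entries, field names and sample records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import json

# The six lawful bases named in GDPR Article 6(1).
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}


@dataclass(frozen=True)
class ProcessingActivity:
    """One row of the processing register (field names are hypothetical)."""
    source: str
    purpose: str
    lawful_basis: Optional[str]   # None = nobody has decided yet
    retention_days: int


# Constructed register for a fictional startup, echoing the audit list above.
REGISTER = {
    "newsletter_form": ProcessingActivity(
        "newsletter_form", "send product newsletter", "consent", 365),
    "order_checkout": ProcessingActivity(
        "order_checkout", "fulfil orders and keep invoices", "contract", 365 * 7),
    "analytics_cookie": ProcessingActivity(
        "analytics_cookie", "site usage statistics", None, 90),
}


@dataclass
class PersonalRecord:
    subject_id: str
    source: str
    collected_on: date
    data: dict


def register_gaps(register):
    """Sources with no valid lawful basis: data from them must not be kept
    until a basis has been chosen and written down."""
    return sorted(s for s, a in register.items()
                  if a.lawful_basis not in LAWFUL_BASES)


def is_expired(record, register, today):
    activity = register[record.source]
    return today > record.collected_on + timedelta(days=activity.retention_days)


def retention_sweep(records, register, today):
    """Storage limitation: return (kept, purged). A record is purged when its
    source is unknown, has no lawful basis, or is past its retention period."""
    gaps = set(register_gaps(register))
    kept, purged = [], []
    for r in records:
        if (r.source not in register or r.source in gaps
                or is_expired(r, register, today)):
            purged.append(r)
        else:
            kept.append(r)
    return kept, purged


def subject_access_export(records, register, subject_id):
    """Right of access: everything held on one person, with purpose, lawful
    basis and deletion date, as a JSON-serialisable dict."""
    items = []
    for r in records:
        if r.subject_id != subject_id:
            continue
        a = register[r.source]
        items.append({
            "source": r.source,
            "purpose": a.purpose,
            "lawful_basis": a.lawful_basis,
            "collected_on": r.collected_on.isoformat(),
            "delete_by": (r.collected_on + timedelta(days=a.retention_days)).isoformat(),
            "data": r.data,
        })
    return {"subject_id": subject_id, "records": items}


def sample_records():
    """Constructed sample data; these are not real customers."""
    return [
        PersonalRecord("u1", "newsletter_form", date(2023, 1, 10),
                       {"email": "a@example.com"}),
        PersonalRecord("u1", "order_checkout", date(2023, 1, 10),
                       {"name": "A. Example", "address": "1 Rue Example, Paris"}),
        PersonalRecord("u2", "newsletter_form", date(2024, 3, 1),
                       {"email": "b@example.com"}),
        PersonalRecord("u2", "analytics_cookie", date(2024, 3, 1),
                       {"cookie_id": "abc123"}),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("register gaps:", register_gaps(REGISTER))
    kept, purged = retention_sweep(sample_records(), REGISTER, today)
    print("kept:", [(r.subject_id, r.source) for r in kept])
    print("purged:", [(r.subject_id, r.source) for r in purged])
    print(json.dumps(subject_access_export(kept, REGISTER, "u1"), indent=2))
```

Run as of 1 June 2024, the sweep drops u1's newsletter signup (its one-year retention has lapsed) and u2's analytics cookie (no lawful basis recorded for that source), while keeping the order record held under the contract basis. The point of running the sweep on a schedule, rather than deleting by hand, is that the retention periods you wrote into the audit are then actually enforced, and the export shows a customer exactly what you hold and why.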

6) Create and implement policies 

Based on the previous steps, write the policies you need: a privacy notice (what you collect, why, on which lawful basis, for how long, who receives it, and how people exercise their rights), a cookie policy with a consent mechanism that is off by default for non-essential cookies, and internal procedures for consent, data collection, contacting customers, opt-outs, and handling requests. Publish the customer-facing policies on your website where they are easy to find. Make sure your Terms and Conditions are consistent with them, and check that any third parties you work with are themselves compliant and bound by a data processing agreement.

7) Boost safety

It is no good having all of this in place if your website is insecure and the servers holding people's data are easy to break into. The GDPR requires "appropriate technical and organisational measures" for the risk involved; for an online startup that means, at a minimum, encryption in transit and at rest, strong authentication and least-privilege access for staff, tested backups, prompt patching, and a way to detect and log unauthorised access. If you suffer a breach that puts personal data at risk, you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and tell the affected people directly when the breach is likely to put them at high risk. Be honest with your customers about what happened and what you have changed to stop it happening again.

Last word

This might all seem like a lot of work, particularly if you are operating outside of the EU. However, the GDPR is there to protect people and a correct implementation creates happier and more secure customers that trust your brand. 

As an online startup, some of these provisions and requirements may be a little outside your area of knowledge. That's ok: Fast Offshore can help you assess your needs and also assist with company formation and management, settlement and high-risk merchant accounts, blockchain, cryptocurrency, licensing and ongoing maintenance.
