Why Startups can’t ignore GDPR either

by Nikita Smits, 23 Nov



Scaling a startup is hard work. You can use all the help you can get and you specifically can use all the leads you can get. You don't need pesky privacy laws to get in the way of your lead generation efforts. If you get to contact a bunch of people who may not have opted into your marketing messages, that's great. Right? Well no, there is a good reason we advocate inbound marketing to startups.

Don’t spam

First, you are more than likely to be investing time and resources marketing to people who might not want to hear from you. Open rates are low, there is little engagement and conversion rates are nowhere near getting you to your goals. When you build a list of contacts who are interested in hearing what you have to say and who are a good fit for your business, it’s a lot more likely that they will actually engage with your offers and be receptive to a conversation with a sales rep.

Second, you aren’t allowed to. It’s simply not legal, and in the past there weren’t a lot of real consequences. Yes, you were hurting your sender score and some email providers would block you from their services after too many offences, but that’s pretty much it. The previous European Data Protection Directive and the ePrivacy law have been in place for years, and with them requirements like opt-in for marketing messages, cookie consent and the duty to report data breaches.

What’s different: the fines under GDPR

What’s new are the measures available to national Data Protection Authorities to either fine you or to order you to adjust your practices. These national DPAs aren’t just here to cause trouble; they are actually a great resource of information, and one of their functions is to provide information and guidance if you need it. You can find a list of all national DPAs here. I guess I don’t have to repeat the maximum fines that you could get for not being compliant with the GDPR. It’s important to keep in mind that the amount will depend not only on your offence but also on the size of your business, the scale of processing and the potential danger to your data subjects in case of a problem.

Your customers might not be allowed to work with you under the GDPR

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

That is article 28.1 of the GDPR. Let’s break it down:

  1. “Where processing is to be carried out on behalf of a controller”

    Are you processing data on behalf of your customers? Don’t just think about systems where contact details are stored; what about when you help managers improve their 1:1s, like Duuoo does? Chances are that your (tech) startup is a processor for your customers.

  2. “The controller shall use only processors providing sufficient guarantees ... that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

    The GDPR dictates that controllers cannot use processors that aren’t GDPR compliant and cannot prove that they are. I’m not a contract law specialist, but my basic understanding of contracts is that they cannot be unlawful. First of all, this means that controllers aren’t likely to want to work with you, but they might even have a legal basis to break their contract with you. I sure would like to get an answer to this before May 25 2018.

Where a startup should start for GDPR compliance

GDPR is huge and it’s easy to get lost in all the documentation but there are a few things you should work on to make sure that you can, at least, document your road to compliance.

  1. Use a CRM and preferably a marketing system. HubSpot has an amazing scholarship for startups, which makes cost not really an objection anymore.

  2. No more exports of contact lists and data onto unencrypted devices. Even creating a policy to remotely wipe lost MacBooks and iPhones is a start.

  3. Limit the data you collect. Take a look at what data you’re collecting and make sure you only collect what you really need to improve your product or run your campaigns.

  4. Review your privacy policy and adjust your privacy notice on your website.

  5. Educate your entire team on GDPR and appoint one contact to handle all privacy-related questions. This person should also be named as a contact person in your privacy notice.

  6. Review your marketing strategy. What goes into your systems, who do you contact and do you adhere to your opt-in policy?

  7. Create lists of all your contacts, review what legitimate basis you have for processing data on these subjects and manage them accordingly.

  8. Run opt-in campaigns before May 25 next year to make sure you can keep contacts in your database.

  9. Review your vendors: do you use any processors that aren’t compliant?

  10. Add a clause to your contract with your customers that outlines your role and responsibility as a processor or controller where relevant.

This list isn’t comprehensive enough to cover complete GDPR compliance, but it does have you work on the basics. Remember that showing you’re working on ‘privacy by design’ and documenting your efforts to become compliant go a long way in working with your national Data Protection Authority and can even protect you against a fine in the case of a complaint against you.


Topics: GDPR

Written by Nikita Smits

Marketing strategist and GDPR specialist. Nikita was one of the founding members of BusinessBrew but is currently working as a digital marketing specialist at a Copenhagen startup.