How Startit got itself into compliance with GDPR
At Startit @KBC, we work hard to teach our incubated startups not just how to be successful in their businesses, but also how to be responsible corporate citizens of their countries and the world. One of the most important ways we can encourage this is to be a model of that kind of behaviour ourselves. The arrival of GDPR, and the changes it means for everyone in the tech world, is significant, which is why we made our transition to GDPR compliance seriously. Take a look at how we did it below.
You may want to use this as a checklist for anything you still need to action.
1. To begin with, we set up a meeting with a qualified attorney and retained their services to help us draft the clauses we would need to insert into our contracts and Terms & Conditions. It was also important to make sure we had the right language to introduce these to people: it is never a good idea to present legal language to your clients in a way that makes them feel manipulated into signing something.
2. Then, we compiled a complete list of every platform service that members of our team use, and put it into a single, easily searchable document.
3. Using this document, we examined each of these platform services, confirmed that it was also GDPR compliant, and checked what kinds of data we put into it.
4. Where necessary, we asked members of our team to revise the data they had entered into those platforms, and put processes in place to shut down their accounts if they left the team.
5. We reviewed the data access levels available to staff and, where necessary, made changes to those access levels.
6. After reviewing the work we did with the lawyer in Step 1, we made the necessary changes to our Terms and Conditions and rolled these out.
7. Right after this, we updated all our contracts, whether they were with partners, startups, or applicants, or even something as simple as newsletter permissions. We confirmed that no data from any outside party is ever entered into our CRM without that party's consent through the proper documents, so that we have permission to hold it.
8. Once all this was in place, we were ready to send an email to our existing contact groups asking them to sign up to the new GDPR terms.
9. We then entered all the information about the platforms and the data saved on each of them, along with further details, into the GDPR register. This register was then circulated to our team to be checked for any inaccurate or missing information. It is always important to take a second look!
10. We also set ourselves calendar reminders to update the GDPR register in the future.
11. As the last major step, we implemented training for our staff on what GDPR really means for us and for them, and for the data we store and use for communication. It was very helpful to have done all the earlier steps, because we can refer back to steps 3, 5 and 9 in this process whenever we start using a new platform service in the future.
12. Finally, we created a reminder for 5 years out to start deleting the data we no longer need. We thought it was important to have a long head start on the 9-year deadline, and to set the right example.
Laws and regulations change all the time, and businesses need to know how to keep up. It’s not enough just to be doing the minimum, and Startit @KBC always wants to make sure our startups are prepared for building their successes in ways that are also appropriate for the communities they’re a part of!
Interested in learning more about GDPR? Check out our podcast about GDPR and privacy, or the handy tips from our partner Lawquare.