The GDPR And Its Effect On Startups And SMEs

Written by MicroStartups

With the EU’s General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, companies worldwide have begun to prepare for its arrival. Here, we will look at some of the effects the GDPR will have on businesses, especially on start-ups and SMEs, who make up the bulk of the economy at large. Click here for an interactive experience of the GDPR.

The good, the bad, & the basics

There is already a lot of information online about the GDPR. One good source by AppInstitute is their GDPR guide, in which the GDPR and its implications are clearly and thoroughly explained.

To put it simply, though, the current data protection legislation was enacted in the late 1990s, before technology and the internet became what they are today. The GDPR is an update in reaction to that advance. New GDPR Legislation has been put in place primarily to standardize data protection throughout the EU when previously it was up to the acts of the respective governments – the 1998 Data Protection Act in the case of the UK.

The GDPR aims, on the one hand, to give EU residents – as consumers and employees – more control over how and how much of their personal data is used (to include the rights to object, erase, and restrict processing), no matter where the company or organisation doing the collecting and processing is located.

It has also redefined the principles of consent so that it needs to be specific, active, and affirmative on the part of the subject. Companies can no longer assume blanket consent, consent by default, or consent as a condition of sale, and individuals will now be able to easily withdraw their consent.

Extra reading: A survey of 100 IT professionals by

At the same time, under the GDPR, the EU hopes to give businesses more clarity with a single, identical, European-wide regulation, thereby making it easier and cheaper for them to operate.

On the negative side for businesses, the GDPR threatens non-compliant organisations with heavy fines which can rise to a staggering €20 million, or alternatively they can take an annual percentage of the global turnover of the offending company which is 4% – whichever is more.

It is very specific about organisations needing to identify themselves as data controllers, data processors, or both. Data controllers decide how and/or why personal data is collected, whereas data processors simply process that data.

It will be the data controllers’ responsibility, however, to make sure their respective data processors abide by the requirements of the GDPR. As such, certain organisations will have to appoint Data Protection Officers, and train their staff in the new practices. This new data protection legislation even extends to the information that companies keep on their employees.

The effect of these preparations to become compliant is that they are taxing, especially on companies and organisations based outside of Europe, not to mention British companies navigating the lead-up to Brexit.

That said, the EU sees these regulations as an opportunity for businesses to build greater trust with their customers and employees through transparency, to clear out old databases, and to update some of their old processes and models.

The effects on marketing for startups and SMEs

To a certain extent, startups might not feel the effect of these changes, as they can integrate the necessary platforms, training, and processes before they enter the market, in a case of never having “known different”.

The cost in time, manpower, and money is more likely to have a greater effect on smaller, already-established companies, where these resources tend to be more limited, and even more so on small marketing firms, whose businesses depend so heavily on third-party analytics and shared consumer information.

It is specifically the new consent regulations that are likely to have an impact on smaller marketing firms, especially those that specialize in any form of cold calling.

As mentioned earlier, consent now needs to be active and affirmative on the part of the “targeted” individual. This means that marketing companies will now need to inform this individual on who is or will be marketing to them, how their personal information will be used, and the process for opting out at any time.

If any third-party will have access to that personal information, that third-party will also need to be named. Under the new limitations on blanket consent, if the campaign or purpose changes, the marketing company will have to inform the individual of that change in order to get their consent under the new agenda.

There are certain provisions outlined in GDPR under which an organization can “lawfully” process personal data without consent. These provisions are very specific, though, and generally apply to “compliance with a legal obligation”, protecting an interest that is “essential for the life of” the subject, processing the data if the data is in the interest of the public, or “in the exercise of official authority vested in the controller.” The organization would need to meet at least one of these justifications in order to be “lawful”.

And companies will still be able to share certain types of information. In the case of analytics, a lot of that information is already generic and anonymized. GDPR also encourages those who process and control date to implement newer, more technical kinds of measures to what they call “Pseudonymise” received data. This aims to reduce the overall risk of unauthorized re-identification.

Where consent comes back as an issue is when organizations and businesses share and hold personal data as a means to improve user experience or to personalise advertising. To do so, they will need to offer users clearly explained opt-in tools for each individual purpose, as well as the ability to opt-out easily.

Marketing businesses that target younger demographics will need to pay even more attention to the new rules on parental or guardian consent to process any data. This makes the process tricky for everyone, but where larger businesses may be better equipped to handle that burden, smaller businesses will once again be more affected.

How to prepare

It might sound cliche, and even flippant, to suggest that the best way to prepare is to embrace the change – the preparations are challenging, there will be growing pains, and in the long run, certain processes will be cumbersome, especially with regards to consent.

Smaller marketing firms and startups are likely to feel the burden of these new responsibilities the most.

And yet, come 25th May 2018, the GDPR will come into effect and there will be no way around it. Companies would do well to familiarize themselves with the requirements and to then phase them in. They will have to train their staff, appoint Data Protection Officers, review their current policies, and may need to build new platforms. Starting early helps.

More than anything, however, companies will need to organize themselves around a culture of “privacy by design”. The intent behind these changes is largely positive, and the changes come with new opportunities. Startups and SMEs, in particular, have the benefit of not being saddled by old, complacent processes.

GDPR is making room for transparency, trust, and innovation. It isn’t just tidying up the field, it’s reshaping it.

About the author: Izaak Crook is a Digital Marketing Executive for AppInstitute, a SaaS App Builder platform that allows anyone to create their own iOS and Android app without writing a single line of code.

About the author


A team of writers and marketers, MicroStartups was founded to inspire the entrepreneurial and business community to give back. We believe in business growth through giving and supporting the local community.

Leave a Comment