Prasid Pathak

A Growth-Stage Startup’s Guide to GDPR Compliance

Earlier this month, Meta was fined 405M euros for allowing teens to set up Instagram business accounts that displayed their phone numbers and email addresses—a breach of the EU’s notoriously strict General Data Protection Regulation (GDPR). This is just one of several GDPR violations in the few years since the legislation was enacted. 

No wonder so many marketers, SaaS vendors, and agencies are spreading fear, uncertainty, and doubt about GDPR compliance. As a marketer in the martech space, I might have even contributed to it. But recently, as a fractional CMO, I was on the other side of the issue: I had to figure out exactly what my startup needs to do to become GDPR compliant as quickly and cheaply as possible. After going through our current data privacy measures and assessing the gaps, here’s what I found.

Note: if you’re familiar with GDPR, you can skip the next section and go straight to the checklist.  

What is the GDPR?

The GDPR is “the toughest privacy and security law in the world.” It took effect in 2018, and though it was drafted and passed in the European Union, it applies to all organizations, anywhere in the world, that target or collect data related to people in the EU.

The GDPR gives individuals the right to ask organizations to delete their personal data if certain criteria are met. However, an organization can also deny a request if it meets certain criteria, or if the organization can justify that the request was unfounded.

The GDPR fines make non-compliance a costly mistake for businesses. GDPR violations are assessed using the following criteria:

  • Gravity and nature

  • Intention

  • Mitigation

  • Precautionary measures

  • History

  • Cooperation

  • Data category

  • Notification

  • Certification

  • Aggravating/mitigating factors

Less severe infringements can result in a fine of up to 10M euros or 2% of the organization’s worldwide annual revenue from the previous financial year (whichever amount is higher), while more serious violations can incur a penalty of up to 20M euros or 4% of the organization’s worldwide annual revenue from the previous financial year (whichever amount is higher).

As of writing, 405M euros is the highest penalty imposed on Meta for violating the GDPR, and it’s the second largest fine in the law’s history after the 746M euro penalty imposed on Amazon in July 2021.

via statista.com

These penalties may seem enormous, but it’s all pocket change for big tech. It’s the smaller organizations and startups that should be worried: While they could fly under the radar and would certainly face smaller fines if caught, a major data breach will erode their credibility and could ruin their reputation. 

While reviewing my startup’s privacy regulations, a less experienced person on my team came to me with examples of how LinkedIn was implementing GDPR. While they meant well, this wasn’t the approach I was looking for: LinkedIn is a huge social media decacorn with a target painted on its back, and they need to implement GDPR to a much more sophisticated degree than your typical growth-stage startup.

After much research, I felt like there was no good super-tactical checklist for growth-stage startups like the companies I work for, so I created one. 

Important Note: Before you proceed, please remember that this is all based on our research and it isn’t legal advice. I just covered the fastest things you can do to get your startup up to code, and implementation varies from company to company. Make sure to consult a privacy lawyer before implementing any changes in your company’s data and privacy policies.


A GDPR Checklist for Growth Stage Startups

When I was putting our GDPR strategy together, the first thing I did was Google the topic. But most of what I found was the “lowest common denominator.” While huge corporations, especially major platforms like Facebook, have a target painted on their backs and need scalable solutions, I wanted scoped-down solutions that were right-sized for a 50 to 200-person startup.

  • Appoint a Data Protection Officer - Someone in your company must be knowledgeable about, and accountable for, GDPR compliance. According to Google (or Looker), companies that process or handle personal data and have more than 10-15 employees must appoint a DPO. The DPO’s responsibilities are:

    • To receive comments and questions from data subjects related to the processing of their personal data and the GDPR.

    • To inform an organization and its employees of their obligations under the GDPR and any other applicable EU member state data protection provisions.

    • To monitor an organization’s compliance with the GDPR and any other applicable EU member state data protection provisions, train staff on compliance, and perform audits.

    • To perform data protection impact assessments (Article 35).

    • To cooperate with the data protection supervisory authority.

    • To act as the focal point for the data protection supervisory authority on matters relating to the processing of personal data and other matters, where appropriate.

  • Update your privacy policy - A privacy policy informs your clients about the types of data you’re collecting, how you’re collecting and storing this data, what you’ll be using it for, who can access it, and how long it’ll be in your possession. Make sure to update your customers about any changes you’ll be making in your privacy policy—and if your company doesn’t have a privacy policy yet, you should draft one NOW. While there’s no such thing as a one-size-fits-all privacy policy, here are some things you should check:

    • Your privacy policy should live on your website and should be accessible from any webpage. Most websites have a link to their privacy policy in the footer. Your privacy policy should also be accessible in all places where customer data will be collected, including:

      • "Create Account" forms

      • Email newsletter sign-up forms

      • "Contact Us" forms

      • Payment information collection screens

      • Checkout screens

      • Cookie consent notices

    • Your privacy policy should detail what the company will do in the event of a data breach. According to Article 33 of the GDPR, the company will notify and cooperate with the proper authorities within 72 hours of the company becoming aware of the data breach. The company may also contact the affected EU residents.

    • Your privacy policy should have the pertinent contact details in case the customer has questions about the security of their personal information.

    • Your privacy policy should clarify your system for transferring data to non-EU countries.

    • In your privacy policy, your customers should be able to give and modify their consent for the collection, retention, and erasure of their data.

    • Your privacy policy should have defined policies regarding personal data retention. You don’t need to give an exact number, as long as you are able to assure your customers that you won’t keep their information for longer than necessary.

    • In your privacy policy, your users must have the ability to request that their data be deleted. Have an email address where your customers can send their inquiries and requests regarding their data—something like privacy@[company].com.

  • Update your website’s cookie preferences.

    • Your cookie policy pop-up must have genuine options and should not steer your customers toward any choice in particular. A lot of companies have a “this site uses cookies…” FYI banner with only one “option” (usually “Got it” or “I agree”), and that’s not GDPR compliant. I’ve added some good examples below.

This one from Deloitte is really good.
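As an added illustration (not code from the original post or from any vendor it mentions), here is a small opt-in consent gate in JavaScript for the banner point above: no non-essential script loads until the user has explicitly opted in, “reject all” costs the same single click as “accept all”, and a dismissed banner or a pre-ticked box never counts as consent. The stored record shape, the category names and the CONSENT_VERSION constant are assumptions.

```javascript
// Added example: opt-in consent gate for non-essential cookies (assumed record shape).
// Strictly necessary cookies are not gated; the two categories below are assumptions.
const CONSENT_VERSION = 2; // bump when the cookie policy changes so stale consent re-prompts
const CATEGORIES = ["analytics", "marketing"];

// Resolve the stored record into effective choices. Anything missing, malformed
// or from an older policy version counts as denied: the default is never "granted",
// and closing the banner without choosing is not consent.
function effectiveConsent(stored) {
  const denied = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (!stored || typeof stored !== "object" || stored.version !== CONSENT_VERSION) {
    return { choices: denied, needsPrompt: true };
  }
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = Boolean(stored.choices) && stored.choices[c] === true; // only an explicit true counts
  }
  return { choices, needsPrompt: false };
}

// Build the record to persist from the user's explicit action. "acceptAll" and
// "rejectAll" are equal-weight buttons; "save" uses the granular checkboxes,
// which start unchecked (a pre-ticked box is not consent).
function recordChoice(action, granular = {}) {
  const choices = {};
  for (const c of CATEGORIES) {
    if (action === "acceptAll") choices[c] = true;
    else if (action === "rejectAll") choices[c] = false;
    else choices[c] = granular[c] === true;
  }
  return { version: CONSENT_VERSION, decidedAt: new Date().toISOString(), choices };
}

// Return the names of the tag loaders allowed to run. Call this before injecting
// any analytics or marketing script; each loader is a function that sets its cookies.
function permittedLoaders(stored, loaders) {
  const { choices } = effectiveConsent(stored);
  return Object.keys(loaders).filter((name) => choices[name] === true);
}

// Constructed walkthrough: a first visit, then the user rejects everything,
// then a granular save with only analytics ticked.
const loaders = { analytics: () => {}, marketing: () => {} };
console.log(effectiveConsent(null)); // all false, needsPrompt: true
const saved = recordChoice("rejectAll");
console.log(permittedLoaders(saved, loaders)); // []
console.log(permittedLoaders(recordChoice("save", { analytics: true }), loaders)); // ["analytics"]
```

Persist the record returned by recordChoice in a first-party cookie or localStorage, and run effectiveConsent on every page load so that a policy version bump re-prompts rather than silently reusing old consent.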

So, Does Your Startup Really Need To Invest in GDPR Compliance?

The short answer is YES. GDPR is extraterritorial, so you’ll need to be compliant if you’re handling data from people who are in the EU. 

It doesn’t matter if you’ve got a headcount of 5 or 5,000: Though the biggest penalties have been imposed on large companies like Google and Facebook, the regulation has not spared tiny companies, government officials, and even homeowners associations. It should be noted, however, that no US companies have faced fines as of writing. 

My recommendation (not legal advice) is to get GDPR-compliant as quickly as possible: keep the scope very narrow, follow the above checklist, ship it fast, and move on—and actually do everything you can to ensure that your customers’ data is kept private and secure.