GDPR: Life Post Enforcement
After all of the build-up to the ominous new GDPR regulation, which came into force in late May (a deadline we're led to believe few companies will actually have met!), we thought we'd share some of the ongoing measures we, at LocalGlobe, are taking to ensure full compliance.
So, how is life different post GDPR?
We are very familiar with the six lawful bases for processing data
A lot of companies got hung up on the need for consent when thinking about processing personal data. However, explicit consent is only one of six lawful bases you can rely on for doing so. In reality, if you're not a marketing company it's unlikely you'll be using this as your main justification.
We had the same initial panic as most with regard to obtaining consent. Our concern was that we would no longer be able to send event invitations (or other useful resources) to anyone without first having had an opt-in from everyone in our network confirming they were happy to be contacted. A myriad of questions followed this initial uninformed assumption: what if someone missed the email asking for consent or didn't opt in in time? Were we forbidden from ever inviting them to events again? (This would be such a shame considering a big part of our value add as a VC is our events schedule.) If we don't have a CRM capable of logging opt-ins, what tool should we be using in addition to our current product suite to do this? And so on.
Luckily, in almost all instances in which we would wish to contact (en masse) founders and others from our network, we would be covered by legitimate interest. However, proving this is the right basis to use is hugely important, as its scope is very wide. Which leads me to…
We keep a record of everything
It's best practice to document any steps you take prior to processing data, to show you've given it the necessary consideration before doing so. Doing this as you go, rather than having to retrospectively reconstruct the processes you went through, will save a great deal of time should you ever be required to demonstrate compliance.
This is especially the case with regard to exercising legitimate interest, which is the lawful basis with the widest variety of applications. An LIA (Legitimate Interest Assessment) should be done in each instance to show that you've properly evaluated the need to process a person's data. The ICO have a handy template for this.
We regularly review and send out our privacy policies
Every way in which you process people's data should be referenced in your privacy policy, and the policy must be regularly reviewed to ensure it is up to date. We make sure that it is easily accessible to anyone whose data we may process and, where necessary, have separate policies for different purposes (the generic one on our website won't necessarily cover the processing of people's data in other ways).
It's best practice to share these policies at every stage of data processing, to make it as apparent as possible to people how their data will be used. Being transparent is key — if in doubt, over-communicate! It's also important that privacy policies are easily understood. Whilst it's wise to get a lawyer to review the policy and check that it's legally accurate, writing it yourself is the best way to make sure that it makes sense to the average person, keeps your company's tone of voice and reflects your unique communication style.
We check our third-party tools are GDPR compliant
Getting your own house in order is one thing, but knowing that the tools and suppliers you use are compliant as well is also important. We keep up to date using Torii's handy GDPR SaaS index.
We make sure our portfolio companies are taking the necessary precautions
Whilst our own GDPR requirements are relatively light, that's not the case for many of our portfolio companies. From co-hosting events on GDPR to facilitating peer-to-peer knowledge sharing between founders on our WhatsApp groups, making sure our companies are set up for success in this area, as much as in any other, is something we're always trying to achieve. With such a diverse portfolio, LocalGlobe companies' requirements and approaches varied hugely.
Preparation for SODA, for example (who have email marketing, and all that comes with it, to contend with), included a two-hour GDPR session with a lawyer introducing all of the key points and working through what they could do in-house and what they needed legal help with; drafting an updated privacy policy and a GDPR paragraph to add to all of their pre-existing contracts; updating their T&Cs; creating an opt-in process for their newsletter; and writing an internal GDPR plan of action outlining how SODA looks after data and what precautions are in place, all in time for the new legislation. (Phew!)
Then there's Beamery, a talent acquisition software company which processes personal data daily and took the opportunity to write an extensive guide for recruiting teams. The variations are extensive.
Needless to say, it's been a stressful few months for all the data protection officers out there — existing and newly appointed — but hopefully most are almost there with their compliance plans, and we can rest in the knowledge that companies are (finally) having to be transparent about how they are using our data.