Several business surveys suggest that the most problematic issues facing any small business or SME include cash flow management, hiring and retaining talent, and regulatory compliance. This last issue is especially relevant to tech start-ups, and one of the regulations with the greatest potential for causing problems through non-compliance is the UK/EU GDPR (General Data Protection Regulation).
GDPR applies directly to countries in the European Union. Following Brexit, UK companies still have to follow the UK GDPR rules, which are essentially the same regulations copied into UK law. If businesses breach GDPR rules, they face a substantial fine that could prove terminal for any nascent firm.
GDPR Applies to Start-Ups and Small Businesses
Companies with 250 employees or more are required to comply with GDPR rules; however, GDPR is still relevant for small businesses with fewer employees. For very small companies, separate data processing rules still apply (see the Information Commissioner’s Office (ICO) website for more details), but essentially, if you or any of your sub-contractors collect, process, or store any personal data or identifying information in the course of your business, whether as part of product development, marketing campaigns, or dealing with staff and customers, you must comply with GDPR rules.
Compliance Risks in Using Foreign Developers
There is, however, an additional potential danger for SMEs in the tech space who, for reasons of cost or to access the necessary expertise, use developers abroad. Depending on where these third-party vendors are based, they may operate in jurisdictions whose data protection safeguards for personal data and personally identifying information fall short of the standard required by the UK/EU GDPR, or which in some cases have no such safeguards at all.
If these third-party vendors are not GDPR compliant, they are also highly unlikely to have the appropriate insurance policies in place in case a breach on their part occurs. If their input and contribution are part of your product or service offering, you will be the one facing the fine for non-compliance.
Essential Contractual Protections
Smaller tech start-ups may not have the legal knowledge or staff to spare. Entrepreneurs, understandably focussed on developing their product above all else, may not be aware of the commercial data and cyber security contractual protections and obligations that need to be put in place with such third-party vendors to avoid just such a potentially damaging risk.
That’s where the Motion Paradox team of start-up lawyers, based in London and Los Angeles, can advise you on the current regulations and put in place the legal and contractual provisions that help protect your business from the risks that non-compliance with GDPR could pose.