Law for Startups: Privacy + Data Protection

8th Sept 2015

7th October is the kick-off date for our Law for Startups at THECUBE event! THECUBE will join forces with qLegal, Queen Mary University’s legal incubator for startups, and Aphaia, a regulation and CSR consultancy, to host a series of legal workshops for startup owners. Our aim is to provide entrepreneurs with the legal essentials they need in order to make the right business decisions.

So why Privacy and Data protection? 

Smart compliance with the UK and EU data protection regulations is strategic, and goes way beyond simply avoiding fines and civil liability. Breaches of such regulations can severely affect your business model, and therefore the value of your startup. Whereas startups often assume they would ‘own’ any data they gathered in the course of business, this assumption could be severely undermined by data protection laws.

Want to learn how and why?

The workshop will give entrepreneurs the opportunity to:

  • Get an idea of the key UK and EU privacy concepts: personal information, data processing, data controllers and data processors
  • Learn about the conditions a business has to meet in order to process personal data
  • Find out about the essentials of drafting website privacy terms

The workshop will be conducted by Dr Bostjan Makarovic, Aphaia’s founder, who teaches EU Telecommunications Law at Queen Mary, University of London DL LLM programme. He is a IAPP CIPP/E-certified privacy expert.

9th October 2015

We spent an evening talking to startups about privacy and data protection – more or less synonyms both referring to legal regulation of anything we do to data about individuals as we conduct our business. Remembering of course that data about customers and their behaviour is often perceived as startups’ core asset: as the first dotcom bubble burst, the only thing left after some of those companies was a customer database.

But is data really an asset in commercial sense? Yes and no. Data collected in breach of the data protection laws is more a hot potato than an asset. You cannot confidently use it and it might get you in serious trouble if you do. Most importantly for startups, betting on a company that harvests data illegally might not be investors’ top choice.

On the other hand, if the rules and principles of the Data Protection Act 1998 and the corresponding 1995 EU Directive have been complied with, your business model is likely to be fit for the market.

So when we say compliance, which are the main issues to consider?

1. Determine whether your business model involves the processing of personal data. Keep in mind that the definition comprises any data relating to an identified or identifiable individual and that processing includes mere storage. You might be dealing with data that is fully anonymised and therefore not personal. However, this is unlikely when you are gathering data directly from individuals who get in touch with you directly.

2. Are you in control of the purpose of data processing and means used? If you are simply performing data operations on someone else’s behalf you might be data processor, not data controller. But if you are in control, you must register your activities with the Information Commissioner.

3. Have you obtained consent from individuals to gather and process their data? Unless you are doing it purely for the purposes of performing a contract or concluding one at their own initiative (not yours), that is likely to be necessary. You can do it online but make sure you bring to their attention at least your identity as the data controller and the purpose of data gathering.

4. If you intend data to leave the UK and the EU, you may need to comply with additional rules. Keep in mind that even using a cloud service might comprise an overseas data transfer.

Want to find out more? Feel free to send your questions to