Data Protection: What you can and can’t do

A Trust Keith x SeedLegals event 

Tom Gell, Head of Delivery at Trust Keith, talks to Anthony Rose, Founder of SeedLegals, to help startup founders navigate the dos and don’ts of data protection.




DO: Factor data protection in early to reap future benefits

Many start-up and scale-up businesses fail to consider data protection in the early days of business. As a result, they miss out not only on legal benefits, but also on the positive financial impact that comes with building customer trust, winning enterprise accounts, and building brand equity and differentiation from competitors.

Tom, part of the founding team at Trust Keith, stresses the importance of building data protection into your business foundations, as early as possible.



DO: Utilise lead generation lists for sales

In a B2B context, you are able to contact leads with a business email address, as long as you have a legitimate reason to contact them. Often, the legitimate reason is wanting to do business together because you have a solution to a problem you believe they face. Obtaining a list of contacts is a legitimate way to acquire data for B2B companies. If you’re asking the question "Can I still use lead generation lists to find new contacts?", the answer is yes.

Image showing two email screenshots with guidance on complying with the GDPR. You can send email to business email addresses with a legitimate business reason. You cannot send emails to personal addresses without consent, even those found on LinkedIn.

The rules start to change when we talk about personal email addresses. You cannot contact someone on a personal email address without their permission. This includes email addresses that may be scraped from a LinkedIn account. 

Quote from Tom, Head of Delivery at Trust Keith: “If it looks like a personal email address, treat it like one. I.e. do not use it to send unsolicited business communications. What you can do is use professional platforms like LinkedIn to send outreach messages within the messaging function.”

Tom’s disclaimer: These rules apply to the UK and may differ by country. Germany, for example, is stricter.



DON’T: Use email addresses gathered for one purpose for other reasons

For any communication, you rely on consent, and the rule is that consent must be specific and informed. Put simply: what they are signing up for is clear and not hidden in a dense privacy notice.

Once you move outside of explicitly stated communications, you’re on shakier ground. If someone provides you their email address because they want X and you give them Y, they are unlikely to be happy about it. 

No matter how clear you’ve been, you should always make it easy to unsubscribe. Individuals should have the opportunity to change their mind about what communications they receive at any time - and with ease.



DON’T: Ignore ‘right to be forgotten’ requests 

Depending on how frequently you receive these requests, a conversation to understand the motivation behind them can go a long way. Under the GDPR rules, any customer can write to you and request a record of all the personal data you hold for them.

This can be an onerous task - particularly if you store data in multiple systems, like a customer management system, email marketing software and across social platforms. The law is clear: you must be thorough with these requests. It’s an example where prevention is better than a cure - setting up good systems from the off makes it far easier to process these requests compliantly.

There are other factors in a request to be forgotten - there is no absolute, as it’s balanced across a lot of different laws. Anything that is considered necessary to defend against future legal claims, for example, does not need to be deleted.

Time is of the essence for these requests: you want to act quickly so you are not seen to be deliberately delaying. However, you can go back to the individual making the request to understand what they are specifically looking for - they may not want 20 years of data, for example, but rather everything relating to a specific instance.



Looking for specific help navigating data compliance? Reach out to the Trust Keith team today to find out how we can help you scale your business with confidence.


About Trust Keith 

Trust Keith helps founders save the time, energy and ambiguity of managing data protection themselves. We know first hand the importance of getting it right and at the same time not allowing it to overtly impact business-as-usual. We’re here to change the conception that data compliance is “boring” and “unsexy”, helping fast-growth scale-ups effortlessly navigate the complex world of compliance and focus on scaling their business with confidence.


About SeedLegals 

SeedLegals is the UK market standard for companies raising investment, incentivising teams with share options, applying for SEIS/EIS, and managing their cap table. With 1 in 6 early-stage funding rounds closed on SeedLegals, and more cap tables and EMI option schemes set up and managed on SeedLegals than on any other platform in the UK, we're proud that we've transformed the way companies start, grow and scale.