We spoke about Data Regulation for online businesses at Blooming Founders’ event

On April 19th Aphaia was invited to speak at Blooming Founders’ conference. We presented all the key steps on Online Privacy that every business should take.



We introduced the main features of the new European Data Protection Regulation (GDPR) that will enter into force in 2018, and compared it to the current online privacy requirements. Whether you are a startup or a medium-sized company, it is essential to undergo a Privacy Impact Assessment (PIA) to assess how online privacy can affect your business model. You’ll become aware of all the privacy requirements and you will be able to build them into your everyday management, adjusting some methodologies when necessary, but also discovering some extra potential in your data sources.

Throughout the Q&A, it emerged that the law reform will affect every business that has a digital platform: from mobile apps to cloud services, from third parties that manage your data to your social media marketing strategies.

We would like to share some questions with you, because they really show how privacy is becoming a key feature in every online business.


  • Can I use my role as an administrator in a Facebook group to advertise my business?
  • What if my company is based in Brazil and I deal with EU customers?
  • I have an E-commerce platform and I have no European customers, am I safe from stringent rules?
  • What happens if my company infringes privacy regulation?
  • Can individual customers raise complaints in the law reform scheme?
  • Am I responsible for third parties I signed a service contract with?
  • What are the first steps to comply with data regulation?

If you have any questions, do not hesitate to drop us an email at info@aphaia.co.uk. We also have a special rate for Start-ups of 50 pounds an hour, to give you all the essential information to address online privacy standards without risking your organisation’s strategic goals and revenues.

10 privacy mistakes that Startups can avoid

While supporting many brilliant Start-ups that are ready to launch their new services, we have noticed that they share similar misconceptions about privacy and data.

We thought it would be useful to share these with you, hoping it will help you avoid the most common mistakes.


1) “It is all anonymized”

If you think that your Startup does not deal with personal data, it probably does.

Personal data is not simply an email address, and there is no such thing as anonymization if a data scientist can trace back the original information in due time.

In most cases, anonymization is impossible, or economically inefficient. So here is the first point: it is much better to have a good privacy policy than to spend money and time “trying” to anonymize data.

2) “Business first, privacy afterwards”

Many Startups think they can go unnoticed by privacy regulators in their early stages. Beware: just because you run a small business does not mean you cannot cause big damage. Often it is the procedure that you put in place, and not the amount of data you are dealing with, that triggers the infringement of data protection rules.

Regulators do have their eyes wide open, but you should know that the first ones to object to a breach are your own customers. Apart from fines, losing clients’ trust is ultimately one of the most damaging things you can do to your business.

Moreover, a successful Start-up may receive an offer from a larger company. A contract of this type will require the Startup to be compliant with current regulations: adapting a business model that is built on inadequate privacy standards will prove to be hard. Sometimes the business plan is so ingrained in unlawful data management that its structure cannot be adjusted, and that is why getting advice from a privacy professional beforehand is a very smart idea. Don’t have the money? Read below.

3) “We don’t have the money”

A Startup in its early stages needs just some legal guidance from a privacy expert, and not necessarily a full-on consultancy that will produce an expensive privacy policy. It is much more economically efficient to be advised at this stage than to have to adjust your business model, if that is possible at all, because of privacy inadequacy.

For example, Aphaia starts with a special rate for Startups of 50 pounds an hour, which allows a newborn company to assess its privacy needs. Basically, it is a compass to point a business in the right direction.

4) “Let’s copy-paste a privacy policy”

Sometimes copy-pasting a privacy policy written for a similar-looking business is a real temptation.

However, a small difference in a business model can translate into a very big difference in legal terms.

Moreover, the services that you may outsource will not necessarily come from the same providers; the use of data that you will put in place may be different in scale or scope, and your customers may be different as well. Like spectacles, you want your privacy policy to have the right focal length: it will allow you to extend your business model as far as you can.

5) “Let’s collect all the data we can, it will be useful”

In legal terms, there is a balance to be struck between privacy and business interests. Collecting every piece of personal information you can gather is not necessarily a smart move: you may be asked to justify why you did so.

6) “All data published on social media are the same”

No, they are not! It is important to draw a distinction and to master it: it will allow you to avoid “sensitive” data and to collect more data than you think in other realms.

7) “I use a cloud provider, I am not responsible”

Your choice of a cloud provider, as well as the level of safety you can offer in sorting data, can be crucial for compliance.

8) “I don’t understand privacy regulation, my lawyer does”

Although privacy may seem (we agree) a painful headache for non-experts, the key concepts are easy to grasp, and a good consultant will first and foremost empower you.

He/She will give you the tools to understand when a new move could entail a privacy risk. Basically, you’ll be able to ask yourself the right privacy questions.

9) “I am outsourcing services to third parties, so I am not responsible”

Many Startups think that outsourcing some services also means transferring the responsibility for treating their data lawfully. This is not the case. The company that first collects the data remains responsible for the data.

If anything, other companies involved in the data process may gain responsibilities too, but that does not mean that your Startup is not liable in case of inadequate use.

10) “Privacy is just a cost”

Last but not least, Start-ups tend to think that drafting a privacy policy is just a cost.

Let us surprise you: a good privacy policy does not just stop you from sourcing “bad” data: it also enables you to make full use of the data you gather and process.

We call this approach ‘smart compliance’: being in compliance allows you to extend your business model even further.