Law for startups

Why legal stuff matters to your startup

The paperwork, the contracts, the term sheets, the compliance regulations. You might have incredible tech, a team worthy of a Nobel Prize and your dream customer already in the bag, but without getting all the legal stuff sorted, you’re pretty screwed.

In the accelerator world, there’s often an expectation that you have a legal partner, but few actually discuss what that really means. Launching Collider Amsterdam in 2017 gave us the perfect opportunity to scour the Dutch market for that dream partnership, and we landed on the folks at LXA The Law Firm.

Having now worked with over 50 startups at Collider, we can see (and totally understand!) that the legal stuff isn’t the most exciting part. But it’s arguably one of the most important, and it gives real meaning to ‘sink or swim’.

An awesome law firm can support our startups with a whole host of issues, from IP and GDPR to option pools and term sheets, and by doing so it also becomes an incredible, trusted advisor to our angel investors. In our eyes, that’s a win-win for all parties.

New startup, new country

As part of our deal, we expect startups to move their business to Amsterdam in order to receive investment. Innovating in fresh waters in a new country and likely going into competition with huge, multinational companies takes real bravery, which is exactly why you need a serious legal office behind you.

“LXA were right there at the start of our journey into the Netherlands,” said Rado Raykov, CEO and Co-Founder of Consent.io, a Collider Amsterdam startup which helps brands to access an always-on focus group of millions, with real-time analytics and live feedback.

“Shortly after we made the transition and became a Dutch company we had the good fortune of having to very quickly switch gears thanks to our first paying customer waiting for us to send our contract proposal.”

The many needs for a legal expert

It doesn’t take a genius to know that startup life can be tough; but until you’re faced with that next challenge, it’s not always possible to see it coming.

“Having your papers in order is a must for future investment,” said Rado. “One of our co-founders is an American. Our first client is from outside the EU. We all needed employment contracts with our own company. We had to begin our GDPR compliance roadmap. Oh yeah - and then there’s the matter of intellectual property.”

Ultimately, we know the legal stuff isn’t the most exciting part for investors or for founders, but having this organised from the start will save you a lot of money on ibuprofen in the future.

Your tech might be great, but business wants business

Many of these things are simply the harsh realities of the real business world, and chatting to any of your startup friends over a beer will likely reveal it’s common practice. But without the security of a startup-friendly, efficient and seriously knowledgeable legal firm, you’re unable to do what you really do best – and that’s sell.

“When you say ‘innovative’, businesses hear ‘unproven’. When you say ‘new’, businesses hear ‘risky’. Having to surmount all of that is a difficult task,” said Rado.

“But if you have the right partners on board to make sure that the law is on your side, that your contracts are rock solid, that you can step on their reputation and professionalism to mitigate and minimise the risk for your team, investors and clients - then you can venture into any boardroom. 

“Yes, you might be young, but when it comes to the lawyers and the law - you are equal with the other side of the table.”

WTF is GDPR? We have the answers

You might have heard that the General Data Protection Regulation (GDPR) was passed by the EU Commission last year. It’s pretty big news; taking effect from 2018, it effectively replaces the law we’ve had since 1998 - the Data Protection Act. Because it’s a regulation, it comes into force as it was passed by the EU Commission, and it has been made clear that it will not be impacted by Brexit.

But what on earth does it mean for businesses, and more specifically, MadTech startups? Our legal partners Lewis Silkin were on hand to clarify that for us and our alumni.


Enough about me, back to me

The whole law is built around protecting the individual ‘data subject’ – that is, the person whose data you are collecting. Businesses are being put in the data subject’s shoes, and need to think of data collection and usage from their point of view.

Who am I?

You need to understand if you are a Data Controller or Data Processor. A Data Controller determines the purposes for which, and the manner in which any personal data is processed or is to be processed, and is directly responsible for compliance with the law.

A Data Processor processes that data on behalf of the Data Controller, and the Data Controller must have a written contract in place for this. A big change, however, is that the Data Processor will now have direct obligations and liability under the law.

It is important to understand which you are, as this will determine your obligations and what standard you will be held to. Just to muddy the waters a bit, you can actually be both; any suppliers you engage will be Processors, but if you sell to a client, you may well become the Processor. Clarify this and your liability at the outset, and record it in written, signed form.

Get consent!

In line with the individual focus being pushed through the new law, the definitions of Personal Data and Sensitive Personal Data are expanding.

Sensitive Personal Data

The new rule of thumb is thus – if you are gathering and using sensitive personal data – GET CONSENT! Even more importantly, do not bundle this up in your Ts and Cs. This needs to be obvious, clear, visible, shouting from the rooftops.

Personal Data

This must be processed for a ‘fair and lawful’, i.e. particular, use. If it isn’t on the list of what’s fair and lawful, you can’t do it! Generally the conditions here are: with consent, necessary for the purposes of the contract with the data subject, or in the Controller’s legitimate interest. Transparency is key – you need to provide a privacy notice (again, as obvious, as clear and as unbundled from anything else as possible) and don’t do anything with the data that might surprise your subject!

One thing to point out here is that you don’t always have to have consent as your ground for processing data – but if you do, your Data Subject has to demonstrate their consent, and be free to withhold or withdraw it.

What’s your profile?

Another big area of impact is ‘profiling’. The regulations have introduced a new definition of profiling, with some pretty big requirements for any profiling that constitutes having a ‘legal effect’ – that is, an irreversible impact on the Data Subject. At the moment it doesn’t seem as though behavioural profiling, targeted advertising and the like will be scooped up by this, but it’s subject to more clarification and guidance.

It may be helpful to think of profiling in two ways –

  1. Does your profiling have a ‘legal effect’ – if it does, you MUST have explicit consent
  2. Does your profiling not have a ‘legal effect’ – you must inform the Data Subject of it and allow them to object to it (if it’s already happened, you need to be able to reverse it)

Don’t you forget about me, except, please do

Rights being extended under the GDPR are the Data Subject access request and the right to be forgotten. The new one, however, is the right to data portability – Data Subjects will be able to request all of their data and are free to move it to other accounts, including those of any competitors. It’s worth bearing this in mind, as you will need to be able to provide them with all of the information you hold about them.

So what can I do?

This may all seem pretty daunting, and with one of the biggest changes in the legislation being the serious increase in fines for breaches, it may feel like you’re fighting an uphill battle. There are, however, steps you can take to start getting yourself compliant.

• If you’re early stage, the words ‘privacy by design’ are your new best friend. Build the requisite data security measures into your systems early, and get your privacy notices, consent buttons and the like clear and ready from the outset.

• If you’re later stage, you will need to build an audit trail – think when you gathered data, how it was used, all date stamped and demonstrably proven. You’ll also need to reach out to all of your Data Subjects and tell them what information you are holding, with an option for them to ask you to remove it.

• All businesses will need to review their reporting procedures should they find themselves on the wrong end of a breach, and make sure that their processes are adequately set up to manage that breach in accordance with the regulations.

• A good place to start will be to ask yourself – what data am I holding; how did I get it; and where did I get it from? Work back from there and start to unpick the audit trail and how it needs to be collected in the future.

New guidance is due to be issued this Spring, and for anybody who is still a bit stuck, some good starting points are the Information Commissioner's website and the European Commission's website. Our legal partners Lewis Silkin are also on hand to support our network with queries they may have.