
GUEST POST: Lauren Wills-Dixon, Head of Privacy – Gordons LLP
Company founders have multiple priorities vying for their attention, from building products and winning customers to balancing limited budgets and resources. Reconciling these pressures with data compliance obligations can be tricky, but it’s vital. There are legal obligations on all companies processing personal data. The hard truth is that they must be taken seriously and getting it right is a continual task.
For many startups, particularly those founded by women, who are statistically underrepresented in tech leadership, building credibility, managing investor expectations, and navigating regulation simultaneously can feel like an uphill climb. Data governance might not seem urgent on day one, but it lays a foundation for resilience, trust, and scalable growth.
Data could grow to be one of your most valuable assets, so it’s worth putting safeguards in place early on. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has over 300 pieces of individual guidance – comprehensive, but not always easy to digest!
This guide is here to distill some key risk areas and offer top tips, especially useful for founders who are building lean teams, bootstrapping, or blazing a trail in traditionally male-dominated spaces.
Privacy Notice
Data protection laws require organisations processing “personal data”, that is, any information relating to an identified or identifiable living individual, to provide privacy information to those individuals (known as “data subjects”) in a clear and transparent way. This is the “who, what, where, when and why” of your personal data processing activities.
For female founders, who are often building purpose-led or community-centric businesses, transparency can become a differentiator. Your privacy notice is not just a legal requirement, it’s also a trust-building tool. It should be published on your website/app and brought to the attention of individuals at the point you collect their data, so that they know how their information is processed.
The ICO’s free privacy notice generator is a good starting point:
Create your own privacy notice | ICO
Be mindful: a privacy notice isn’t just a legal template – it should reflect the specific data practices of your business. Take time to identify what data your business is processing and be clear about it.
Direct Marketing Compliance
When GDPR first came into force, the main concern was the potential financial penalty for serious breaches of up to the greater of €20m or 4% of annual global turnover.
However, in practice, UK enforcement (now under the UK GDPR and Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 post-Brexit) has focused more on breaches related to direct marketing.
The majority of ICO fines in 2024 (15 of 18) related to PECR. Amounts have varied from year to year, and the average monetary value of a PECR fine was just over £150,000 in 2024. One example was HelloFresh, which was fined £140,000 by the ICO for nuisance marketing by text.
For early-stage startups (especially those run by women founders where marketing budgets are lean), getting your email marketing strategy right is essential. It can be a powerful growth lever, but it must be compliant.
Use the “soft opt-in” rule strategically – the soft opt-in reflects the idea that someone who has bought (or negotiated to buy) goods or services from you is likely to want to hear from you again, so you can send them electronic marketing without express consent. This can be a useful tool for growing your marketing list, but it comes with conditions: it only covers your own similar products and services (not those of third parties), and you must offer a simple way to opt out both when you collect the contact details and in every message you send.
If there is one thing to take from enforcement trends in this space, it is to take care when setting up your consent mechanism, by making sure any ‘tick boxes’ are clear and transparent.
The ICO has very recently released a direct marketing advice generator to help you with your compliance obligations. It’s still in its beta phase, but by adding the type of marketing you wish to undertake and the proposed individuals you want to target, the tool will helpfully indicate whether consent is required and suggest other regulatory considerations. You can find it here: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/direct-marketing-guidance/
Privacy by Design and Default
GDPR includes the concept of data protection by design and by default (Article 25). It essentially means that privacy should be ‘baked in’ to an organisation’s activities at the design and development stage, rather than bolted on afterwards. As a founder, especially in the early stages of platform or app development, this mindset gives you a rare advantage: you can do things right from day one.
If you’re building a startup (and particularly if you’re the only woman in the room), proactively raising privacy considerations can also position you as a strategic thinker, not just a product or operations lead.
So, say you are setting up an online platform for your startup, you should think about:
- how to keep the information sufficiently secure;
- who the data will be shared with;
- how you will communicate transparently with individuals about their data;
- whether you are collecting the right data, and whether it is definitely relevant to your operations.
The ICO publishes a data protection impact assessment (“DPIA”) template (dpia-template-v04-post-comms-review-20180308.pdf), which is a great starting point.
A DPIA helps to map out the key data protection questions. It doesn’t need to be an overly legal document or a work of art; the value is in the consideration and in putting pen to paper. It also acts as an audit trail to demonstrate your thought process. A DPIA is mandatory where processing is likely to result in a high risk to individuals, so if you are undertaking Artificial Intelligence processing, one is likely needed to assess any impact on individuals.
Final Thought for Female Founders
Data compliance might feel like just another item on the founder to-do list. But for many women-led companies, it’s also an opportunity: to lead differently, to model best practices, and to build ventures where trust, transparency, and accountability are baked in from the ground up.
If you have questions or need further support, feel free to contact Gordons’ privacy and data expert, Lauren Wills-Dixon.
A full-service commercial law firm, Gordons LLP is based in Leeds and works with some of the UK’s biggest retail brands and most successful regional companies.
Learn more: www.gordonsllp.com