Common misconceptions about GDPR compliant deal flow processes

“We only collect company data so we are not affected by GDPR.”

This is a statement we hear on a regular basis. It is true that the GDPR does not make any mention of company data. Unfortunately, this does not mean you’re not also processing personal data, which of course is the subject matter of the GDPR.
Let’s take a look at a typical company application. It will include many personal elements, for example a name, e-mail address or telephone number. Even if you argue that the latter two are company data, you are still left with the name, which is obviously personal data.
Furthermore, when cooperating with early-phase startups you may not even realize that you’re processing personal data. But you’re still liable. Remember the tale of famous founders launching their companies in their garage? Well, what kind of address do you think entrepreneurs give you in the early days? More often than not this will be their personal home address.
Collecting an entrepreneur’s biography, re-targeting their application to push them to finish it, collecting e-mail addresses for marketing purposes: lots more examples come to mind.

Complying with GDPR when you’re sent a pitch deck via e-mail

Whichever way you look at it, you had better be GDPR compliant. Collecting pitch decks via e-mail, distributing them to a mailing list or sharing Excel sheets full of contact details just doesn’t cut it anymore. It will be all but impossible to track which data flowed to which person in your organisation. How will you create a realistic directory of data procedures? How will you ensure the right of each person to have her or his information deleted? Delete the pitch deck you received and ensure all people you forwarded it to delete the pitch deck as well? Then check all Excel files that you copied the information into and remove the data? Good luck with that.
And that’s only one of the many rights a person has thanks to GDPR after they share personal data with you.
You probably haven’t applied for a job recently. But try sending a CV via e-mail to any larger company today. It’s very likely that you will get an automatic answer telling you to apply via a web form and, by the way, that the e-mail you sent will be automatically deleted. Why do they make you jump through this extra hoop? Because HR obviously involves personal data. To keep the data flows under control, they use an applicant management system, and this allows them to comply with any GDPR requests.

You need a deal flow management platform to help you comply with GDPR

If we agree that you might get personal data when you collect company information, then you need to apply the same rigor to your deal flow. From our data we know that you will receive one GDPR request for every 200 applications. The reason can be anything from personal preference to the company closing down. It may be a retraction of incorrect information or of information that was never meant to be published. We even had a case where a breach of quiet period had to be rectified.
It’s not a matter of IF you’ll be hit by a GDPR or any other kind of data request, but a matter of WHEN.
This is where DealMatrix was born. Only a few people know that the rules and regulations were already in place before GDPR became a mainstream media topic. We identified the issues that every company now faces early on and built a GDPR compliant deal flow and innovation management system.
With DealMatrix you can
  • track who has access to received data,
  • track how long you have held on to data and consequently which data to delete,
  • prevent mass downloads of data, and
  • comply with deletion, update and any other GDPR request quickly and efficiently.
On top of its GDPR features, the DealMatrix platform is your innovation master store for company data, entrepreneurs, ideas and patents. All in one place.

“GDPR has to be taken seriously as a breach might have grave consequences for a company. If a corporation can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves not only open to fines, but also risk their customers’ trust. Other than receiving pitch decks with GDPR related content by e-mail, DealMatrix provides us a system to run the process fully compliant and with minimum efforts to focus on our core business.”

Alexander Rapatz, MBL, Head of Legal and Compliance at Venionaire Investment

