For many startups, complying with European data protection laws is at the bottom of the priority list.
Sure, the EU levied €1.5bn in fines on companies that didn’t comply with the European General Data Protection Regulation — commonly known as GDPR. But those were just big companies, right?
Rapidly growing startups can also be sanctioned, even retroactively. Take US social network Clubhouse, which was audited by France’s privacy watchdog. Or French healthtech Alan, which faced a data compliance audit just before becoming a unicorn. And given the potential costs as well as reputational and legal risks, it’s more important than ever to be on the right side of GDPR. Here’s the GDPR rulebook for startups.
Why startups should pay attention to GDPR compliance
Startups often operate in regulatory grey areas, with many founders preferring to execute now and ask for forgiveness from regulators later.
But for successful startups, it’s only a matter of time before a GDPR compliance audit comes. And there's reason to pay attention; fines can be as much as €20m or 4% of the previous financial year’s revenue.
Compliance can be more complicated than at first glance because companies are responsible for the whole customer data lifecycle — even outside of their infrastructure. In other words, organisations should ensure that the third-party companies they share customer data with are also in compliance.
More investors are seeing poor GDPR compliance as a red flag in growing companies, putting a startup’s ability to fundraise at risk. “If a startup doesn't understand the need to invest in compliance and security, then I will have a hard time seeing how it will grow its SaaS offering,” says Oren Yunger, VC at GGV Capital.
Last but not least, reports of non-compliance can be made public, causing an unmeasurable PR nightmare. And while governments initially drove data security concerns, consumers are stepping up. Given that 95% of Apple customers opted out of tracking when offered the choice, it’s clear where their priorities lie.
How to start tackling data compliance at your startup
Any startup with a product processing personal data should consider starting a Data Protection Impact Assessment (DPIA or PIA). It is a process to identify data compliance and security risks.
The bulk of the work is to analyse the product data flows: what, why, how. Companies must ensure that the personal data they collect is actually a requirement, that it is stored only for the time it is needed and that the right level of protection is put in place depending on the sensitivity of that data.
The DPIA is typically the responsibility of the data protection officer (DPO) or head of privacy. Most startups won’t have one on staff but there are plenty of agencies to hire, costing on average €1,500 per day. A DPIA can be done in less than a day for straightforward projects and can take weeks for something more complicated. Countries' data regulators generally provide good guidance via their websites. France’s regulator went the extra mile by providing an open-source tool to carry out the process. While companies can do most of the process alone, it is recommended to get a legal expert to review the work.
Who should startups hire to look after privacy?
Founders need to remind themselves of the fact that data privacy is not just about complying; it’s a right. And consumers are increasingly caring about it. Company-wide meetings, online courses or training from data compliance agencies are ways to ensure your team feels confident with the concept.
Startups should staff depending on the risk and stage. For example, a startup processing highly sensitive data such as medical information will need to hire data security and privacy experts early on. They will need to work closely with the product team to ensure that data compliance is a core element, not an afterthought.
If the product isn't processing large volumes of personal or sensitive data, bringing in a consultant or agency who can provide a blend of security, risk and data protection experience is ideal. The startup can then have the expert transfer knowledge to them.
What tools can startups use for privacy?
It tends to be engineering teams that handle data compliance at startups. While they're familiar with collecting, storing and manipulating user information, they lack legal knowledge. That's why putting in place developer-friendly tools and automating data compliance as much as possible is the way to go.
There is a wealth of tools to get your data house in order. For smaller companies that are looking to figure out what data they store, where they store it and which third-party services receive it, Bearer is a good first step.
For larger organisations that have multiple products and want to be proactive by embracing “privacy-by-design” at the product level, TerraTrue is a good option. Another tool to look at is OneTrust, which has 40% of the privacy and data compliance space, but can be a bit overwhelming for small organisations and is best when a data privacy offer is already in place.
Over 130 countries have some sort of data protection law, so startups should be baking data privacy into their processes from day one. This is a trend that is here to stay. And while it may look complicated from the outside, stellar data compliance can actually be a selling point, not a headache, when it’s part of a company’s culture from the beginning.