Why Startups Should Not Ignore GDPR (And What Goldilocks Can Teach About Addressing It)
A Board Observer at Comfy, DroneDeploy, Guru, Textio, and Augmedix; a Kauffman Fellow; and a Principal with Emergence Capital — Jake Saper is among the foremost thought leaders in the application of technology in environmental conservation through the Natural Resources Cloud.
Most US-based startups spend relatively little time thinking about government regulation. And rightfully so: worrying about product, team, and customers is typically a much better use of energy than fretting about bureaucrats. But now that the EU's sweeping data privacy regulation known as GDPR is going live, we are encouraging our portfolio companies to make an exception. We believe that GDPR presents a significant strategic threat to US-based startups and, if addressed properly, a significant opportunity, even for those that don't directly process the personal data of people in the EU themselves.
Bottom line: Your US-based startup is very likely to be affected by GDPR. While it’s unlikely you’ll be pursued by the EU if you’re small, demonstrating GDPR compliance can provide a critical competitive advantage from a marketing and customer relationship perspective. And the beloved children’s fairytale Goldilocks provides a nice lesson on how to pursue compliance effectively.
Disclosure time: I am not a lawyer. I thought about getting a JD once and even bought an LSAT prep book but that’s as close as I came. The position I’ve laid out above and recommendations I lay out below were distilled from discussions had with a variety of lawyers (both in-house and corporate counsel) as well as a variety of startup CEOs. Please find your own counsel.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is focused on personal data, meaning data that can be used to directly or indirectly identify an individual in the EU (the regulation turns on where the data subject is, not on citizenship), and it imposes a series of requirements on companies that act as controllers or processors of such data. Many people much more qualified than I have produced solid summaries of the regulation. I've found this summary from a British law firm to be the best balance of substance and digestibility for my non-JD-holding brethren.
There are a variety of fairly sweeping clauses around consent, right to erasure, data governance, and more which will require significant changes for most startups that are affected by GDPR. Which leads us to the critical question of which startups are indeed affected.
Which Startups Should Care about GDPR?
Way, way more than currently seem to be caring. Many CEOs I've spoken with seem to think GDPR only applies to EU-based companies. This is not the case. The regulation is "extra-territorial": it applies to any company that offers goods or services to people in the EU or monitors their behavior, regardless of where the company is based.
But the regulation doesn't stop there. It also has "pass-through" components: a controller may only use processors that provide sufficient guarantees of compliance, the two must sign a data processing agreement, and a processor must flow the same obligations down to any sub-processor it uses. In practice, the whole chain of vendors that touches the data is on the hook. So if you're a startup based in the US, which only serves US-based customers, but some of those customers process the personal data of people in the EU, you very well may be asked to sign a data processing agreement and demonstrate GDPR compliance.
Why Should Startups Care about GDPR?
The most obvious answer is the associated penalties. GDPR sets out a two-tier fine structure, with the upper tier reaching 20 million euros or 4% of global annual turnover (whichever is higher) for the most serious infringements.
But potential fines are likely not the most compelling reason for startups to invest in compliance efforts. While we won’t know how the EU will enforce GDPR for some time, it seems likely that larger tech companies will bear the brunt of the scrutiny (that said, if you’re a startup processing highly sensitive EU data like health and financial info, you may also find yourself under a spotlight).
We believe the most compelling reason for startups to invest in GDPR compliance is to build a competitive moat, allowing them to serve customers who demand compliance and box out competitors who can’t. Over the past 6 months, we have heard from a growing chorus of startup CEOs whose customers have asked them to demonstrate GDPR compliance. We think this wave will accelerate after May, particularly for startups that serve more enterprise-level customers. The startups that invest in compliance now will be best positioned to drive a wedge between themselves and competitors in terms of addressable market.
How Should Startups Go about Becoming Compliant?
We believe startups should pursue a "Goldilocks" GDPR strategy: enough compliance activity to win and retain customers that demand it but not so much that the startup is consumed by the process. The reality is that GDPR is not like a binary, audit-based compliance program (such as SOC 2 or ISO 27001) in which you either walk away with the report or certificate or you don't. GDPR does provide for approved certification mechanisms (Article 42), but none existed when it took effect, so for now it is a regulation whose requirements are applied and interpreted against each company's specific processing. In light of this, the Goldilocks GDPR strategy encourages startups to invest in enough compliance to satisfy their customers. You'll likely find this level through an iterative process with your customers, and it may shift over time as enforcement actions take place.
The north star I suggest here: listen to your customers. They will ask for specific items to demonstrate compliance and you should invest to get ahead of those requests. As discussed below, it can be easy to fall into the trap of over-investing in expensive resources you may not need. I’d encourage open and constant dialogue with customers to determine appropriate investment levels, which may change over time as regulation and enforcement evolve.
Steps to Ensuring Your Compliance Porridge Isn’t Too Hot or Too Cold, But Just Right.
The first step is finding and assigning an internal champion. We’ve seen this role played by a variety of functions at startups, from general counsels to product leads. A growing number of startups are hiring compliance leads and justifying the expense in the name of competitive differentiation. Regardless of who it is, a teammate has to have GDPR compliance as a key performance objective. Tiffany Morris Palazzo, General Counsel and VP of Global Privacy at Lotame, puts it well: “It’s a mistake in this day and age to not have someone internally who is tasked with thinking about privacy. It doesn’t have to be a lawyer. It does have to be someone with strong accountability.”
Step two is conducting an assessment of current compliance. There are a variety of assessment tools out there, from entirely self-guided to full-suite service providers. This guide from the UK’s Information Commissioner’s Office is the best assessment overview I’ve come across.
If you’re looking for external help, be careful with your selection. As Morris Palazzo put it, “Don’t just spend money to have someone stress you out.” Not surprisingly, there are a plethora of GDPR consultants that have sprung up touting any number of services. Often, these consultancies are accustomed to dealing with larger companies and don’t have experience applying GDPR to startups. Further, their incentives are generally aligned with selling more services, so if you go down that path, you’re likely to end up with porridge that’s too hot and a bank account that’s too low.
We’ve counseled our startups to work with law firms that have both GDPR and startup experience. Leading Silicon Valley firms like Gunderson Dettmer and Cooley have developed GDPR practices to this end. Cooley has put together a $1,000 GDPR Readiness Assessment offering, for which you’ll get a baseline assessment and templates to address key areas of deficiency.
There are also a growing crop of startups offering tech-based compliance solutions. Companies like Evidon help startups address consent requirements. Players like Collibra, Okera, and OneTrust help address data governance requirements. And content management players like Box are rolling out tools like Zones which allow for geo-dynamic data hosting. Incidentally, I believe GDPR will create opportunities for a host of new startups focused on addressing the intended and unintended consequences of enforcement.
The key to any assessment and compliance strategy is documentation: you need to assemble a clearly labeled packet of all of the efforts you've taken toward compliance. This should be in whichever format you find your customers most commonly asking for. The items customers typically request include an Article 30 record of processing activities, your data processing agreement and list of sub-processors, your data retention and deletion practices, and a summary of your security controls. Remember, since there is no widely recognized GDPR certification document, it's up to you to convince your customers that you are compliant.
While these regulations are likely not what startup CEOs dreamed they’d be spending their time on in 2018, those that do it well will build a competitive moat allowing them to serve customers their competitors can’t. In a world of increasing startup competition, GDPR could be a blessing in disguise.
A version of this article originally appeared in Entrepreneur.