The EU Data Privacy Regulation Vexing Mark Zuckerberg Is a Huge Opportunity for Your Startup
Odds are, your personal data was stolen in the past year. With more than 87 million Facebook profiles breached in the now infamous Cambridge Analytica debacle and 145 million credit profiles stolen in the Equifax breach, well over half of Americans are recent victims of data theft. (Of course, you might have been hacked in both breaches, not just one.)
During the recent congressional grilling of Facebook CEO Mark Zuckerberg, there was much discussion of regulation to strengthen data privacy in the US. While this would no doubt represent a step forward, the reality is that there is already a sweeping suite of data privacy regulation that will go into effect on May 25th, 2018, known as the General Data Protection Regulation, or GDPR. While the regulation comes from the EU, it will -- contrary to popular belief -- affect tens of thousands of US-based companies. Zuckerberg himself was grilled on GDPR and, in a revealing candid shot taken of his notes, indicated that Facebook is not yet GDPR compliant.
Becoming GDPR compliant requires meaningful investment, but failing to do so could jeopardize your customer relationships, while doing so efficiently will help you pull ahead of competitors. Bottom line: GDPR compliance can provide meaningful competitive advantage from a marketing and customer relationship perspective, whether it is required for your startup or not.
Disclosure time: I am not a lawyer. I thought about getting a JD once and even bought an LSAT prep book but that’s as close as I came. The advice below is distilled from discussions with lawyers and startup CEOs.
What is GDPR?
GDPR is focused on data that can, directly or indirectly, identify an EU resident. It imposes a series of requirements on companies involved with the processing of such data, whether they are controlling the use of that data or merely acting on behalf of another. Here’s a substantive but digestible summary from a British law firm.
There are a variety of fairly sweeping provisions around consent, right to erasure, data governance and more which will require significant changes for most startups that are affected by GDPR. Which leads us to the critical question: which startups should care about GDPR?
Many CEOs I’ve spoken with think GDPR only applies to EU-based companies. This is not the case. The regulations are “extra-territorial,” meaning they can apply to companies involved with the processing of EU personal data in the context of marketing goods or services and/or monitoring EU individuals, regardless of where they’re based.
But the new regulations don’t stop there. They also have “pass-through” components, which means that any company which processes EU data must have a fully GDPR-compliant tech stack. So if you’re a startup based in the US which only serves US-based customers, but some of those customers process EU data, you very well may need to demonstrate GDPR compliance. The GDPR sets out penalties of up to 20 million Euros or 4 percent of global revenue (whichever is higher) for relevant infringements, and regulators with their increased enforcement powers show a keen urge to use them.
But potential fines are likely not the most compelling reason for startups to invest in compliance efforts.
The most compelling reason for startups to invest in GDPR compliance is to build a competitive moat, allowing them to serve customers who demand compliance and box out competitors who can’t. Over the past six months, I have heard from a growing chorus of startup CEOs whose customers have asked them to demonstrate GDPR compliance. This wave may accelerate after May, particularly for startups that serve more enterprise-level customers. The startups that invest in compliance now will be best positioned to drive a wedge between themselves and competitors in terms of addressable market.
How do startups get compliant?
GDPR is a body of regulations that will be applied and interpreted in the context of each specific situation. There is no binary “have it or not” certification program. There is no stamp of approval provided by a third-party governing body indicating compliance. As such, startups have to use judgment to determine when they have invested sufficiently to become compliant.
The North Star here is to listen to your customers. They will ask for specific items to demonstrate compliance, and you should invest to get ahead of those requests. Don't fall into the trap of over-investing in expensive resources you may not need. Open, ongoing dialogue with customers will help you determine appropriate investment levels, which may change over time as regulation and enforcement evolve.
The first step to GDPR compliance is assigning an internal champion. This role is played by a variety of functions at startups, from general counsels to product leads. A growing number of startups are hiring compliance leads and justifying the expense in the name of competitive differentiation. Regardless of who it is, a teammate has to have GDPR compliance as a key performance objective. Tiffany Morris Palazzo, general counsel and VP of Global Privacy at Lotame, puts it well: “It’s a mistake in this day and age to not have someone internally who is tasked with thinking about privacy. It doesn’t have to be a lawyer. It does have to be someone with strong accountability.”
Step two is conducting an assessment of current compliance. There are a variety of assessment tools out there, from entirely self-guided to full-suite service providers. This guide from the UK’s Information Commissioner's Office is the best assessment overview I’ve come across.
If you’re looking for external assessment help, be careful with your selection. There is a plethora of GDPR consultants touting any number of services. Often, they are accustomed to dealing with larger companies and don’t have experience applying GDPR to startups. Further, their incentives are generally aligned with selling more services, so if you go down that path, you’re likely to end up with porridge that’s too hot and a bank account that’s too low. If you decide to hire legal help, work with a lawyer who has both GDPR and startup experience.
The key to any assessment and compliance strategy is documentation. You need to assemble a clearly labeled packet of all of the efforts you’ve taken toward compliance. This should be in whichever format you find your customers most commonly asking for. Remember, since there is no GDPR certification document, it’s up to you to convince your customers that you are compliant.
While these regulations are likely not what startup CEOs dreamed they’d be spending their time on in 2018, those that do it well will build a competitive moat allowing them to serve customers their competitors can’t. In a world of increasing startup competition, GDPR could be a blessing in disguise.