GDPR Top of Mind at RSA

This week we attended the RSA Conference, one of the largest security conferences in the world with over 45,000 attendees, 650 exhibitors, and 550 sessions. As active investors in the security space, we are always on the lookout for new trends and threat vectors. The themes we observed at RSA 2018 included: data privacy/GDPR, block chain, IoT Security, and application security. With the overhang of Facebook/Cambridge Analytica and GDPR enforcement going into effect in less than 50 days, data privacy was top of mind for many attendees, so we wanted to double click on the category.

General Data Protection Regulation (GDPR) requirements will force U.S. companies to change the way they process, store, and protect customers’ personal data. GDPR requires: the consent of subjects for data processing; anonymizing collected data to protect privacy; providing data breach notifications; safely handling the transfer of data across borders; and requiring certain companies to appoint a data protection officer to oversee GDPR compliance. GDPR places equal liability on data controllers and data processors. A third-party processor not in compliance means an organization is not in compliance.

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.

IDC forecasts the total market opportunity for GDPR solutions will be over $3.5 billion in 2019. IDC predicts about a 50/50 split between security software and GDPR-related storage software. According to a PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million. Companies’ investments to become GDPR compliant take four forms: 1) hiring employees to manually catalog and monitor data, 2) investing in R&D for homegrown solutions, 3) paying consultants, and 4) purchasing third-party solutions.

Timely, BigID, a start-up offering a PII discovery, mapping, and governance solution, won the 2018 RSA sandbox competition. In addition to incumbents, software-based solutions from start-ups like BigID, OneTrust, Wirewheel, Integris, etc. provide an alternative to manual data cataloging and governance in addition to automating the right to be forgotten.

GDPR is not just a regulatory hurdle but also a business issue. Cisco surveyed nearly three thousand security professionals in 25 countries and found that data privacy concerns are causing significant sales cycle delays for up to 65 percent of businesses worldwide. For businesses with ad hoc privacy maturity the average sales delay was 16.8 weeks. Businesses with higher privacy maturity levels expressed delays but to a lesser degree. For example, companies with optimized privacy processes reported 3.4 weeks of sales delay, which is an 80 percent less than businesses with ad hoc privacy posture. Start-ups like Panorays, which assesses suppliers’ security posture, can help minimize delays.

On May 25, 2018 GDPR goes into effect and its influence stretches far beyond the continent itself. We believe data privacy concerns are a global issue evidence by South Korea’s Personal Information Protection Act and Personal Information Protection Commission in Japan. We are excited by software-based privacy management solutions because they ameliorate a pressing security concern and appeal to an international audience.