
How to Win Users and Influence Investors: A Startup’s Guide to Making Data Protection Work to Your Benefit

The EU's new data protection rules entered into force this past May (they become enforceable on May 25, 2018); here's a rundown of how they affect startups, and how to make the most of them.

This post was written by Mahmud Hamdi, data protection expert and CEO of Detracker, the first online privacy advisory firm working only with startups. Say hello to Detracker on Twitter.

Data protection. Users love it, and early stage funds and VCs won't move forward without it. But for tech companies, online privacy and data protection have historically been a mysterious challenge. Some startups have overlooked them in favor of building cool new tools; others outright violate privacy to increase profits. The bottom line? Privacy has been an afterthought.

We have advised startups in all sectors, and the smart ones took privacy seriously. The really smart ones incorporated it into their unique selling proposition (USP). These startups realized that getting data protection wrong could destroy their brands or hurt their ability to deliver a return to investors. Consequences of non-compliance include fines or, worse, a data protection regulator ordering you to delete your database of users, early adopters and hard-earned customers.

The New Laws of Data Protection

Fast forward to now: there are new data protection rules in Germany and across Europe. The General Data Protection Regulation (GDPR) supersedes the 1995 Data Protection Directive and takes precedence over the national laws built on it, such as Germany's Bundesdatenschutzgesetz, and it imposes stricter obligations on every company that processes data about people in the EU, regardless of where the company is based.

The GDPR entered into force on May 24, 2016, and applies from May 25, 2018 after a two-year transition. Less than two weeks after it entered into force, the data protection authority in Hamburg fined Adobe, PepsiCo and Unilever. Those fines were issued under the law already in force, for transferring personal data to the US on the basis of the Safe Harbor framework after the EU court had invalidated it, but they show how actively European regulators are enforcing, and the GDPR raises the maximum penalties considerably.

The first responsibility for companies under the GDPR is to follow the new rules on users and their personal data. Consent must be freely given, specific, informed and unambiguous, so pre-ticked boxes and consent buried in the terms of service no longer count. Profiling is not banned outright, but decisions based solely on automated processing that have legal or similarly significant effects on a person are restricted, users can object to profiling, and they can complain to regulators and seek compensation when a company violates these rules. Companies whose business depends on profiling (AdTech, Big Data, machine learning, etc.) therefore need to think about privacy before they build. Personal data may leave the EU only where an adequate level of protection is guaranteed, for example under an adequacy decision or standard contractual clauses, which concerns every company with contractors, coders and developers around the globe. Finally, the default age at which a minor can consent to online services without a parent is 16, although member states may lower it to as low as 13.

The second responsibility for companies is that their entire staff should be familiar with data subject rights. In other words, staff training is now part of being compliant. A privacy- and security-conscious team matters, since a large majority of data leaks (80–91% by some estimates) trace back to staff error.

Next is breach notification. A company that becomes aware of a personal data breach must notify the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals, and must also inform the affected users when the risk to them is high. This is a critical obligation: in the Netherlands, which introduced a national breach notification duty in January 2016, startups have already filed more than 1,500 such reports.

Perhaps the most significant change in the new rules is the requirement to choose compliant data processors. Before handing personal data to a third party (cloud providers, email marketing tools, analytics services, etc.), a company must assess whether that party offers sufficient guarantees that it meets the GDPR's requirements, and must put a data processing agreement in place. On average a company uses somewhere between 100 and 1,100 third parties, and recent reports suggest that 75–99% of them are not yet ready for the new rules. This means your startup could end up in trouble because of someone else's unpreparedness.

The last obligation I'll outline here is drafting privacy policies. The GDPR requires them to be concise, transparent and written in plain language, so that users can understand how their data will be used and can check that the company is complying. Otherwise, users may report companies to the regulator for violating their online privacy.

A Positive Spin on Data Protection

Let’s consider the following scenario: You launch a very promising startup. You (and maybe your co-founders) are running on savings. Life is easy. But soon the end of the savings runway approaches, and you decide to raise funding.

You deliver a kickass presentation to potential investors and get the green light for funding that would keep you and the startup alive for the next 12 months. But when the investor runs due diligence on your business, they spot a problem: your data handling has been unlawful, and the emails and data of the early adopters you have already collected were obtained without a valid legal basis. The deal stalls, your business is going nowhere and you have no money left. You might even be forced to erase your entire user database.

So, life lesson learned. The common denominator among investors is that all of them do their research and due diligence before putting in any of their cash. A partner at an early stage $2.6 billion firm said, “We end up investing very early in most of our companies. We’re usually the first institutional capital in. And on the board, we do ask a lot of these privacy questions. Privacy is entering the conversation much earlier, and data privacy is very strongly tied to the overall information security.”

Venture capitalists want growth and a clean exit. They don't want a data privacy mishap to impede either of those things with a public relations disaster or a 20-year consent decree. Steve Herrod, a partner at General Catalyst, which has funded the likes of Snapchat and Kayak, said that “when we have companies that are storing customer data, like public cloud services…[data protection] is definitely part of our due diligence.”

How can you ensure you’ve covered your bases? The solution is ingraining Privacy by Design into the development of a product.

First, write (or review) your business plan with the social and legal factors that might affect the business in mind, privacy compliance among them. Think about whether you should have a data protection officer overseeing your development. It doesn't have to be a full-time role while you are small, but someone should be in the picture to guide you. Also revisit what you know about your target markets and assess their privacy regulations. Lastly, get your documentation, registrations and compliance in order.

The next step is to take another look at the technical design of your product or service. Conduct a privacy risk assessment (the GDPR calls this a data protection impact assessment and requires one for high-risk processing) to make sure your MVP stays viable. When you dig into the risks you face, work out how to address each one. Engineer for the right level of privacy as you grow. Don't just ignore it.

Users love privacy-friendly startups and reward them over competitors. Across the EU, 20% of users will pay more for a service that offers privacy guarantees than for a competitor that doesn't. Coupled with the general distrust of online services (Pew Research Center puts it at 91% by some measures), this is a prime opportunity for startups to make the most of the gap.