What Tetris Teaches us About Data Privacy and Protection

Jason McBride
Published in The Startup
Aug 20, 2019 · 6 min read

Getting it right is one of the most challenging games ever created.

Credit: https://www.reddit.com/r/gifs/comments/5nfpym/trippy_tetris/

Tetris is one of the most addictive games on the planet. It’s arguably the best-selling video game in history, with over 175 million copies sold. Challenging? You bet. Entertaining? Of course. It’s also one of the most frustrating games ever made. No matter which version you play, sooner or later you come to the sudden realization that trying to win is futile; all you can do is try your best to improve upon previous results.

Credit: USG, https://www.usgamer.net/amp/what-can-you-play-right-now-on-an-amazon-fire-tv

In Tetris, the goal is to drop blocks called tetriminos into a playing field to create solid lines. There are different types of tetriminos — some are L-shaped, some are square, while others are T-shaped. You advance to the next level when you complete a certain number of solid lines, and you lose the game when the tetriminos stack up and hit the top of the playing field — also called “topping out.” So what’s the point of all this nerdy Tetris talk? Well, many companies “top out” as they navigate the choppy waters of data protection, privacy, and regulatory compliance within the US and abroad.

I’ve experienced these challenges first-hand while building Docstur, a SaaS-based document automation platform. For example, I initially had a myopic view of regulatory compliance and focused on meeting the expectations set within the General Data Protection Regulation (GDPR). The general rule of thumb is that if your business offers goods and/or services to citizens in the EU, then it’s probably subject to GDPR. Running afoul of compliance could result in hefty fines of up to 20 million euros or 4% of total global turnover, whichever is greater. After extensive research and guidance from outside counsel, I implemented a five-step approach:

Credit: usseek.com, images/competences-icon/9
  1. Revisit all data sources.
  2. Identify what personal data can be found in each source.
  3. Govern and define what personal data means through documentation.
  4. Establish the correct levels of protection (e.g., encryption, pseudonymization, anonymization).
  5. Implement a plan to audit.

And yet, if you take similar action, your organization may find it is still “topping out,” just like in Tetris, because of the proliferation of data protection and privacy regulations over the last three years. It’s easy to implement a solution when GDPR is the only regulation in town. The opposite is true when companies are forced to comply with multiple regulations across multiple territories and regions.

For example, on June 28th, 2018, California became the first U.S. state with a comprehensive consumer privacy law when it enacted the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. This GDPR-style law gives the state’s 40 million residents the right to view the data that companies hold on them, make corrections to it, request that it be deleted, and request that it not be sold to third parties.

Other states such as Colorado and Massachusetts recently passed similar laws because of the lagging efforts at the federal level. Implementing privacy regulations at the federal level is a herculean effort, as it would require massive resources, including a governing body that could actually identify and enforce violations. Despite bipartisan interest in placing a federal law on the books by the end of 2019, there’s an ongoing debate as to whether federal legislation should preempt and weaken state standards. In other words, the tetriminos are falling; we just don’t know where they will land or what the full impact is going to be. Perhaps legislation for data privacy and protection at the state and federal level will be successful, or perhaps it will be a complete nightmare and end like this:

Credit: Giphy, https://www.reddit.com/r/funny/comments/6jky41/tetris_irl/

The main takeaway here is that it’s almost guaranteed additional states will enact similar regulations in the near future, even as the U.S. moves forward with national privacy legislation. As a result, organizations will be forced to address heightened data regulations both at home and abroad, especially if they qualify as a multinational entity.

So now that data privacy and protection are much more than just the flavors of the month, what else can we expect going forward? First, we can expect different companies to be at different levels of compliance, as varied as the levels in Tetris; some are barely pushing past Level 1 while others are on Level 29. Second, it is probably safe to assume the proliferation of regulations will also usher in a new wave of startups focused on data protection, privacy, and compliance.

We’re starting to see more funding being allocated towards such companies as it becomes increasingly clear that software in this space is much more than backend functionality hidden behind the scenes; it’s now the star of the show. Gone are the days when solutions providing data protection were categorized as mere feature enhancements.

In fact, the broader data protection market, which covers a wide array of solutions from cybersecurity and disaster recovery to compliance, will reportedly be a $120 billion industry by 2023. Venture capitalists are taking note of this growth, as demonstrated by investments in companies such as InCountry, a San Francisco-based start-up founded in 2019 which recently raised a Series A round in the amount of $15 million to help companies mitigate compliance risks by storing and retrieving data in its country of origin. The data is also protected with cryptographic controls such as SHA-256 and AES-256.

InCountry dashboard with key metrics (Credit: https://incountry.com/)

And things are just starting to heat up. On the other side of the investment spectrum, you have OneTrust, an Atlanta-based company founded in 2016 which recently received a Series A round in the amount of $200 million to build tools focused on helping organizations effectively manage online privacy and the protection of data. It’s also worth pointing out that this hefty investment comes with a $1.3 billion valuation, despite the company only being around for about 3 years.

OneTrust Privacy Management Portal (Credit: https://www.onetrust.com/products/)

At first glance, this amount of funding seems disproportionate to the series and raises the following question: if the mean Series A funding amount is $13 million, what could possibly justify this mega-round investment and valuation at such an early stage in the company’s lifecycle?

The answer is pretty simple, even though the problem is quite complex. In order not to “top out,” you need to make sure all of your bases are covered in regards to your company’s infrastructure and operational procedures. This is no small undertaking, requires tremendous capital to deploy at scale, and is exactly where companies like OneTrust come in. Its SaaS- and on-premises-based privacy management software helps organizations manage how they collect data, while a secondary solution enables end-users to set preferences for how they would like their data to be handled on different sites. Finally, a third service assesses data protection risks posed by third parties.

No matter how you look at it, there’s no one-size-fits-all approach to data privacy and protection. A solution that works for one company might not be a good fit, or even necessary, for another. At the end of the day, each organization will need to figure out what level it’s on and try its best to improve upon previous results.
