Julian Saunders, founder of data management and GDPR compliance solution PORT.im, discusses how GDPR will impact investment considerations for tech companies
Debate has been raging for some time on how the EU’s General Data Protection Regulation (GDPR), which comes into force in May, will change various industries. From prophecies of doom to rejoicing at the prospects of trust, control and transparency returning to data – GDPR splits opinion. However, the consensus is that it will have a profound impact on how most organisations operate and how consumers behave. It is therefore surprising that there has been little consideration of how GDPR could radically change how startups receive investment.
From the viability of a business model and potential liabilities, to its growth strategy and security arrangements – every element traditionally used to assess the prospects of a company will need to change in light of GDPR.
At a basic level, investors will need to look carefully at whether the premise of the startup breaches GDPR, and crucially, whether the expected impact of GDPR on customer behaviour will affect the viability of that model.
This change will be most apparent in the value chain of personal data monetisation. Put another way, the model of hoovering up data via a free service, with the idea of one day making money via advertising or selling on that data, will become much more difficult to execute. This is because consumers will have much more power over their data, from the ‘right to be forgotten’ to granular control over how their data is analysed and shared.
Investors will then need to look carefully at whether the business development strategy a company is using, or proposes to execute, will be viable in a post-GDPR environment.
If, for example, a startup’s growth model is based on aggressive marketing techniques, it is unlikely to survive for long after May. This is because a startup will need to gain explicit consent to process and send marketing material to individuals using their personal data. This consent can be revoked at any time and the data must be, if requested, completely deleted.
The use of third-party data lists for marketing will be severely limited. This means that building a marketing database will ultimately become a slower process with an element of risk attached to it. In other words, the expectations that many investors and entrepreneurs have regarding the growth potential and reach of a startup may need to be significantly reduced in light of GDPR.
Assuming a startup’s business and marketing strategy could survive, it could still run into trouble when assessing risk. It is no secret that GDPR is backed up by substantial fines. Whereas data could once largely be viewed as an asset, it is now potentially a massive liability. Startups that could have investors running for the door are those that rely on access to personal data or sensitive data such as location, health and finance.
Of course, as I’ve mentioned, because of its complexity, GDPR divides opinion. As much as the above seems to indicate that it’ll have a negative impact on investment, the reality is likely to be very different.
For example, GDPR compliance could be viewed as a selling point and a strategic opportunity. Its main goal is laudable – redressing the balance of control of personal data back in favour of individuals. Businesses that respect data will engender the trust of their customers, which will open the door to being granted even more personal information. This will confer an advantage over competitors and, with new regulations such as e-Privacy and PSD2 liberalising financial information, will undoubtedly enable new areas of business development.
In a nutshell, investors and entrepreneurs need to be acutely aware of both the provisions of GDPR and its practical implications. Simply viewing it as a compliance exercise is short-sighted. Investors need to look for startups that live and breathe the principles behind GDPR and are positioned to take advantage of its opportunities.