The EU’s General Data Protection Regulation (GDPR) is a sweeping piece of legislation that will fundamentally change how data is used, protected and controlled. It has teeth – manifested by its big fines for breaches which the ICO are indicating they intend to exercise. However, GDPR is nothing to be feared. As has been discussed at length, it is a force for good, empowering people, promoting transparency and accountability, and a mechanism to improve marketing, customer service and a host of other business processes.
A little-talked-about aspect of GDPR is how it could change how startups raise funding. There are three areas it could impact. The first is how investors assess the risks and benefits associated with a company, particularly how it will collect, store, manage and use private data.
For example, if a consumer-focused app proposes to eventually use customer data to monetise via ads, the simple question would be how likely is this to be achieved in a post-GDPR world where customers need to explicitly opt-in to marketing and can easily request for their data to be deleted? A business model that fails to consider the new marketing reality would be unlikely to gain investor confidence.
Added to this is the expertise and experience a business has with ensuring proper security and management of data. With significant fines for breaches, the risks associated with a startup that has no experience with data management could be a big red flag. This will be a particular point of focus if the business is planning to provide services to other businesses as many enterprises will demand self-certification of GDPR compliance and contracted liability for data breaches and mismanagement.
The second aspect, linked to the first, is using GDPR to differentiate a company. If your startup can prove that it is fully GDPR compliant and has been built on privacy-by-design principles, it could confer numerous benefits. It could be a selling point to support business development – essentially a public vote of confidence that boosts the brand. For investors it is a clear indication of forward-thinking and maturity. It basically says that the company can deal with complicated pieces of legislation and understands the future demands of businesses in a consumer-empowered world.
The final area worth considering is how GDPR will impact the ability of the investor community to hold, analyse and use data. There are many avenues through which information on a prospective investment is collected and used. For some firms this involves mining of online data sources. Like every other organisation impacted by GDPR, VCs and private equity firms will need to think carefully about when consent is needed to collect data and the security arrangements around holding it. They will also need to invest in data management solutions to enable data to be modified, sent or deleted if requested.
What I have discussed above is only a very brief overview of how GDPR could change startup-investor relations. The simple message to entrepreneurs is to seriously think about how to turn GDPR compliance into a selling point for their companies. This involves taking into account how the effects of GDPR will potentially change the behaviour of their target audience, as well as how their business will function. For investors, GDPR cannot be ignored when assessing the viability and potential of a business. It also cannot be ignored when considering their own data governance.