Last month, GDPR celebrated its second birthday. Across the pond, CCPA has taken effect and its enforcement will start this summer. The Cambridge Analytica scandal continues to cast its long shadow, with consumers more privacy-conscious than ever before. And now, COVID-19 has created entirely new forms of public discourse on data protection.
It's clear that data privacy has never been a higher priority for enterprises and consumers alike, and this is driving a wave of startup activity. In this post, we focus on compliance tooling - a market that's growing fast as regulation proliferates - and on compliance as a potential source of competitive advantage.
To mark GDPR's birthday, we assembled a small roundtable of industry experts and early-stage founders, who shared their perspectives on privacy compliance and on the opportunities created by data protection. Many thanks to the IAPP, Aircloak, Dataswift, D-ID, Metomic, Mine, Usercentrics, and WSGR for contributing to a lively discussion. In this post we'll share our takeaways with you.
As privacy regulations expand in scope and reach, the burden of compliance grows. Every business handling personally identifiable information (PII) faces new categories of mandatory spend. Gartner estimates that global spend on privacy compliance tooling will reach $8B by 2022, and that a single data subject access request costs a typical enterprise ~$1,400 to fulfil. Compliance requires a host of new or revised business processes, each with underlying implications for the architecture, storage, and processing of personal data. Non-compliance can be costly, with GDPR breach fines reaching 4% of an enterprise's revenue - although DPAs' ability to enforce at scale is an important challenge.
Facing this complexity, enterprises have spent generously on software and services enabling regulatory compliance. GDPR was the first trigger for a wave of 'compliance-as-a-service' tools, from which OneTrust has emerged as a category leader (as have other VC-backed players like BigID and TrustArc).
But we think this is only the first chapter in the privacy compliance story. Why? There are five key forces driving expansion of the market:
With these triggers in mind, we're excited to meet founders taking a fresh approach to a growing problem, as enterprises push to achieve compliance, but also:
(a) minimise the cost of compliance (and minimise the time required for non-value-adding compliance work);
(b) minimise the impact of compliance on core business operations;
(c) build better experiences for privacy-conscious consumers, and hence turn compliance into competitive advantage.
If you're building a novel solution to this problem, we'd love to hear from you!
Bart and Chandar