The EU’s General Data Protection Regulation (GDPR) comes into force in May and will radically change how companies collect, store, manage, and use data. A shockingly high number of businesses are still unaware or simply not ready for GDPR. As a startup investor, you can’t afford to be ignorant of the legislation.

Unlike the infamous Cookie Law of 2011, GDPR cannot simply be dealt with through a few minor changes to a privacy policy. The EU has learned from the flaws in that directive and, consequently, has drafted GDPR so that businesses need to adhere to the spirit of the objectives and not simply ‘check a few boxes’.

When evaluating a startup, investors need to look carefully at whether the premise of the business breaches GDPR and, crucially, whether the expected impact of GDPR on customer behavior will affect the viability of that model.

For example, any model that involves collecting data via a free service with the idea of one day making money through advertising or selling that data will become much more difficult to execute when consumers have granular control over how their data is analyzed and shared.

On the other hand, startups that were previously considered less than optimal could now be worth a second look. One example is subscription-based consumer apps that would have lost out to free, ad revenue-driven counterparts.

Recalibrating growth expectations

Investors also need to look carefully at whether the business development strategy a startup is using, or proposes to use, will actually be viable in a post-GDPR environment.

If, for example, a startup’s growth model is based on aggressive marketing techniques, it is unlikely to survive for long after May. This is because a startup will need to gain explicit consent to process and send marketing material to individuals using their personal data. This consent can be revoked at any time and the data must, if requested, be deleted.

Using third-party data lists for marketing will be severely limited. This means building a marketing database will become a slower process with an element of risk attached to it.

Startups will need to focus on gathering accurate and permissioned data. This data will need to be used carefully with more intelligent marketing campaigns that focus squarely on delivering personalized and meaningful content.

In other words, investors and entrepreneurs may need to significantly reduce their expectations of the business’s growth potential and reach in light of GDPR. More sophisticated marketing techniques will require more money and so may call into question the entire value of the investment. This is especially true when considering the additional responsibility and liability GDPR will impose on most organizations.

The risk-versus-reward equation changes

As GDPR is wide-ranging and backed by substantial fines, the risks associated with a startup that relies heavily on data increase dramatically. Where data could previously be viewed largely as an asset, it is now, potentially, a massive liability.

Companies can mitigate this risk by implementing the privacy-by-design principles mandated by GDPR and by having robust data management, governance, and security features. Many businesses already put a premium on security; however, GDPR significantly increases the responsibility on data processors and controllers. Startups at particular risk are those that rely on data related to location, health, and finance, as well as those that aggregate profile details to optimize targeting. All child-related data will also be far more difficult to manage.

As an investor, your initial vetting of a startup should test whether it fully understands GDPR and has taken all the steps it needs to comply. If the business is data focused, look for potential gaps in security and governance and ignorance of data-related responsibilities.

GDPR as a strategic advantage

All of the above may seem to indicate GDPR will have a negative impact on startups, but that couldn’t be further from the truth. GDPR compliance will be a selling point and a strategic opportunity.

Businesses that respect data will engender the trust of their customers, opening up the door to being granted even more personal information. This will confer an advantage over competitors and, with new regulations such as e-Privacy and PSD2 opening up financial information, will facilitate new areas of business development. Startups and investors need to recognize the value of being entrusted with personal data and that complying with GDPR is at the heart of building this trust.

Undoubtedly, GDPR will result in even more profound changes no one has yet anticipated. This upheaval will present investors and entrepreneurs with new challenges and opportunities. Whatever the ultimate outcome of GDPR, it is a profound set of regulations that cannot be ignored — and it is a subject every investor and startup must understand thoroughly.

Julian Saunders is founder of PORT.im, which helps companies become GDPR compliant.
