In a month with two gargantuan fines levied at tech companies for data breaches, the full effects of Europe’s General Data Protection Regulation (GDPR) are coming into focus.
GDPR, which took effect last May, requires companies to report data breaches to the appropriate European authorities within 72 hours of discovery and stipulates that local data protection agencies across the EU bloc can fine a company up to 4% of its total annual revenue if authorities determine it took insufficient measures to protect data.
Until this month, the vast majority of GDPR fines amounted to tens or hundreds of thousands of euros — with the one notable exception of Google, which was hit with a €50 million ($57 million) fine by French data privacy body CNIL back in January. Then a few weeks ago British Airways (BA) was slapped with a provisional £183.39 million ($230 million) fine over a 2018 security lapse that compromised the personal data of around 500,000 customers, and a day later hotel giant Marriott was hit with a £99 million ($123 million) fine for similar breaches.
By contrast, Facebook received a paltry £500,000 ($644,000) fine for the Cambridge Analytica episode — arguably one of the biggest data-harvesting debacles in recent times — because it fell under pre-GDPR regulations. If nothing else, GDPR means companies that work with large pools of customer data now have to treat it with kid gloves.
Aside from GDPR, Europe is also weighing up a new ePrivacy Regulation, which covers individuals’ privacy in relation to electronic communications. Elsewhere, countries and jurisdictions around the world are increasingly adopting their own privacy-focused regulations, with the likes of China and Russia already instilling local data residency requirements for citizens. And the California Consumer Privacy Act (CCPA) designed to enhance privacy rights of consumers living in the state will take effect on Jan 1, 2020.
Amid all this turmoil, companies are emerging to capitalize on the growing demand for data privacy tools, both for regulatory compliance and consumer peace of mind. In the past month alone, at least five such companies have raised sizable sums of cash for various data privacy, protection, and compliance products. Here’s a quick look at the companies and what they do.
InCountry touts itself as a “data residency-as-a-service” platform that helps international companies store customer data locally. It offers the global infrastructure to store and retrieve data in its country of origin, serving up an API that funnels data between InCountry’s local datacenters, which are provided by Amazon’s AWS, Microsoft Azure, Google Cloud Platform, and Alibaba Cloud.
The InCountry platform is not so much about replacing an application’s own data store as it is adding an extra local repository for specific regulated data. For now, InCountry offers a single product called Profile, which enables compliance around user profile and registration data, but plans are in place to expand this to cover payments, transactions, and health data.
“We’re witnessing more countries signing in data laws each week, and we’re only going to see those numbers increase,” noted Sundeep Peechu, managing director at InCountry seed investor Felicis Ventures.
Atlanta-based OneTrust is a data privacy management compliance platform that, similar to InCountry, was established to help businesses adhere to the growing array of regulations around the world, including GDPR and CCPA.
The OneTrust platform includes a template-based self-assessment tool that allows companies to see how close they are to complying with GDPR, Privacy Shield, and other legal frameworks, while “data mapping” helps companies understand how data is flowing through the organization and across borders.
OneTrust also offers various tools for marketers, including cookie compliance, mobile app compliance, and consent management, in addition to risk-management and breach response tools.
Earlier this month, OneTrust raised its first round of funding — $200 million at a $1.3 billion valuation, a clear indicator of the growing value being placed on data privacy compliance services.
“New privacy regulations, like the CCPA and GDPR, are a direct market reaction to consumer demand for improved data privacy protection,” noted Richard Wells, managing director at Insight Partners, which invested in OneTrust’s series A round.
TrustArc, which raised a $70 million round of funding a few weeks back, develops data protection, certification, and compliance products for enterprises — its platform is about helping companies monitor risk around regulations and identify gaps across various regulatory frameworks.
Similar to OneTrust, TrustArc can also handle cookie consent preferences for GDPR and facilitate processes for marketing campaigns, including user consent for outbound emails.
The San Francisco-based company has actually been around since 1997, when it was founded as a nonprofit called TRUSTe, but it evolved into a VC-backed for-profit company in 2008. It changed its name to TrustArc in 2017 to “reflect its evolution from a privacy certification company into a global provider of technology-powered privacy compliance and risk management solutions,” the company said at the time.
The emergence of GDPR played a part in TrustArc’s evolution — at the time of its rebrand, the company carried out a survey of “privacy professionals” and found that 83% intended to invest a six-figure sum in GDPR compliance, while one-quarter anticipated spending more than $1 million to meet privacy standards. “The survey data validates the growing market demand TrustArc has experienced for new technology solutions and consulting services to help businesses address global privacy compliance and risk management challenges,” the company said at the time.
London-based Privitar, which raised $40 million last month, helps enterprises engineer privacy protection into their data projects, allowing them to leverage large, sensitive data sets while complying with regulations and ethical data principles.
“The world is increasingly aware of the importance of protecting private information, and privacy engineering is becoming intrinsic to the way organizations manage and share data,” said Privitar CEO Jason du Preez.
Among the company’s products is Privitar Lens, designed to help companies build “privacy-preserving access to sensitive data sets.” Then there is Privitar Publisher, which offers “privacy engineering” smarts such as data-masking and k-anonymity — helping non-technical users create and manage data protection policies. It can also embed invisible watermarks in protected data to help trace unauthorized data distribution back to the responsible party.
Privitar also offers SecureLink, a data-linking system designed to circumvent data silos among organizations and encourage companies to share information securely with each other.
BigID was founded in 2016, just as Europe was finalizing GDPR.
The New York-based startup helps enterprises protect customer and employee data, using machine learning to automatically find sensitive data held on internal servers and databases, analyze it, de-risk it, and ensure that organizations are complying with data protection regulations. The platform makes it easier for large companies, which may hold petabytes of customer information, to uncover “dark” or uncatalogued data and correlate it to a specific user identity.
The BigID platform also helps companies track cross-border data flows and can generate customized data access reports.
BidID raised a $30 million series B round of funding last year. Last week, news emerged that it has now raised an additional $50 million — though the round isn’t closed yet, so the final tally could end up being more.
The bigger picture
Meanwhile, all of the major cloud companies have been investing heavily in local infrastructure for a while. While this promises lower latency and faster data transfers to attract new customers, another core reason the likes of Amazon, Google, and Microsoft are expanding their datacenter coverage comes down to data sovereignty. The basic idea is that digital data should be subject to the laws of the country in which it is located — that’s why Google is shifting control of European data from the U.S. to Ireland, and it’s why Amazon has opened datacenters in India.
Barely a day goes by without data breaches, regulations, or general privacy issues grabbing the headlines. Yesterday alone, the Federal Trade Commission (FTC) announced that Equifax would pay at least $575 million in a settlement for a 2017 data breach, while over in Asia news emerged that China’s Bytedance, which owns the popular short video app TikTok, would open its first Indian datacenters ahead of new data protection legislation.
The broader data protection market, which covers everything from cybersecurity to disaster recovery and compliance, will reportedly be worth $120 billion by 2023. But the recent flurry of investment in the data privacy and compliance realm, specifically, highlights the shifting regulatory landscape globally. With that comes big opportunities for companies such as InCountry, OneTrust, TrustArc, Privitar, BigID, and countless others that take a product-based approach to managing data privacy.
“Privacy has become a defining 21st-century social and corporate issue, but it’s hard to ensure — even for the most sophisticated companies,” said BigID CEO Dimitri Sirota during the startup’s raise last year. “Managing privacy to date has been based on policies and processes, not product.”