2 March 2018 Courier Weekly

Even tiny ice-cream brands aren’t safe from the perils of GDPR

Dealing with data – Getting prepared – Patient data – Selling GDPR – VC wobbles

GDPR is a big deal.

The General Data Protection Regulation – which kicks in on 25 May – will change the way every business with EU customers operates, regardless of its size.

And it doesn’t just apply to tech or marketing firms. GDPR requires all businesses to get to grips with exactly what personal data they collect — on customers, employees and suppliers — and empower those people to access and even remove the data at their request. (This explainer goes into more detail on exactly what’s required.)

The small businesses doing their homework.

Reports suggest as many as two-thirds of new businesses aren’t prepared for GDPR, with the scope of work required varying greatly from business to business.

Mailing lists could pose problems for many small companies – something healthy ice-cream brand Oppo’s brand manager, Kitty Walker, says is a big issue.

Until recently, Oppo offered subscribers ice-cream vouchers in exchange for their email address – an incentive that will now be deemed improper under GDPR. As a result, the brand must now ask its subscribers to ‘re-opt in’ to receive communications. It’s expected a big chunk of subscribers will drop off as a result.

Walker also says a lot of time has been spent making sure staff laptops are encrypted and contracts drafted up for suppliers with updated specifications on how personal data must be handled. In total, she reckons a solid week will be lost getting GDPR-ready.

Meanwhile, Cambridge-based creative agency The District not only has to make its own website GDPR compliant, but also the websites it has created for clients. Fortunately, it can charge a day rate (£600) for this work. The most complicated websites can take around three days to make ‘GDPR ready’.

More data protection for NHS-focused businesses.

Naturally, healthcare businesses are already pretty good at data protection (the NHS requires them to be).

But when it comes to GDPR, companies are reportedly still waiting for clarification on some major issues, despite it coming into effect in less than two months.

Echo, an app that posts medication for NHS patients, says the main problems involve consent and the right to be forgotten:

  • In the UK, if a clinician believes a patient is a risk to themselves or others, they are within their right to inform the patient’s next of kin about their medical status. This conflicts with GDPR requirements to protect an individual’s privacy.
  • If Echo sent medication to a patient who then requested to have their data scrubbed from its system, it would be unclear how Echo could contact them in the unlikely scenario of a medication recall or other concern.

Right now, Echo co-founder Stephen Bourke estimates he spends 20% of his time sorting out data security (including GDPR preparation).

Niche businesses cashing in on data worries.

A handful of businesses have begun offering services targeting confused business owners who want to get GDPR-compliant.

Among them are Port.im, Contractbook and Egnyte.

Port was founded in 2015 by Julian Saunders. The startup offers a platform where a business can store its personal data, and access it ‘live’ rather than hosting it on its own computers. Port shoulders the responsibility of making sure data is held in a GDPR-compliant way, so the business doesn’t have to. Port charges up to £300 per month for the service.

‘We see a situation in the future where lots of small businesses won’t want to store personal data themselves,’ Saunders says. ‘They’ll want to use it live and leave it where it was, to maintain security and reduce liability.’

Contractbook, a Danish business, allows users to create, sign and store contracts on its platform. California-based Egnyte, founded in 2007, is using GDPR as an opportunity to market its data-storage solutions.

GDPR’s implications for fundraising.

There’s potential for GDPR to impact the appetite among VCs for funding new data-driven firms. On the flip side, businesses that have their houses in order may see a bump in their valuations.

Meanwhile, firms focused on data privacy have drawn healthy amounts of funding in recent months. Privitar, a UK-based company that anonymises data, raised £12m in July 2017, while Privacy Labs raised £3m in February 2017 for its mission to allow customers to ‘regain control’ of personal data.

‘Startups that are far more explicit about what they’re doing with data will be able to distinguish themselves,’ Steve Herrod, managing director at General Catalyst, told The International Association of Privacy Professionals.

Businesses that have growth plans based around aggressive marketing tactics – for example, by buying email marketing lists – will appear less attractive to VCs after May, Port’s Saunders argues in the Global Banking & Finance Review.