There is so much fun and sexy stuff that goes into building a start-up: hiring smart people, chasing funding, developing an exciting marketing plan, going to and hosting events, buying groovy furniture for your funky office in London’s Shoreditch or Berlin’s Friedrichshain. But however disruptive and exciting your venture, there is one area founders and young, fired-up entrepreneurs tend to forget about: compliance.
Compliance sounds like something for the grown-ups rather than the cool kids to worry about. It is a dull word and a complex subject — and one that can get you into serious trouble if you do not have as tight a grip on data protection and software licensing as you do on choosing the football table for that office.
Data protection and hacking is perhaps the scariest aspect of all this. It sometimes feels like a day never goes by without another Big Data breach hitting the headlines. There have been some huge breaches this year alone: Dropbox revealed in September that the login details of 68m users had been compromised in a hack that happened in 2012. In the same month, Yahoo told the world that some half a billion users’ details had been hacked and exposed.
When the focus is on large companies such as Dropbox or Yahoo, it might be tempting for the founder of a start-up to think that the complexities of data protection, security infrastructure and risk management are not something she or he needs to be concerned about.
Rune Syversen, co-founder of Crayon, the software licensing company, says small companies tend not to think about the necessities of compliance “until it’s too late”. He points out, however, that the complexity of compliance tends to increase the longer a company is in business, so it is wise to build it in from the start rather than to add it as a bolt-on later.
Syversen is talking specifically about software asset management — keeping tabs on what software is being used in your organisation, how that is licensed and whether the licences are up to date. But the same concerns apply equally to data security.
Data protection laws apply to individuals and all businesses, regardless of their size. A breach can lead to a fine; the maximum fine under existing UK data protection legislation is £500,000. That kind of sum might be small change for a big company but it could empty the coffers of a start-up relying on seed funding or early tranches of investment.
Meanwhile, Brexit notwithstanding, the new EU General Data Protection Regulation (GDPR) is due to come into force in May 2018. This is a concern not only for UK businesses — the new rules require any company that handles the personally identifiable data of an EU citizen to comply.
One of the key principles of GDPR is “privacy by design”, which says that looking after the security of personal data you are entrusted with as a business should be at the heart of your company.
The new regulation is a vast compliance exercise regardless of the size of the business — and it carries much heftier fines for non-compliance than existing UK law provides for. The exact size of any fine will depend on the severity of a breach, but if it is serious enough, a business could face a fine of up to €20m or 4 per cent of global turnover, whichever is the higher.
Data protection is as much a risk-management exercise as it is about IT. It is a common mistake in organisations of all sizes not to realise that and to leave it to the IT department, rather than making it central to general strategy.
Not all risk management around data security is as eye-catching as the news that banks have been hoarding bitcoin to pay ransomware demands. Presumably they are calculating that it is cheaper to buy the cryptocurrency now, when the volatile commodity is not being pushed up by people panic-buying it to pay off cyber crooks, than it is to spend money strengthening IT systems.
