Securing a startup in the GDPR age

Data breaches have become a common occurrence for businesses worldwide. In fact, crooks stole around 1.9 billion data records in the first half of 2017, while the number of incidents between 2016 and 2017 grew by 13% - costing companies millions.

Cyber attacks are thought to cost the global economy around $400 billion (291 billion) annually, according to the Center for Strategic and International Studies, while a study from security firm Bitdefender puts the individual cost of breaches to companies at $1 million.

Then there's a company's reputation to consider. When large firms such as Equifax are hit by breaches, they often have sizeable budgets and sophisticated crisis management systems to mitigate the fallout. But for small and medium-sized enterprises, being targeted by attackers can easily put them out of business.

Start-ups tend to be the most vulnerable in this regard. They often don't have the financial resources to invest in fancy cyber security systems, and rarely have the luxury of a loyal customer base. This, coupled with the added pressure of the General Data Protection Regulations, which have overhauled a company's responsibilities towards data retention, means startups face harsh challenges when it comes to improving their security.

The question is, how can startups do this effectively?

Teamwork is essential

GDPR aims to tighten up data protection practices, effectively handing back control of personal information to the data subject. For large companies that have dedicated security teams, adhering to the regulation is relatively easy.

However, Jason Hill, executive partner of business development agency Reply Group, says the changes present an "overwhelming challenge" for smaller companies, particularly startups, given the complexity of the regulations and the need for specialised knowledge.

When it comes to implementing systems to comply with the ruling, Hill says firms should "assess all relevant parties and ensure they are involved in the process. From legal representatives to IT managers, everyone should be responsible for improving data protections."

"The next step is to evaluate your current privacy organisational model and assess which parts need to be changed," says Hill. "Develop a framework based on this and apply it to all the relevant countries and legal entities of the enterprise.

"Make sure you can show accountability for all the processing activities and that the cross-border data flows are compliant with GDPR. Once this has been achieved, it's critical you give your employees the time and resources they need to be trained and become familiar with the changes."

Rushing doesn't help

Andy Barratt, who heads up the UK operations of cyber security firm Coalfire, believes that startups don't need to spend huge amounts of cash to comply with GDPR. In fact, he argues that rushing to adhere to the regulation can be more expensive.

"Lots of people are talking about the price of not complying being high, but so could the cost of rushing in. One of GDPR's requirements is that firms assign a dedicated data protection officer (for those processing customer data on a large scale)."

"In the case of most startups, that won't mean hiring an extra member of staff and, for many others, it's a requirement they don't need to meet. However, the confusion and haste can sometimes lead to poor decisions," says Barratt.

Instead, he believes GDPR should act as a "catalyst for some good data governance", particularly as the Information Commissioner's Office has gone to lengths to position the regulations as an opportunity to garner trust from customers.

"Start-ups should take time to work with the ICO, using the assistance it offers and seeking external advice where needed, rather than rush in and make mistakes they may come to regret," says Barratt.

Importance of good data practice

There's no denying the fact that consumers are becoming increasingly aware of their data privacy rights. While users may be happy to share personal information with companies in return for a valuable service, there's always an opportunity for firms to abuse their position.

The revelation that some 87 million Facebook users may have had their data improperly shared through analytics firm Cambridge Analytica was cause for alarm for many. Trust in the social media giant has waned, and it's unclear whether senior management will emerge unscathed. Yet, it's likely to survive an incident that would otherwise prove fatal for a startup.

"(There's) an increasing awareness of the power of consumer data and the nefarious or even destructive uses to which it can be applied," says Sheryl Kingstone, an analyst at 451 Research.

This has proven particularly problematic for fledgeling businesses, as she believes "everything from selecting and implementing technology vendors, customer engagement strategies, data partnerships and advertising campaigns" will be affected by the need for increased transparency.

Embracing the cultural shift

Dan Vartanov, chief technology officer of Swansea-based e-commerce start-up Veeqo, agrees, arguing that SMEs need to be paying close attention to their new responsibilities under GDPR, because even "a single data breach could see them going out of the business".

If there's one thing that's certain, it's that companies - no matter how big or small - cannot shy away from GDPR - even if smaller firms aren't lucky enough to have large security budgets.

The biggest change, however, is a cultural one, as many smaller firms are now being forced to prioritise the expense of data security over maximising profits. As Vartanov posits, "smart and responsible startups should make sure they exercise information security best practices, even without regulations forcing them to do so."

Image: Shutterstock

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.