There is so much fun and sexy stuff that goes into building a start-up: hiring smart people, chasing funding, developing an exciting marketing plan, going to and hosting events, buying groovy furniture for your funky office in London’s Shoreditch or Berlin’s Friedrichshain. But however disruptive and exciting your venture, there is one area founders and young, fired-up entrepreneurs tend to forget about: compliance.
Compliance sounds like something for the grown-ups rather than the cool kids to worry about. It is a dull word and a complex subject — and one that can get you into serious trouble if you do not have as tight a grip on data protection and software licensing as you do on choosing the football table for that office.
Data protection and hacking is perhaps the scariest aspect of all this. It sometimes feels like a day never goes by without another big data breach hitting the headlines. There have been some huge breaches this year alone: Dropbox revealed in September that the login details of 68m users had been compromised in a hack that happened in 2012. In the same month, Yahoo told the world that some half a billion users’ details had been hacked and exposed.
When the focus is on large companies such as Dropbox or Yahoo, it might be tempting for the founder of a start-up to think that the complexities of data protection, security infrastructure and risk management are not something she or he needs to be concerned about.
Rune Syversen, co-founder of Crayon, the software licensing company, says small companies tend not to think about the necessities of compliance “until it’s too late”. He points out, however, that the complexity of compliance tends to increase the longer a company is in business, so it is wise to build it in from the start rather than to add it as a bolt-on later.
Syversen is talking specifically about software asset management — keeping tabs on what software is being used in your organisation, how that is licensed and whether the licences are up to date. But the same concerns apply equally to data security.
Data protection laws apply to individuals and all businesses, regardless of their size. A breach can lead to a fine; the maximum fine under existing UK data protection legislation is £500,000. That kind of sum might be small change for a big company but it could empty the coffers of a start-up relying on seed funding or early tranches of investment.
Meanwhile, Brexit notwithstanding, the new EU General Data Protection Regulation (GDPR) is due to come into force in May 2018. This is a concern not only for UK businesses — the new rules require any company that handles the personally identifiable data of an EU citizen to comply.
One of the key principles of GDPR is “privacy by design”, which says that looking after the security of personal data you are entrusted with as a business should be at the heart of your company.
The new regulation is a vast compliance exercise regardless of the size of the business — and it carries much heftier fines for non-compliance than existing UK law provides for. The exact size of any fine will depend on the severity of a breach, but if it is serious enough, a business could face a fine of up to €20m or 4 per cent of global turnover, whichever is the higher.
Data protection is as much a risk-management exercise as it is about IT. It is a common mistake in organisations of all sizes not to realise that and to leave it to the IT department, rather than making it central to general strategy.
Not all risk management around data security is as eye-catching as the news that banks have been hoarding bitcoin to pay ransomware demands. Presumably they are calculating that it is cheaper to buy the cryptocurrency now, when the volatile commodity is not being pushed up by people panic-buying it to pay off cyber crooks, than it is to spend money strengthening IT systems. Businesses grapple with the question of whether it will cost more to build up cyber defences, or whether it would be cheaper to ignore the complexity and cost of improving their data security regime and simply cough up if they suffer a breach and are hit with a fine.
Whichever you decide, that is not the sort of decision you should leave to the IT department. The young founder needs to put compliance and data security at the heart of the business: an empowered and knowledgeable chief information officer is just as important as any other C-suite executive — even if your C-suite is less a suite than a corner of a warehouse in Shoreditch.
It is here that start-ups have an advantage over bigger, older businesses, especially those that have had to make the transition from analogue to digital. Those “legacy” organisations have had to graft data security and compliance on to established ways of doing business. Or they are stuck with a less than ideal set-up that has evolved over time and would cost a fortune to replace.
A telling parable for that scenario is the saga of Hillary Clinton’s email server: the Clintons started off with a single Mac in their basement in New York state that was pressed into service as a mail server. A few hardware and software upgrades and a move to a New Jersey data centre later, and the Clintons were the owners of a ramshackle set-up, oblivious to the running and problems of it.
That this came back to haunt Clinton during her bid for the US presidency is a useful reminder that protecting the personal data you are entrusted with should be at the heart of your thinking and your company. If there is one thing a funky young business should be, it is a grown-up about data security.