Amid growing concern over data breaches, the EU Parliament finally passed GDPR (General Data Protection Regulation) after four years of preparation and debate; enforcement begins on May 25, 2018. Though it originated in Europe, GDPR is a form of long-arm jurisdiction that affects many U.S. companies — including most software startups, because data collection and user privacy touch so much of what they do. With EU regulators focusing most on transparency, GDPR affects everything from user interface design to engineering to legal contracts and more.
That’s why it’s really about “privacy by design”, argues former environmental scientist and lawyer Lisa Hawke, who spent most of her career in regulatory compliance in the oil industry and is now Vice President of Security and Compliance at a16z portfolio company Everlaw (she also serves as Vice Chair for Women in Security and Privacy). And it’s also why, observes a16z board partner Steven Sinofsky, everyone — from founders to product managers to engineers and others — should think about privacy and data regulations (like GDPR, HIPAA, etc.) as a culture… not just as “compliance”.
The two break down the basics of GDPR in this episode of the a16z Podcast — the why, the what, the how, the who — including the easy things startups can do immediately, and on their own. In fact, GDPR may give startups an edge over bigger companies and open up opportunities, argue Hawke and Sinofsky: even with fewer resources, startups have more organizational flexibility, if they are willing to put in the work.
Links mentioned in this episode (and other resources):
- GDPR compliance doc — Everlaw open-sourced this Google Spreadsheet tool, which combines documentation for GDPR Article 30 (Records of processing activities), Article 32 (Security of processing), and Article 35 (Data protection impact assessment) into one workbook, including a place to document Article 15 (Right of access by the data subject) requests
- “Privacy by Design” foundational principles — by Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada
- Privacy and Security by Design: An Enterprise Architecture Approach — by Ann Cavoukian and Mark Dixon (Oracle)
- General Data Protection Regulation — a Stripe guide by Sára Gabriella Hoffman