Europe’s New Data Privacy Rules Nourish U.S. Privacy Tech Sector
Take a look at this blurb for a session about data privacy at the upcoming RSA conference on cybersecurity. It sounds a polite warning:
“The importance of privacy is often alluded to in generalized, value-laden terms that, while sincere, don’t necessarily help privacy be taken seriously in the enterprise risk management process.”
That situation is changing radically, with the looming May 25 deadline for enforcement of the European Union’s General Data Protection Regulation (GDPR)—a sort of Magna Carta for the right of individuals to control the use of their own data. The sweeping new EU privacy protections apply to any company anywhere that holds data on any EU citizen—not just businesses located within the 28 EU member nations. And the maximum fine for violations—as much as 4 percent of a company’s global annual revenue—tends to concentrate the mind wonderfully on compliance.
That has created opportunities for both startups and entrenched tech companies that already address privacy issues.
GDPR, enacted in 2016, is widely recognized as a major accelerant for the growth of an existing, if relatively small, privacy-related B2B sector. Companies are pursuing a variety of ways to help their corporate customers track the personal data they collect from customers, and make sure they’re not running afoul of government regulations in any of the regions they operate in—either physically or virtually.
The privacy tech and services category overlaps with cybersecurity, because big security players such as IBM, Symantec (NASDAQ: SYMC) and Proofpoint have folded data privacy into their operations. But the goals of personal privacy protection are somewhat different from typical cybersecurity missions, such as shielding a company’s data trove from theft by hackers.
Certainly, fending off a big hack can avoid harm to the users of an e-commerce app, whose credit card numbers might have been sold to criminals, for example. But privacy laws such as GDPR also aim to shield personal data from unauthorized use by non-criminals—by the thousands of companies that vacuum up details about people who visit their sites, and that may share it with advertisers and others for profit, without the visitors’ explicit consent.
GDPR, while enabling regulators to punish privacy law violators, also puts power in the hands of individuals to limit data collection upfront, and to demand that much of their data that’s already been extracted be purged.
“EU consumers can ask a company, ‘What data do you have about me?’ and then tell you to forget it,” says Chris Babel, CEO of San Francisco-based privacy technology company TrustArc.
That kind of regulatory provision is driving the evolution of the data privacy sector from a realm dominated by privacy consultants and attorneys to an arena populated by technology companies that can automate data management and retrieval, Babel says. Tech companies are also helping clients tackle another GDPR rule that lays out guidelines for rapid corporate responses to data breaches. In some cases, GDPR would require companies to notify authorities and affected individuals within 72 hours when personal data has been stolen.
“The market is turning to tech providers,” Babel says.
Outside the EU, other countries such as Australia, Russia, and China have also beefed up their privacy regulations, which increases the complexity of compliance for companies gathering personal data as they operate in a global marketplace.
In the United States, privacy technology companies have already found niches in assisting clients to comply with domestic regulations that apply to specific populations, such as patients, whose medical data are covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996); and children, whose privacy is regulated by COPPA (the Children’s Online Privacy Protection Act of 1998). Palo Alto-based TrueVault, which was founded in 2013 to keep clients compliant with HIPAA, has now added a GDPR-related feature that “pseudonymizes” data.
TrustArc’s Babel has been a longtime participant and observer of the U.S. privacy tech scene since the late 1990s. While the United States had no comprehensive regulatory scheme to protect privacy and data security, companies arose to shore up consumer confidence in the new businesses that technology was making possible, such as e-commerce.
For 10 years, Babel was the manager of Verisign’s global SSL and Identity Authentication business. Verisign’s SSL (Secure Sockets Layer) facilitated encrypted communications between web browsers and the servers of online businesses, to protect credit card numbers, passwords, e-mails, and other personal details. In late 2009, Babel was recruited as CEO of Truste, a former non-profit that audited businesses for voluntary compliance with its privacy standards and granted them a Truste seal to reassure consumers. Truste was reorganized as a for-profit business in 2008 after a major investment by Accel Partners, and was later re-named TrustArc. The company’s suite of privacy services now encompasses compliance with government regulations including GDPR.
Babel says he moved from the cybersecurity arena into a privacy-focused business because he could tell it was a ripe field for innovation.
“I saw that it was going to need technology, and it was going to need it very soon,” Babel says. He says the privacy sector is poised to make the same transition that cybersecurity has made as it scaled up, from artisanal consulting to software-driven surveillance. Companies used to hire “white hat” hackers as consultants to test their cybersecurity defenses, he says. Now they sign up with tech companies using automated processes to patrol their data center perimeters, their Web-based data operations, their e-mail systems, and other points of vulnerability.
Global cybersecurity spending could top $98 billion worldwide in 2018, according to a Gartner forecast in December.
Privacy tech and services market size
Estimates vary for the size of the privacy-related business market, which covers categories including data management software, incident response guidance, de-identifying and data anonymizing technology, hardware, and advisory services from law firms and consultants.
In an estimate based on aggregate payments to privacy technology companies alone, the International Association of Privacy Professionals (IAPP) gives a ballpark market size of about half a billion dollars. The IAPP estimate is based on an average expenditure of $206,000 a year among the roughly 2,200 global companies whose revenue is $1 billion or more. The IAPP, a not-for-profit organization that provides resources and training to privacy professionals, based its estimate on data collected in June. Its ballpark figure doesn’t include expenditures by the global ranks of mid-sized companies and startups that are also scrambling to reach compliance with GDPR. IAPP expects the market size to grow quickly, says a spokesperson for the group.
Fortune’s Global 500 companies could spend as much as $7.8 billion over a multi-year period to achieve compliance with GDPR, IAPP and EY concluded. That estimate includes spending on items in addition to technology, such as consultants, modifications to company products, and new hires to fill privacy protection roles.
Many of the tech companies offering data privacy services have sprung up in Europe, where the number of people protected by GDPR is greatest, according to IAPP. Those companies include the Dublin, Ireland-based firm EuroComply, a compliance software provider. Ireland’s foreign development agency, IDA Ireland, has been counseling U.S. companies on the GDPR as part of its mission to foster the expansion of the American tech industry into Ireland, an EU member.
Paraic Hayes, a West coast representative for IDA, says the most eye-opening thing for U.S. companies is learning about the cultural foundation for the EU’s adamant stance on personal privacy, which is considered a fundamental human right. That stems from the region’s experiences with authoritarian regimes that amassed information about their own people, he says.
“There’s still a cultural stigma to it,” Hayes says.
While IDA finds that big companies such as Facebook are well-prepared for GDPR, Hayes says most of its guidance discussions on the new regulations are with “newer, less mature” companies.
A cruise around the privacy-related business landscape in the United States illustrates the variety of companies vying to help clients cope with the intensifying regulatory environment.
The Bay Area hosts a sizeable cluster of companies either focused primarily on data privacy work, or including it among their offerings in cybersecurity and other core functions. They include the San Francisco startup Privacera, founded in 2016, which maps and monitors the flow of sensitive information through a customer’s network; and TrustArc, which adds to those mapping functions an array of other services including website scanning, risk assessment for compliance with GDPR and other government regulations, the management of cross-border data transfers, ad-compliance features, and mechanisms for user consent to allow cookies on their devices.
Sunnyvale, CA-based cybersecurity company Proofpoint has long had a presence in the privacy field, starting with its e-mail privacy protections, says Ryan Kalember, a cybersecurity strategy leader at Proofpoint. The company’s scope on the privacy front now extends to tracking sensitive data in client data centers as well as data captured by Web-based software, and helping clients conform to standards set by GDPR, HIPAA, COPPA, and other regulations.
“While we don’t disclose our revenue for privacy specifically, it is a meaningful contributor to our archiving/privacy/governance segment, which represented 23 percent of our Q4 2017 revenue ($145.4 million),” Kalember says. “We see the movement of data from on-premises into the cloud as being a significant driver of future opportunities.”
Among the specialized Bay Area privacy companies are Wickr, which operates a secure messaging system for companies, and CipherCloud, which concentrates on the movement of sensitive information from client networks into the Web-based storage and software environment.
A U.S. privacy tech mini-tour
Other companies in Xconomy’s coverage areas that are part of the privacy tech and services sector are:
—Cambridge, MA-based Resilient Systems, which was acquired by IBM Security in 2016, specializes in helping companies respond to data breaches and other incidents. The unit, now named IBM Resilient, has incorporated GDPR’s guidelines into its incident response platform to prepare clients to quickly make the required breach notifications.
—Seattle-based Integris Software is a startup founded in 2016 to focus on privacy compliance by mapping the data held by clients, and automating record-keeping to conform to GDPR standards. Its early investors include Madrona Venture Group, Amplify Partners, Ignition Partners, Keeler Investments, Antecedent VC, and Sian Ventures.
—New York risk assessment firm Security Scorecard, founded in 2013, rates companies and their vendors for their strength in cybersecurity protections, and also for their compliance with GDPR and other privacy regulations.
—Cary, NC-based SAS had its origins in a North Carolina State University project to analyze agricultural research. Founded in 1976, it grew into a global business analytics software company with more than 14,000 employees and 2017 revenue of $3.24 billion. SAS now offers wide-ranging privacy services that map personal data across client networks and produce audit reports.
—Boulder, CO-based 3PHealth manages secure communications between patients and healthcare providers. It gives patients control over the personal information they submit, and how it is shared within the healthcare system.
—San Antonio, TX-based Vysk takes a hardware approach to securing the privacy of smartphone conversations. It sells a smartphone case that jams the phone’s internal microphone, routing speech instead through the microphone in the case. The audio is encrypted and transmitted through Vysk’s private network to the receiver of the call.