25th May 2018 marks the enforcement date of EU’s General Data Protection Regulation. This new regulation strives to increase privacy for individuals and penalize businesses in breach. The complexity organizations face in managing consumer data is driving the growth of privacy tech solutions that decisively address a slew of privacy compliance challenges.
2. EU Data Protection Reform
The EU 1995 Data Protection Directive was archaic and non-legally binding for every member state; reform was necessary to improve data protection and privacy.
• 1995: The Data Protection Directive (DPP), officially Directive 95/46/EC, is passed. The directive establishes that the ownership of personal data belongs to individuals, who have legal rights over the collection and processing of personal data.
• 2000: The US-EU Safe Harbour Framework is created as an addition to the 1995 DPP. US companies that comply with the principles and register their certification, such that they fulfill EU requirements, are allowed to transfer data from the EU to the US.
• 2011: Viviane Reding, the VP of the European Commission, introduces the EU data protection reform.
• 2012: The legislative proposal of the new General Data Protection Regulation (GDPR) is published and negotiations begin amongst European parliaments.
• 2015: The Safe Harbour framework is invalidated by the CJEU as a result of the Schrems vs Data Protection Commissioner case.
• 2016: The new GDPR is approved on 14th April. The EU-US Privacy Shield framework is approved on 12th July, to replace the Safe Harbour agreement.
• 2018: The GDPR will officially replace the 1995 DPP on 25th May.
Source: European Union: ECJ Invalidates Data Retention Directive by Theresa Papademetriou | EU General Data Protection Regulation and what it means for SaaS companies in 2017 and 2018 by Megan Lozicki, Niklas Skog, Diego Checa | GDPR – Timeline by Bird & Bird | A visual timeline for implementing the GDPR in the UK
3. General Data Protection Regulation
The new regulation is expected to increase privacy for individuals and provide regulators with more power to take action against businesses in breach.
Extended Jurisdiction
• Applies to all businesses processing personal data of data subjects who are in the EU, regardless of company location and where the processing is carried out
Consent
• Requests for consent must be intelligible and easily accessible, using clear and plain language
• An affirmative action signalling consent is required
• Consent should be as easy to withdraw as it is to give
• Requires parental consent for processing children’s personal data
Right to Access
• Data subjects have the right to obtain confirmation from the data controller as to whether their personal data is being processed, where and for what purpose
Right to be Forgotten
• Data subjects have the right to demand that the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data
Breach Notification
• Mandatory to notify authorities within 72 hours of first having become aware of a data breach
• Data processors must notify their controllers
Source: EU GDPR | Top 10 operational impacts of the GDPR: Part 1 – data security and breach notification by Rita Heimes | MANAGE THE TOP 4 GDPR OPERATIONAL IMPACTS (PART I) by Donna Recchione | MANAGE THE TOP 10 GDPR OPERATIONAL IMPACTS (PART II) by Donna Recchione
4. General Data Protection Regulation
Including hefty penalties for violations: fines of up to 4% of the company’s worldwide annual turnover or EUR 20M, whichever is higher.
Penalties for Violations
• Fine up to 4% of the company’s worldwide annual turnover or EUR 20M, whichever is higher
Cross-border Data Transfers
• Personal data transfers permitted to a third country or international organization will be subject to compliance
• In the absence of an adequacy decision, transfers are still allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules
Data Protection Officers
• Large firms and companies that process specialized data must assign a qualified DPO for GDPR compliance
Data Portability
• Data subjects have the right to receive their personal data in a commonly used and machine-readable format
• They have the right to transmit that data to another controller
Restricted Profiling
• Data subjects have the right not to be subject to a decision based solely on automated processing, which produces legal effects or significantly affects them, without human intervention
Source: EU GDPR | Top 10 operational impacts of the GDPR: Part 1 – data security and breach notification by Rita Heimes | MANAGE THE TOP 4 GDPR OPERATIONAL IMPACTS (PART I) by Donna Recchione | MANAGE THE TOP 10 GDPR OPERATIONAL IMPACTS (PART II) by Donna Recchione | Top 10 operational impacts of the GDPR: Part 4 - Cross-border data transfers by Anna Myers
5. Privacy Tech Industry
Driving the need for an array of solutions to decisively address a slew of privacy compliance challenges
• Activity Monitoring
• Consent Manager
• Data Discovery
• Data Mapping
• Pseudonymity
• Enterprise Communications
• Incident Response
• Website Scanning
• Assessment Manager
Source: 2018 Tech Vendor Report by iapp
6. Privacy Tech Industry
Leading to robust vendor growth and an increase in solutions offered; with products targeting core compliance requirements accounting for >75% of the industry
• Vendors are currently focusing on meeting core compliance requirements (via activity monitoring, assessment managers, consent managers, data discovery and data mapping)
• Solutions targeting these areas make up 77% of the industry
• They are integral to achieving primary regulatory compliance
• Other aspects of privacy compliance remain largely untapped, presenting potential market opportunities for startups
• The privacy tech industry is booming as evidenced by the robust vendor growth last year
• Existing vendors have also built out new privacy technology services in the last year, adding to industry dynamics
Chart: Number of Vendors by quarter
  Q1 2017: 43
  Q2 2017: 51
  Q3 2017: 67
  Q4 2017: 98
  Q1 2018: 122
Chart: Share of the industry by solution category
  Website Scanning: 4%
  Incident Response: 8%
  Enterprise Communications: 4%
  Pseudonymity: 7%
  Data Mapping: 19%
  Data Discovery: 16%
  Consent Manager: 11%
  Assessment Manager: 16%
  Activity Monitoring: 15%
Source: 2018 Tech Vendor Report by iapp | 2017 Tech Vendor Report by iapp
7. Looking Ahead
• Reform of the archaic EU 1995 DPP was necessary to improve data protection and privacy
• The new regulation is expected to increase privacy for individuals and provide regulators with more power to take action against businesses in breach
• Complexity in managing data is driving the need for solutions to address privacy compliance challenges
• Existing vendors are primarily focused on producing solutions revolving around assessment managers, activity monitoring, data discovery, data mapping and consent managers
• Other aspects of privacy compliance remain largely untapped, presenting potential market opportunities for startups
• Whilst most solutions target resolving compliance issues within client datacenters, a small minority have identified the need for data management in the cloud as well as in mobile applications
• Privacy technology tools certainly look interesting, but companies need to be careful as these external solutions may introduce new enterprise risks
About Vertex Ventures
Vertex Ventures is a global network of operator-investors who manage portfolios in the U.S., China,
Israel, India and Southeast Asia.
Vertex teams combine firsthand experience in transformational technologies; on-the-ground
knowledge in the world’s major innovation centers; and global context, connections and customers.
Yanai Oron
General Partner
Vertex Ventures Israel
yanai@vertexventures.com