Last month, GDPR celebrated its second birthday. Across the pond, CCPA has taken effect and its enforcement will start this summer. The Cambridge Analytica scandal continues to cast its long shadow, with consumers more privacy-conscious than ever before. And now, COVID-19 has created entirely new forms of public discourse on data protection.

It's clear that data privacy has never been a higher priority for enterprises and consumers alike, and this is driving a wave of startup activity. In this post, we focus on compliance tooling - a market that's growing fast as regulation proliferates, and compliance as a potential source of competitive advantage.

To mark GDPR's birthday, we assembled a small roundtable of industry experts and early-stage founders, who shared their perspectives on privacy compliance. Many thanks to the IAPP, Aircloak, Dataswift, D-ID, Metomic, Mine, Usercentrics, and WSGR for contributing to a lively discussion. They shared their perspectives on the opportunities created by data protection, and in this post we'll share our takeaways with you.

As privacy regulations expand in scope and reach, the burden of compliance grows. Every business handling personally identifiable information (PII) faces new categories of mandatory spend. Gartner estimates that global spend on privacy compliance tooling will reach $8B by 2022, and that a single data subject access request costs a typical enterprise ~$1,400 to fulfil. Compliance requires a host of new or revised business processes, each with underlying implications for the architecture, storage, and processing of personal data. Non-compliance can be costly, with GDPR breach fines reaching 4% of an enterprise's revenue - although DPAs' ability to enforce at scale is an important challenge.

Facing this complexity, enterprises have spent generously on software and services enabling regulatory compliance. GDPR was the first trigger for a wave of 'compliance-as-a-service' tools, from which OneTrust has emerged as a category leader (as have other VC-backed players like BigID and TrustArc).

But we think this is only the first chapter in the privacy compliance story. Why? There are five key forces driving expansion of the market:

• User experience. Compliance does not in itself guarantee a positive experience for the increasingly privacy-conscious consumer. We're excited by new products that provide a more transparent experience for the end user, and helps consumers navigate the complexity of the consents they routinely give. Business are increasingly likely to treat good privacy posture as an area of competitive advantage, and this may lead to growing discretionary spend over time.
• Regulation. The European regulatory landscape continues to evolve. Notably, the EU's proposed ePrivacy regulation is in draft, and likely to come into force in 2021. It will broaden GDPR's scope, and enforce further-reaching compliance obligations (on cookies, spam, and communications metadata).
• Global reach. New privacy regulations are emerging outside the EU, sharing many of the principles of GDPR. This isn't just in the US, but also in large markets like Brazil and India. Since the introduction of GDPR, more than 60 jurisdictions around the world have enacted or proposed new data protection laws. European startups, having enjoyed a head start with GDPR, are well positioned to serve these newly addressable markets.
• The SME opportunity. Lightweight SaaS tools are emerging that better serve the SMEs and the mid-market. To date, there has been relatively little dedicated tooling for SMEs, whose buying needs differ from those of large enterprises. SMEs are less likely to hold dedicated internal privacy expertise. This, along with smaller ticket sizes of spend, makes us believe that there's a need underserved by the incumbent enterprise-focused compliance products. We expect the most attractive startups will be those offering lightweight, functionally-specific, usable SaaS products at a price point that SMEs can bear - displacing spend on local law firms and consultants.
• Privacy-preserving technologies are emerging to support data science and machine learning applications in the enterprise. Data-intensive workflows present a high risk of processing personal data inappropriately. Elegant solutions might be found via synthetic data, homomorphic encryption, and other means: more to come in our next post.

With these triggers in mind, we're excited to meet founders taking a fresh approach to a growing problem, as enterprises push to achieve compliance, but also:

(a) minimise the cost of compliance (and minimise the time required for non-value-adding compliance work);
(b) minimise the impact of compliance on core business operations;
(c) build better experiences for privacy-conscious consumers, and hence turn compliance into competitive advantage.

If you're building a novel solution to this problem, we'd love to hear from you!

Bart and Chandar