Securing a startup in the GDPR age

Without the vast budgets of corporations, startups need to be savvy with security spending

Data breaches have become a common occurrence for businesses worldwide. In fact, crooks stole around 1.9 billion data records in the first half of 2017, while the number of incidents between 2016 and 2017 grew by 13% - costing companies millions.

Cyber attacks are thought to cost the global economy around $400 billion (291 billion) annually, according to the Center for Strategic and International Studies, while a study from security firm Bitdefender puts the individual cost of breaches to companies at $1 million.

Then there's a company's reputation to consider. When large firms such as Equifax are hit by breaches, they often have sizeable budgets and sophisticated crisis management systems to mitigate the fallout. But for small and medium-sized enterprises, being targeted by attackers can easily put them out of business.

Start-ups tend to be the most vulnerable in this regard. They often don't have the financial resources to invest in fancy cyber security systems, and rarely have the luxury of a loyal customer base. This, coupled with the added pressure of the General Data Protection Regulation (GDPR), which has overhauled a company's responsibilities towards data retention, means startups face harsh challenges when it comes to improving their security.

The question is, how can startups do this effectively?

Teamwork is essential

GDPR aims to tighten up data protection practices, effectively handing back control of personal information to the data subject. For large companies that have dedicated security teams, adhering to the regulation is relatively easy.

However, Jason Hill, executive partner of business development agency Reply Group, says the changes present an "overwhelming challenge" for smaller companies, particularly startups, given the complexity of the regulations and the need for specialised knowledge.

When it comes to implementing systems to comply with the ruling, Hill says firms should "assess all relevant parties and ensure they are involved in the process. From legal representatives to IT managers, everyone should be responsible for improving data protections."

"The next step is to evaluate your current privacy organisational model and assess which parts need to be changed," says Hill. "Develop a framework based on this and apply it to all the relevant countries and legal entities of the enterprise.

"Make sure you can show accountability for all the processing activities and that the cross-border data flows are compliant with GDPR. Once this has been achieved, it's critical you give your employees the time and resources they need to be trained and become familiar with the changes."

Rushing doesn't help

Andy Barratt, who heads up the UK operations of cyber security firm Coalfire, believes that startups don't need to spend huge amounts of cash to comply with GDPR. In fact, he argues that rushing to adhere to the regulation can be more expensive.

"Lots of people are talking about the price of not complying being high, but so could the cost of rushing in. One of GDPR's requirements is that firms assign a dedicated data protection officer (for those processing customer data on a large scale)."

"In the case of most startups, that won't mean hiring an extra member of staff and, for many others, it's a requirement they don't need to meet. However, the confusion and haste can sometimes lead to poor decisions," says Barratt.

Instead, he believes GDPR should act as a "catalyst for some good data governance", particularly as the Information Commissioner's Office has gone to lengths to position the regulations as an opportunity to garner trust from customers.

"Start-ups should take time to work with the ICO, using the assistance it offers and seeking external advice where needed, rather than rush in and make mistakes they may come to regret," says Barratt.

Importance of good data practice

There's no denying the fact that consumers are becoming increasingly aware of their data privacy rights. While users may be happy to share personal information with companies in return for a valuable service, there's always an opportunity for firms to abuse their position.

The revelation that some 87 million Facebook users may have had their data improperly shared through analytics firm Cambridge Analytica was cause for alarm for many. Trust in the social media giant has waned, and it's unclear whether senior management will emerge unscathed. Yet, it's likely to survive an incident that would otherwise prove fatal for a startup.

"(There's) an increasing awareness of the power of consumer data and the nefarious or even destructive uses to which it can be applied," says Sheryl Kingstone, an analyst at 451 Research.

This has proven particularly problematic for fledgeling businesses, as she believes "everything from selecting and implementing technology vendors, customer engagement strategies, data partnerships and advertising campaigns" will be affected by the need for increased transparency.

Embracing the cultural shift

Dan Vartanov, chief technology officer of Swansea-based e-commerce start-up Veeqo, agrees, arguing that SMEs need to be paying close attention to their new responsibilities under GDPR, because even "a single data breach could see them going out of the business".

If there's one thing that's certain, it's that companies - no matter how big or small - cannot shy away from GDPR - even if smaller firms aren't lucky enough to have large security budgets.

The biggest change, however, is a cultural one, as many smaller firms are now being forced to prioritise the expense of data security over maximising profits. As Vartanov posits, "smart and responsible startups should make sure they exercise information security best practices, even without regulations forcing them to do so."
