Investing in the Future of Privacy Automation with DataGrail
Dan Moskowitz October 12, 2022
The collection and use of internet consumer data is a big part of what has fueled the growth of internet businesses, especially the free internet services as well as e-commerce platforms. Google, Meta, and ByteDance would not exist the way we know them if they were not able to leverage information about users, and likewise the Amazon shopping experience would be vastly worse if Amazon was not using profiles built on PII (personal identifiable information) to power its recommendation engines. The collection of ever-increasing volumes of consumer data has generally made the internet a better experience. But there is a dark side that consumers are only recently becoming aware of: what happens when companies are negligent stewards of consumer data? What happens when data is stored poorly and invites thieves? What happens when it's provided to third parties without your consent? And what happens when a company creates a profile that is so specific that it borders on creepy? Consumers around the world are beginning to demand better from the companies that we do business with, and regulators are starting to wake up to the need for codified data protection laws with strong penalties and broad authority.
The Start of a Golden Age for Data Privacy Regulation
A Timeline of Major Global Privacy Laws1
Expand image here.
It was the 2016 introduction of the General Data Protection Regulation, or GDPR, that kicked off what we are now experiencing as the Golden Age of data privacy laws. Prior to 2016 there were patchwork laws in various countries that were generally toothless for international enforcement and did not provide frameworks built for a modern internet. GDPR was revolutionary in both scope of enforcement and in penalties – up to 4% of annual revenue for the global entity. After its enforcement began in 2018, GDPR ruled that any global business dealing with EU residents must abide by the following:
Businesses must obtain opt-in consent from EU website users to be able to track them and share their collected data with third parties
Companies storing EU resident data must adhere to data security standards of encryption, anonymization, and audits
EU residents may request to access their personal data held by those businesses, the retention policies of that data, the sharing policies among third parties, and other pertinent information about their data, at any time. This is known as a data subject access request, or DSAR. Businesses then have 30 days to complete the request
EU residents may request modifications or even deletion of their personal data. This is known as a data subject request, or DSR. Businesses have 30 days to complete the request
Shortly after GDPR was implemented, California introduced the California Consumer Protection Act, or CCPA, which is generally structured similarly to GDPR. California has since passed an amended version of CCPA, known as CPRA, which further tightens the rules for compliance. Meanwhile several other countries including Canada, South Korea, and Brazil are in the process of passing or implementing their own strong consumer data protection laws. There is also bipartisan support in the US to create a federal policy (American Data Privacy & Protection Act) and though it may not pass in 2022 or even 2023 without significant debate, it does create a baseline in Congress and shows that the topic is top-of-mind for legislators.
Comply With Data Regulations, or Get Fined (a lot)
With the introduction of GDPR and many GDPR-similar laws, businesses that rely on consumer data cannot afford to be non-compliant. Studies from the law firm DLA Piper showed that regulators are heating up:
GDPR fines are increasing ($1.2bn fined in 2021 versus $332M fined for all of 2018-2020)
GDPR violation investigations are increasing (~8% increase in daily average breach notifications per day, 2021 vs 2020)
The biggest fines span every company from big tech (Google, Amazon, Meta) to e-commerce (Sephora, H&M), to British Airways, Vodafone, and more – since most types of businesses collect PII, most types of businesses must remain compliant or get fined. Again, with the introduction of GDPR, these fines are not slaps-on-the-wrist. The fine structure for GDPR and CCPA is as follows:
GDPR: Up to 4% of annual revenue of the global entity, or 20M EUR, whichever is bigger, per infraction
CCPA & CRPA: $7,500/consumer impacted (willful offenses); $2,500/consumer impacted (negligence). Note – while CRPA doesn’t increase the fines from CCPA, it does vastly broaden what constitutes an “offense”
In practice, this has resulted in fines as large as $758M (2021 – Amazon).
Recent Large Fines (GDPR & CCPA)2
Expand image here.
Many Regulations (and more on the way) + Large Penalties (and more on the way) = Help!
Many businesses are understandably concerned with these recent developments. As well they should be, because complying with data protection laws is not easy. It requires overhauling not only the culture of data collection itself but also a legacy IT stack that was designed to collect and use data to sell more products, not protect it or provide it to customers on-demand. Consider what needs to happen when a business receives a DSAR:
Validate that the requester (the “data subject”) is a who they say they are
Figure out which are the relevant systems in your environment where the data subject’s information resides
Pull out the information specific to the DSAR (the data subject may have specified what they want to see)
Provide the information back in a readable format
Sounds simple? Consider that the average enterprise has hundreds of SaaS applications and data spread across multiple storage formats, data warehouses and data lakes. And consider that in the course of responding to a single DSAR, you will certainly end up having to redact other parties’ PII or you may get fined anyway! Or consider that some businesses, depending on consumer footprint, may receive hundreds of DSARs per month, each with its own 30-day (or 45 for CCPA) ticking clock. Finally, consider “shadow IT,” or systems and applications that lie outside the central IT purview (perhaps something that an engineer downloaded on their laptop without permission). The complexity becomes exponential and so does the cost – dollars and man-hours pulled away from other parts of the business.
That is why more and more businesses are seeking help.
Announcing Our Lead Investment in DataGrail’s Series C Funding
Enter: DataGrail, the automated data privacy control center. The key innovation for DataGrail is that it removes the complexity around privacy compliance. With 1,400+ integrations, DataGrail automatically builds and updates a live data map that understands where a data subject’s PII resides across the enterprise and manages the DSAR and DSR request process. Customers like Salesforce, New Balance, The Motley Fool, and many others with large consumer footprints have found success managing their privacy programs with DataGrail. Customers come to DataGrail because they need help. They stay because they realize that DataGrail not only saves them money and time (both in terms of insurance against fines as well as the cost of responding to data requests), but it also improves their brand value. Customer trust in the way a brand handles their data will become an increasingly important competitive differentiator in an era where we have all become jaded by constant data leaks and fines (by companies not using DataGrail!).
It is for all these reasons that we are excited to lead DataGrail’s $45M Series C fundraise alongside new investors Thomson Reuters Ventures and Sixty Degree Capital and previous investors Felicis Ventures, Operator Collective, and Cloud Apps Capital. We’ve personally known the founder & CEO Daniel Barber for a few years now and have watched the company and the market grow during that time, and I couldn’t be more optimistic joining him and joining the board at this stage of their journey.
References
https://fpf.org/blog/california-privacy-legislation-a-timeline-of-key-events/
https://iapp.org/news/a/cpra-regulations-delayed-past-july-1-deadline-expected-q3-or-q4/
https://www.orrick.com/fr-FR/Insights/2022/08/Revised-ADPPA-The-Top-10-Takeaways
https://www.nytimes.com/2022/09/05/business/meta-children-data-protection-europe.html
https://www.forrester.com/blogs/ccpa-penalties-are-here-sephora-hit-with-1-2-million-fine/