How startups can ensure CCPA and GDPR compliance in 2021

Data is the most valuable asset for any business in 2021. If your business is online and collecting customer personal information, your business is dealing in data, which means data privacy compliance regulations will apply to everyone — no matter the company’s size.

Small startups might not think the world’s strictest data privacy laws — the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) — apply to them, but it’s important to enact best data management practices before a legal situation arises.

For example, failing to comply with the GDPR can result in legal fines of €20 million or 4% of annual revenue. Under the CCPA, fines can also escalate quickly, to the tune of $2,500 to $7,500 per person whose data is exposed during a data breach.

If the data of 1,000 customers is compromised in a cybersecurity incident, that would add up to $7.5 million. The company can also be sued in class action claims or suffer reputational damage, resulting in lost business costs.

It is also important to recognize some benefits of good data management. If a company takes a proactive approach to data privacy, it may mitigate the impact of a data breach, which the government can take into consideration when assessing legal fines. In addition, companies can benefit from business insights, reduced storage costs and increased employee productivity, which can all make a big impact on the company’s bottom line.

Challenges of data compliance for startups

Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes. For example, Vodafone Spain was recently fined $9.72 million under GDPR data protection failures, and enforcement trackers show schools, associations, municipalities, homeowners associations and more are also receiving fines.

GDPR regulators have issued $332.4 million in fines since the law was enacted almost two years ago and are being more aggressive with enforcement. While California’s attorney general started CCPA enforcement on July 1, 2020, the newly passed California Privacy Rights Act (CPRA) only recently created a state agency to more effectively enforce compliance for any company storing information of residents in California, a major hub of U.S. startups.

That is why in this age, data privacy compliance is key to a successful business. Unfortunately, many startups are at a disadvantage for many reasons, including:

• Fewer resources and smaller teams — This means there are no designated data privacy officers, privacy attorneys or legal counsel dedicated to data privacy issues.
• Lack of planning — This might be characterized by being unable to handle data privacy information requests (DSARs, or “data subject access requests”) to help fulfill the customer’s data rights or not having an overall program in place to deal with major data breaches, forcing a reactive instead of a proactive response, which can be time-consuming, slow and expensive.
• Lack of knowledge — Smaller companies and startups might not even be aware of all the different data privacy regulations across territories or, if they are aware of them, they might not think those rules apply to them as a smaller company. In addition, being a seemingly “small fish” in a big pond, they do not think they could be the target of a data breach and, according to the GDPR, may not be able to identify a lawful basis to use someone’s information.
• Prohibitive cost — If it would cost the startup more money to safeguard against data compliance issues than it would cost to deal with compliance violations over the course of a year, then most startups and other small companies do not bother with staying in compliance. However, especially if the small company contracts with a larger company, they might be required to agree to the same data privacy compliance terms as the bigger company. If the smaller company fails to meet those compliance obligations and there is a breach or other violation, the contract will be canceled, and the startup will not only lose important business and incur reputational damage, but it will also be responsible for hefty fines.

Why ‘blaming the intern’ won’t save startups from cybersecurity liability

Four steps to attaining data compliance

Every startup should have a compliance system in place that effectively achieves all of these actions:

1. Search and find. If your company’s data is not properly centralized or if it is otherwise scattered in unstructured data silos, you run the risk of being unable to find specific information about a customer in order to respond to DSARs within the 30- to 45-day time limit. A lack of clear organization and structure in your data and an inability to easily and quickly find data will be detrimental to your compliance goals.
2. Classify and categorize. If your company’s data has no automated classification system in place and nothing is precise in its categorization, you might have to export it to another system to achieve such classification. This is an impediment to the goals of GDPR and CCPA compliance because it prevents organizations from doing all the following with personally identifiable information (PII): Knowing where the PII is stored; knowing who has access to the PII; and implementing additional security protocols like encryption, pseudonymization or redaction over the PII.
3. Organize and optimize. If the data is not optimized, meaning there is a complete lack of organization and too much budget wasted on useless ROT (redundant, obsolete, trivial) data, then GDPR and CCPA compliance is nearly impossible. Data disorganization and wasted storage make it difficult to maintain an adequate level of transparency. By optimizing your data through an automated system, you can more easily develop and enforce a privacy policy and data retention policy, critical to data privacy compliance and transparency.
4. Analyze and exploit. Upon meeting the aforementioned three objectives of compliance, you will be able to search, classify and act on your company’s data. Doing so will help you cultivate analytics that will provide data insights, improve company productivity and give your company a true competitive advantage.

Why automate data compliance

The easiest and most affordable way for smaller companies and startups to achieve CCPA, GDPR and other data-compliance regulations is to invest in an automated data discovery and classification solution. Good automated data discovery and classification solutions should be able to do the following:

• Reduce risk. A well-designed and automated data discovery and classification program will index and organize all data, eliminate human error, dispose of ROT data, constantly monitor data for high-risk incidents and much more, thereby reducing risks that could result in compliance violations.
• Discover data. Such a system will also be able to centralize all data, making it easily searchable for PII and DSARs as needed.
• Demonstrate compliance. Finally, this type of program will stay on top of all new data privacy laws and apply the regulations needed for each region and customer, saving time, effort and expenses needed to maintain adherence to compliance protocols.

Startups should embrace data automation

With CCPA and GDPR, data compliance is already ubiquitous in today’s business world, meaning startups need to be prepared to handle this growing trend of protecting against violations. As the U.S. federal government and numerous other regions continue to develop new data compliance regulations, startups, small companies, medium-sized companies and enterprises alike need to embrace data automation to affordably simplify the process.

One CMO’s journey with risk management and compliance