It is no coincidence that OneTrust’s announcement of a $200 million Series A investment, which values the 2016-founded privacy tech vendor at $1.3 billion, came on the heels of the U.K. Information Commissioner’s notice of intent to fine Marriott International and British Airways $130 million and $230 million respectively under the EU General Data Protection Regulation.
With mega fines come heightened responsibilities for companies, directors and officers. And this means larger budgets for privacy programs and data governance, which require systems and technologies to be managed at scale. Investors are watching this new sector intently and streaming cash not only to OneTrust, the first privacy tech "unicorn," but also to its competitors, such as TrustArc, which announced a $70 million Series D round Wednesday, Privitar ($40 million Series B round in June), BigID ($30 million Series B round last year), WireWheel ($10 million Series A round in October), and more.
To any skeptics, the last few days have been a stark reminder that GDPR compliance is real. And with a multibillion-dollar privacy settlement imminent at the U.S. Federal Trade Commission, California Consumer Privacy Act implementation inching to the finish line, and German antitrust regulators beating the privacy drum, it is clear that enterprisewide privacy management is here to stay.
The ICO announcements immediately raised the bar for data protection regulators in the other 27 EU member states. Now that Wilmslow has made its move, all eyes are on regulators from Paris and Dublin to Munich and Dusseldorf to counter.
Importantly, the companies targeted were not even the American tech giants that have been a lightning rod for advocates, policymakers and regulators. British Airways is as British a brand as they get, and Marriott is the leader in an industry with roots in the Old Testament.
This sends a strong message to the industry: GDPR is for everyone, not just for big tech.
As the GDPR enters its second year, gone are the days when companies could manage privacy from legal departments, which drafted policies and contracts on Word documents and Excel sheets. To scale data governance and manage sprawling privacy programs, companies such as Marriott and British Airways must turn to automated governance systems and tools, which map and classify data flows, lakes and reservoirs; assist data protection impact assessments; manage consent and cookie interfaces; rationalize data storage and retention; deploy user authentication and identity management; and more.
They must do so in ecosystems spanning thousands of systems, tens of thousands of vendors, hundreds of thousands of employees, and millions of consumers, which are spread out all over the globe and transfer data 24/7 to fuel every conceivable business practice and activity.
Investors are not the only ones recognizing the new industry sector.
The IAPP’s Privacy Tech Vendor Report, which was launched in 2017 listing only 51 companies, now has 192 listed in the 2018 version (the IAPP will be releasing the 2019 report in the coming weeks). In November last year, Forrester issued a New Wave report on GDPR and Privacy Management Software. Gartner too must be watching.
Last month, the Future of Privacy Forum and Israel Tech Policy Institute launched a new trade group, the Privacy Tech Alliance, intended to promote the market for privacy-protective technologies, facilitate the development of new tech, and maximize value for innovators and investors. The Privacy Tech Alliance further recognizes the key role that privacy-enhancing technologies can play in mitigating privacy risks for consumers and organizations. It seeks to connect researchers, scientists and entrepreneurs who are innovating PETs, including tools for deidentification, encryption, obfuscation and blockchain.
The GDPR derives from the EU’s rich underpinnings of fundamental rights. But when it comes to implementing lofty principles in practice, lawyers must collaborate with — and, at some point, pass the baton to — IT professionals, engineers and data governance experts who not only discuss policies, but also deploy them into systems, databases, products and services.
In other words, where lawyers touch contracts and policies, engineers ultimately “touch the data.” And privacy management in an organization requires direct manipulation of data flows.
The venture capital community’s nod to privacy tech vendors is telling.
As GDPR and privacy enforcement come into focus, companies will invest heavily in privacy-protection technologies, including both enterprise privacy program management tools and innovative PETs for deidentification, encryption and obfuscation. This new industry sector of privacy-protection technologies will sit at the intersection of law, engineering and IT, exactly like the problems it sets out to solve.