Take a look at this blurb for a session about data privacy at the upcoming RSA conference on cybersecurity. It sounds a polite warning:
“The importance of privacy is often alluded to in generalized, value-laden terms that, while sincere, don’t necessarily help privacy be taken seriously in the enterprise risk management process.”
That situation is changing radically, with the looming May 25 deadline for enforcement of the European Union’s General Data Protection Regulation (GDPR)—a sort of Magna Carta for the right of individuals to control the use of their own data. The sweeping new EU privacy protections apply to any company anywhere that holds data on any EU citizen—not just businesses located within the 28 EU member nations. And the maximum fine for violations—as much as 4 percent of a company’s global annual revenue—tends to concentrate the mind wonderfully on compliance.
That has created opportunities for both startups and entrenched tech companies that already address privacy issues.
GDPR, enacted in 2016, is widely recognized as a major accelerant for the growth of an existing, if relatively small, privacy-related B2B sector. Companies are pursuing a variety of ways to help their corporate customers track the personal data they collect from customers, and make sure they’re not running afoul of government regulations in any of the regions they operate in—either physically or virtually.
The privacy tech and services category overlaps with cybersecurity, because big security players such as IBM, Symantec (NASDAQ: [[ticker:SYMC]]) and Proofpoint have folded data privacy into their operations. But the goals of personal privacy protection are somewhat different from typical cybersecurity missions, such as shielding a company’s data trove from theft by hackers.
Certainly, fending off a big hack can avoid harm to the users of an e-commerce app, whose credit card numbers might have been sold to criminals, for example. But privacy laws such as GDPR also aim to shield personal data from unauthorized use by non-criminals—by the thousands of companies that vacuum up details about people who visit their sites, and that may share it with advertisers and others for profit, without the visitors’ explicit consent.
GDPR, while enabling regulators to punish privacy law violators, also puts power in the hands of individuals to limit data collection upfront, and to demand that much of their data that’s already been extracted be purged.
“EU consumers can ask a company, ‘What data do you have about me?’ and then tell you to forget it,” says Chris Babel, CEO of San Francisco-based privacy technology company TrustArc.
That kind of regulatory provision is driving the evolution of the data privacy sector from a realm dominated by privacy consultants and attorneys to an arena populated by technology companies that can automate data management and retrieval, Babel says. Tech companies are also helping clients tackle another GDPR rule that lays out guidelines for rapid corporate responses to data breaches. In some cases, GDPR would require companies to notify authorities and affected individuals within 72 hours when personal data has been stolen.
“The market is turning to tech providers,” Babel says.
Outside the EU, other countries such as Australia, Russia, and China have also beefed up their privacy regulations, which increases the complexity of compliance for companies gathering personal data as they operate in a global marketplace.
In the United States, privacy technology companies have already found niches in assisting clients to comply with domestic regulations that apply to specific populations, such as patients, whose medical data are covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996); and children, whose privacy is regulated by COPPA (the Children’s Online Privacy Protection Act of 1998.) Palo Alto-based TrueVault, which was founded in 2013 to keep clients compliant with HIPAA, has now added a GDPR-related feature that “pseudonymizes” data.
TrustArc’s Babel has been a longtime participant and observer of the U.S. privacy tech scene since the late 1990s. While the United States had no comprehensive regulatory scheme to protect privacy and data security, companies arose to shore up consumer confidence in the new businesses that technology was making possible. such as e-commerce.
For 10 years, Babel was the manager of Verisign’s global SSL and Identity Authentication business. Verisign’s SSL (Secure Sockets Layer) facilitated encrypted communications between web browsers and the servers of online businesses, to protect credit card numbers, passwords, e-mails, and other personal details. In late 2009, Babel was recruited as CEO of Truste, a former non-profit that audited businesses for voluntary compliance with its privacy standards and granted them a Truste seal to reassure consumers. Truste was reorganized as a for-profit business in 2008 after a major investment by Accel Partners, and was later re-named TrustArc. The company’s suite of privacy services now encompasses compliance with government regulations including GDPR.
Babel says he moved from the cybersecurity arena into a privacy-focused business because he could tell it was a ripe field for innovation.
“I saw that it was going to need technology, and it was going to need it very soon,” Babel says. He says the privacy sector is poised to make the same transition that cybersecurity has made as it scaled up, from artisanal consulting to software-driven surveillance. Companies used to hire “white hat” hackers as consultants to test their cybersecurity defenses, he says. Now they sign up with tech companies using automated processes to patrol their data center perimeters, their Web-based data operations, their e-mail systems, and other points of vulnerability.
Global cybersecurity spending could top $98 billion worldwide in 2018, according to a Gartner forecast in December.
Privacy tech and services market size
Estimates vary for the size of the privacy-related business market, which covers categories including data management software, incident response guidance, de-identifying and data anonymizing technology, hardware, and advisory services from law firms and consultants.
In an estimate based on aggregate payments to privacy technology companies alone, the International Association of Privacy Professionals (IAPP) gives a ballpark market size of about half a billion dollars. The IAPP estimate is based on an average expenditure of $206,000 a year among the roughly 2,200 global companies whose revenue is $1 billion or more. The IAPP, a not-for-profit organization that provides resources and training to privacy professionals, based its estimate on data collected in June. Its ballpark figure doesn’t include expenditures by the global ranks of mid-sized companies and startups that are also scrambling to reach compliance with GDPR. IAPP expects the market size to grow quickly, says a spokesperson for the group.
Fortune’s Global 500 companies could spend as much as $7.8 billion over a multi-year period to achieve compliance with GDPR, IAPP and EY concluded. That estimate includes spending on items in addition to technology, such as consultants, modifications to company products, and new hires to fill privacy protection roles.
Many of the tech companies offering data privacy services have sprung up in Europe, where the number of people protected by GDPR is greatest, according to IAPP. Those companies include the Dublin, Ireland-based firm EuroComply, a compliance software provider. Ireland’s foreign development agency, IDA Ireland, has been counseling U.S. companies on the GDPR as part of its mission to foster the expansion of the American tech industry into Ireland, an EU member.
Paraic Hayes, a West coast representative for IDA, says the most eye-opening thing for U.S. companies is learning about the cultural foundation for the EU’s adamant stance on personal privacy, which is considered a fundamental human right. That stems from the region’s experiences with authoritarian regimes that