Data protection and tech startups: The need for attention, support, and scrutiny
Abstract
Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting-edge’—pushing the boundaries of technologies that typically lack data protection best-practices. Initial decisions taken by startups could well have long-term impacts, and their actions may inform (for better or worse) how particular technologies and the applications they support are implemented, deployed, and perceived for years to come. Ensuring that the innovations and practices of tech startups are sound, appropriate, and acceptable should therefore be a high priority. This paper explores the attitudes and preparedness of tech startups towards issues of data protection. We interviewed a series of UK-based emerging tech startups as the EU's General Data Protection Regulation (GDPR) came into effect, which revealed areas in which there is a disconnect between the approaches of startups and the nature and requirements of the GDPR. We discuss the misconceptions and associated risks facing innovative tech startups, and offer a number of considerations for firms and supervisory authorities alike. In light of our discussions, and given what is at stake, we argue that more needs to be done to help ensure that emerging technologies (and the practices of the companies that operate them) better align with regulatory obligations. We conclude that tech startups warrant increased attention, support, and scrutiny to raise the standard of data protection for the benefit of us all.
Reports high-profile misuse placed firmly spotlight (Isaak & Hanna, 2018). law an important tool scrutinising data-driven holding account where harms occur expectations not met. such instances, investigate, punitive result. Naturally, compliance laws has become priority many technology companies, threat significant penalties noncompliance growing public discourse data-related issues. There much discussion (rightly) focuses ‘tech giants’, Facebook Google, these mean users services (e.g., see Houser Voss, Comparatively, little attention startups. However, it will drive development, commercialisation, application (artificial intelligence/machine learning [AI/ML], Internet Things [IoT], blockchain, augmented/virtual reality, etc.). this way, influence new come designed, perceived, used—and can shape industry process. Yet doing relatively constrained resources, limited expertise, driven desire disrupt establish themselves marketplace. It follows working technology's ‘cutting-edge’—who rapidly grow ‘next big thing’—can implications going forward. 
currently information about general, let alone approaching We, therefore, undertook semistructured interviews explore opinions toward before coming force.1 first use thematic analysis transcripts identify themes from interviews. then guiding point conducting legally grounded following research questions:

(i) How do perceive approach GDPR within organisation?
(ii) What under GDPR?
(iii) steps regulators, policymakers mitigate effective practices?

These questions understanding challenges being faced regard regulations. turn, identifying ways supporting meeting legal reassure efforts sufficient users' customers' protected. Through interviews, find several For example, felt was unclear how, some cases, if reconciled observed questioning whether aspects applied them, indicating complacency, waiting enforced acting. The rationale belief regulators were likely focus larger organisations rather than noted instances where, rush comply, pursuing potentially unreliable sources regarding Our findings argument need proactive, only specific obligations but broader aims intentions results indicate urgent firms—through guidance, advice, oversight, technology—as navigate landscape. concern; foundations human rights,2 seen society widely. Organisations must complacent, properly findings, require terms enforcement, bring better, accountable technology.

May 2018, European Union's (EU) (European Union, 2016) effect throughout 28 member states. binding legislative act applies processing personal data: ‘any relating identified identifiable natural person’.3 strengthens rights subjects (those whose processed)4 while simultaneously reinforcing responsibilities controllers responsible determining means purposes data).5 places controllers, including obligation ‘implement technical organisational measures able demonstrate performed accordance Regulation’.6 Supervisory Authorities—those enforcing regulation, appointed each state—have event noncompliance. 
found breach face penalties, fines up greater €20 m 4% annual global turnover, bans processing,7 among others—many prove fatal principles-based regulation. Such regulations defined Black et al. (2007) ‘high-level, broadly stated rules Principles set standards regulated conduct business’. contrast prescriptive detailed rules-based regulations, quickly obsolete dynamic contexts (Maxwell, 2015), those involving technologies. allows flexibly across sectors, business models, applications, technology-specifics. practice, required comply seven principles (Table 1). ‘Accountability’ principle requires controller ‘shall for, with’ other principles. words, both position identify, operationalise provides various rights, access, rectify, delete held controller. Similarly, implementing mechanisms facilitate exercising fulfil best implementation trivial; tensions privacy security concerns (Norval al., 2018; Singh Cobbe, 2019; Veale, Binns, Ausloos, generally does entail prescriptions particulars do, comply. Some, criticise lacking precision clarity (Deloitte, Presthus Sirur without expertise even skills (such cybersecurity expertise), always immediately obvious met organisations—a common theme raised interviewees.

run-up immediate aftermath Regulation's commencement, subject large-scale surveys IBM Institute Business Value, ISACA, NetApp, SAS, explored readiness broad range sectors organisation sizes (these mostly considered well-established none specifically startups). Despite substantive similarities previous regime—the Directive 1995)—these suggested majority did expect compliant commencement date. Deloitte (2018) reported three main reasons ‘time left achieve compliance’, ‘ambiguity text’, ‘the difficulty fulfilling requirements’, 62% respondents initially aiming ‘risk-based, defensible’ level compliance. SAS 49% said would significantly impact AI projects. 
conducted qualitative 12 (a mix small medium enterprises [SMEs] organisations—though focusing tech-startups per se), emphasis cybersecurity. most largest nontechnical issue GDPR, implemented. ‘qualitative’ uncomfortable, timely guidance Authority unable implement suitable Their difference language, tone, perceptions security-related SMEs when compared non-security-related SMEs, former appearing confident corroborate been struggling Compliance requirement all data, regardless sector target customer base (B2B, B2C, otherwise).8 date study timely, relevant, and, discuss, wider landscape

Startups ‘younger 10 years’; ‘feature (highly) and/or models’; ‘have (strive for) employee sales growth’ (Kollmann 2016). They described ‘work solve problem solution success guaranteed’ (Robehmed, 2013), ‘start weak market resource positions’ (Katila 2012). here accord above definitions work developing applying (AI/ML, IoT, UK, rising average rate one every hour (Prosser, forefront consideration. First, any consider meet GDPR's requirements; however, part innovation process, push boundaries. prior knowledge, over reconcile requirements. As result, willing undertake (data protection) mission ‘disrupt’ gain position. Second, involved inspire define (and practices) implemented used follow. bearers respective technologies—laying down markers remain ingrained decisions, sound questionable, potential shaping And same time, well-placed accounting ‘by design default’.9 Third, grow, effects actions, scale. seen, might eventually acquired large firms, whereas others go giants themselves. such, deal now, later. From societal angle, scales, prospect incidents. far difficult expensive retrofit systems, datasets processes track—and retrofitting challenging resources (Urquhart, 2019). necessary actually undertaken, nascent organisations. short, far-reaching landscape, possibly systemic consequences. 
Addressing sooner, later, play key role countering bad misconceptions, betterment To possible forward, improve factors laws; implementing; assisted challenged.

semi-structured invited (as FOCUS ON TECH STARTUPS) participate interview (see Table 2). variety communities frequent, entrepreneur centres (which provide business-related startups), online ‘meetup’ groups), cluster’ network directories geographic region. Recruitment continued until authors believed saturation occurring (O'Reilly Parker, resulted 15 (self-selecting pool 48 invitees total).10 Participating ranged prototyping prelaunch phases products/services having recently introduced industries markets. Companies less members staff), young (most 4-years old). Information participating presented 2. Each startup provided representative take hour-long, (then) incoming representatives selected founder Chief Executive Officer Operating question (in cases doubling organisation's Officer). Interviewees advance, included clarification researcher GDPR-related advice answers, completed consent form. Interviews took place either via VoIP, phone, in-person December 2017 2018 commencement) audio-recorded. transcript pseudonymised lead sent interviewee, giving opportunity review further redact, clarify, correct answers. received approval institutional ethical board interactions taking place. Interview inductively coded using analysis; relevant quotes assigned themes, process identifying, merging, refining happened iteratively coding (Braun Clarke, 2006). Related grouped subcategorised together, resulting ‘thematic map’11—a hierarchical tree-like structure maps out relationships themes. summary Figure 1. Using point, answers (outlined Introduction) legally-grounded against its materials recitals, ICO—the UK's Authority). led interesting trends, risks, supported commitments present paper. line RQ (i), discussed interviewees’ they—as startup—were experiences insights, now discuss.

It's there, it, business, you that? 
No gives guide say ‘actually, this, this’. (Company 1) like no tells address exactly means. So solution, you're sure right not. (Company 3) You're decide do. it's quite shift mindset understand. You can't just ‘tick, tick, tick’, that's done. (Company 11) Interestingly, Company 11 ‘take responsibility do’, tools make own decisions’. recognises assistance GDPR—understanding informed, reasonable defensible position, assisting specifics, request. needing pressed 11, wasn't step predecessor, Act 1995) (DPD), ‘you weren't [DPD] place’. accorded arguments DPD ‘interpreted, enforced’ ‘not fully objectives protecting subject's respect data’ (Robinson 2009). raised, ambitions largely positive. Company 7 ‘massive pain’, reflecting ‘for all’. Another thought forcing think steer good expressed views Commissioner's Office (ICO) materials. Some praised ICO ‘do[ing] great job’ (Company 9), producing ‘very explicit’ (Company 15), ‘essential [the startup's] comfort’ (Company 7). though had positive things criticisms. ICO's advisory ‘too vague [being from] official government body’ (Company 3), ‘a open interpretation’ (Company 8), ‘late’ (Company 15). Going further, Company 1 argued providing (what saw as) adequate ‘actually trying kill [small businesses] us’. website place, understand exists, isn't enough public. Largely, wanted trustworthy source actionable approached, maintained sectors. startups—because ‘they're guys UK goes’ (Company 8). proximity enforcement wariness; Company 9 spoke wanting contact multiple occasions didn't fear ‘opening worms’ presenting all, startups' multifaceted complex. repeatedly indicated evolving certain case discussing rights. trivial—such access (allowing obtain data)12—other conflict irrelevant nonapplicable organisation, despite making allowances. erasure13 mechanism deleted controller) ‘easy’ (Companies 1, 4, 5). interviewees agreed. particular, blockchain referred conflicts erasure Bacon Company 3 biggest challenge because cannot remove data], way unavailable’. 
Company 12, ‘transparency good; two coexist time’, referring ongoing ‘whether blockchains inherently ever compliant’. viewpoints appear misinformed; produced CNIL—the French Authority—has since outlined implementations made compliant, offering ‘concrete solutions actors wish data’, (CNIL, Nevertheless, conflict, appeared undeterred technologies, perhaps put forward CNIL. AI/ML. clear machine-learned models (the concerning encoded topical; Edwards, 2018), affect automated made. Further, absolute. health-tech startup) receiving exempt requests,14 planning allowing (patients) deciding don't want gardening company send e-mail anymore’ (Company 9). get huge CSV file full meaningful system. (Company 15) Overall, right—to promote competition, consumer choice, control one's data—did seem understood appreciated. Applicability rights: portability, had—rightly wrongly—deemed organisation. (or incompatibilities) operationalising products example above). Yet, obliges responsibilities, surface exemptions exist, onus nonfulfilment legitimate (perhaps undertaking, related compelling interests16), consequences incorrect. If wrongly concludes applicable, incidents noncompliance, subjects, diminished trust, repercussions difficult, impossible, obligations, current form; they're doing. Indeed, itself, arguab
Journal
Journal title: Policy & Internet
Year: 2021
ISSN: 1944-2866
DOI: https://doi.org/10.1002/poi3.255