Should Australian startups skip the EU because of GDPR?

The CEO of an Australian FinTech startup says he is considering excluding the EU from his business plan, because the upcoming new EU regulation on consumer data protection, the General Data Protection Regulation (GDPR), brings challenges that would outweigh potential business benefits in the EU region in the short term.

I recently got privy to a passionate debate on the subject of GDPR held within an Australian FinTech startup community (hint: I’m a resident of Stone&Chalk). The improvised email debate started with a call for help from a startup looking at getting into the EU market, but concerned about best managing the GDPR requirements coming into effect on the 25th of May 2018.

Key GDPR challenges

The CEO of an Australian FinTech startup replied and shared his own assessment, where he would face the following two biggest GDPR challenges:

1. ‘Right to be forgotten’, “which causes all sorts of issues when trying to design systems where payments (for which data must be kept) and non-payment information (which users can demand to be deleted) is involved”; and
2. ‘Access to own data’, “you have to give people access to their own data. Sounds easy, right? Unless you transform their data in a way that reveals internal business processes, and even worse if you create data that joins individuals who can both demand their data be released yet are required to have their data kept secret.”.

The startup assesses that “Both of the above will require you to create new interfaces, new business processes and new security systems to prevent abuse (e.g. when someone asks for all their data, how do you give it to them if they can’t access their account for whatever reason?)”.

EU Privacy Compliance vs AU Startup Business Priority

Challenged on his assessment, “can you really *afford* not to care about the privacy of your customers as a priority?”, the CEO then added:

“I care about my user’s privacy deeply, to the point of making it harder for me to develop my product.”, but  “the ‘right to be forgotten’ adds substantial overhead to the management of legitimate collection and use of data (it might even make it impossible to legally run some businesses!).”. 

He also added that the EU only represented 10% of his target market globally.

I give credit to the CEO for having conducted a thoughtful assessment of the implications of GDPR compliance on his business, and for tested those implications against potential business return in EU. He made an informed business decision to de-prioritise the EU market, for now, in view of the cost of complying with the upcoming regulation.

Should AU startups skip EU because of GDPR?

The question is worth asking on a case by case basis. The decision made by the quoted startup CEO to skip EU for now in the above example makes a lot of business sense.

AU startups should consider the impact of GDPR compliance in view of their market positioning in EU and make an informed decision:

1. Assess the cost of GDPR compliance to you startup, especially considering the 2 key challenges above;
2. Assess the potential business benefits of serving the EU markets sooner than later (and the drawbacks not to);
3. Make a priority call and review later.

I would strongly advise against the option to ignore GDPR when managing EU residents data, because the EU has a history of enforcing data protection regulations with hefty fines. For example, in France, the CNIL is enforcing EU data protection locally and has hit at Facebook in 2017 with €150,000, fined Darty €100,000 in early 2018 and there are many other examples also including smaller companies. As a comparison, in Australia the OAIC has a poor record of enforcing privacy regulation. They have not made any good example of it (e.g. Telstra was fined only $10,200 in 2014). The EU takes the subject of data protection regulation very seriously.

I would also highlight the bright business side of privacy and consumer data protection, and advise to make the compliance choice when you can afford it.

The Bright Side of Consumer Data Protection

It is not free to comply with consumer data protection and privacy regulations, such as the EU GDPR or the Australian Privacy Act (incl. recent amendment for data breach notification). It may come at a cost of changing processes, technologies and importantly organisational cultures.

The compliance can be required or it can be a choice.

In Australia, most organisations including startups with annual turnover greater than $3M, are simply required to comply with the Australian Privacy Act, because it is the law. When the turnover is lower than $3M, the compliance is a choice in most cases (more in How to Comply with the Australian Mandatory Data Breach Notification Requirement?).

Australian businesses doing, or contemplating to doing, business overseas have also the choice to comply with local regulations or forfeit doing business locally. It is a business decision to the point of the above example.

When the option is available, choosing voluntarily to comply with regulation and choosing to invest in better consumer data protection practices has a very bright upside, because customers have growing privacy concerns and business is simply lost over privacy concerns (more in From Privacy Weakness to Business Strength).

Mounir Mahjoubi, who was hailed as the ‘geek’ who saved Emmanuel Macron’s French presidential campaign from cyber attacks and now French Secretary of State for Digital, brilliantly called the opportunities that GDPR and better consumer data protection practices provide to businesses. Mahjoubi suggests (in a speech) to make the most of compliance requirements. With better data protection, businesses can:

1. Serve their clients in better ways;
2. Build new services and innovative ways to manage data;
3. Optimise the usage of data; and very importantly
4. Improve data security and better manage business risk.

A critical example to better business risk management is about protecting reputation. If large and well established organisations face consequential impacts to data breaches over deficient protection and deficient incident handling, such as Equifax, the reputation impact on smaller organisations or startups could be fatal.

When given the choice, and when it can be prioritised and afforded, complying voluntarily to consumer data protection and privacy regulations can be a very valuable business risk management practice and a valuable business differentiator at the same time.