Roughly one month after the General Data Protection Regulation (GDPR) was rolled out across the European Union, start-ups, small and medium-sized companies are realizing that they are facing the same risks as large firms when it comes to implementing the new rules.
By Ovidiu Posirca
The legal changes are also set to generate additional challenges for internet start-ups whose business model is data driven.
In the first few weeks after the enforcement of the GDPR, the National Council of SMEs in Romania (CNIPMMR) surveyed 210 companies to find out how they were coping with the new rules. Close to 30 percent of the respondents said they had been able to meet the obligations prior to the deadline on May 25, while 42.1 percent said they hadn’t adopted measures for the implementation of the GDPR. Another 28.9 percent claimed they were planning to implement the rules. More than half of the surveyed organizations were micro-enterprises. Moreover, 52.6 percent of the respondents were companies that had between one and nine employees.
The association concluded that SMEs needed assistance in covering the compliance costs for GDPR from EU funds as well as comprehensive guidance for smaller companies.
INTERNET GIANTS VERSUS MINNOWS
SMEs have grown concerned with the GDPR because of the tough sanctions stipulated by the law. Companies breaching the new rules risk fines of up to EUR 20 million or 4 percent of their turnover. Close to 98 percent of the respondents said that the sanctions were excessive and disproportionate.
There are two thresholds for the sanctions. First, fines can reach 2 percent of turnover or EUR 10 million and can double at the second level, according to specialists at law firm Musat & Asociatii.
“The rules are applied in Romania without any additional regulation of the local authorities, including on fines. Aside from the administrative sanctions, any breach of the rights of targeted individuals generates damages that will have to be covered by those who produced it, which is the data operator or its trustee,” representatives of the law firm told BR. Furthermore, the legal risks entailed by the regulation don’t depend on the size of the company, with some exceptions. “This is the case because what matters is the flow of data that is processed, not the size of the company itself. In practice, there are situations in which small companies process a bigger volume of data than large companies,” said the legal experts at Musat & Asociatii.
While smaller firms will struggle, for instance, to rebuild email lists that were decimated following the implementation of the GDPR, large internet companies might have it easier as consumers are already very used to their products. “If you are like Facebook or Google, you push that consent pop-up mainly because your users are used to you so they are in the habit of using you over and over again. Of course you’re going to accept that, even though Facebook as a big player is the one that actually abused the trust of its users, of us, the users in the EU. So, that mainly means because of their stuff, all the small companies are suffering. Not only are they suffering now, they will suffer in the future as well,” said Valentin Radu, CEO of Omniconvert, a start-up providing a real-time web personalization tool. In comments in a video that was circulated on Facebook, he added that SMEs represent 99.8 percent of all companies in the EU and provide more than 66 percent of all jobs.
WILL THE GDPR IMPACT THE ATTRACTIVENESS OF INTERNET START-UPS?
The new legal risks facing start-ups that are heavy on data operations will be taken into account by investors contemplating private early stage financing. However, GDPR compliance is just one of the factors that investors will consider.
“The fundamentals of the GDPR do not affect the attractiveness of internet start-ups, but rather reassure all the stakeholders involved. The implementation and the required actions to comply, however, could affect the way start-ups operate at first, but in the long term I do not expect disruption,” Inti Paolucci, partner at venture capital fund GapMinder, told BR.
“The GDPR sets a legal framework for the collection and processing of individual data in the EU. From this perspective, it regulates a rather controversial area, in which companies did not have clear boundaries. The framework ensures customers’ data protection and reduces companies’ risk of facing legal action,” he added. The fund has already backed 14 start-ups in Romania with the potential to grow internationally. GapMinder looks to provide seed investments in the EUR 200,000 – EUR 4 million band. Paolucci said that GDPR compliance and the way in which start-ups process the new rules have become important parts of the investment discussions. “Non-compliance or a business model not fitting GDPR are definitely red flags for investors,” said the partner.
Meanwhile, Marius Ghenea, investment director at 3TS Capital, says the new GDPR rules impact companies across the board, including internet start-ups and early-stage IT businesses. “In terms of their attractiveness to investors, because in general the impact is fairly evenly spread, these young technology companies from Romania and the region will continue to receive the same interest from risk capital funds. There may be some exceptions, in cases where companies have relied heavily in their business model on communication tactics which are no longer allowed by the new GDPR,” Ghenea told BR.
Asked how the GDPR had been implemented in companies in which 3TS Capital has invested, Ghenea said the matter “was addressed properly, probably better than in most purely entrepreneurial companies, with no structured investors in their shareholding.”