Compliance as a Service. Ethyca: “End-to-End user data privacy: Ethyca is Privacy Infrastructure for developer teams to automate compliance with and management of User Data Privacy”
B2B Privacy Tech consists of all the tools (SaaS, APIs, SDKs…) that enable businesses to build privacy-friendly and compliant products.
I’m very bullish on this trend, as privacy-related regulation is growing (GDPR in Europe, CCPA in California) and users are increasingly concerned with what companies do with their data. At the same time, being compliant and integrating privacy-friendly technology is not an aspect on which businesses should spend too many internal resources (privacy will become table stakes, like having your SaaS hosted in the cloud today). Hence, it makes a ton of sense for a new generation of B2B tools to provide this “privacy technology and compliance as a service”.
The field is booming. To illustrate this trend I’ve started a landscape covering 25 startups in this space:
When I did my research, I saw three approaches emerging:
Compliance as a Service
Data Transformation
Verticalized Privacy tools
Compliance as a Service. It’s probably the most straightforward approach. Products in this category help businesses comply with the law on topics such as DSRs (Data Subject Requests), consent management, data audits, data breach reports and more.
Data Transformation. The approach of products in this category is to target the “layer below” and transform your sensitive data (encrypt, anonymize or pseudonymize) in order to protect it. This is a very interesting field driven by exciting technology.
Verticalized Privacy tools. Privacy-related requirements can be very different from one industry to the other (Fintech, Healthcare, Logistics, Legal etc.) and it makes a ton of sense for startups to build privacy tech products that answer the specific needs of these sectors.
In that perspective, Ethyca is a very interesting product in the "Compliance as a Service" category.
👍I’m personally bullish on the B2B privacy tech market.
When it comes to this market, it’s very important to distinguish SMB from enterprise customers:
SMBs: they generally have no or a low budget dedicated to privacy compliance. It’s often done “DIY” style: an internal employee, who is not a privacy specialist, is assigned to work on the most important aspects such as cookie and consent management, sometimes with the help of external services such as attorneys or specialized agencies. For instance, the vast majority of SMBs are still not GDPR compliant.
Enterprises: they deal with more complexity when it comes to privacy implementation and face more risks (big fines). As a consequence, they are much more educated about this problem, have specialized staff in the Legal & Compliance department working on it, and a significant budget to implement and maintain compliance.
According to several studies, the budget dedicated to implementing GDPR regulation (for the enterprise segment) is on average $3M. It’s only an average: this budget varies a lot depending on the size of the company and its industry (e.g. banks versus manufacturers). This figure includes everything from labor costs (hiring, training, salaries…) to software spending and external services (attorneys etc.).
When it comes to SMBs, the budget varies greatly depending on the size and industry of the business and ranges from zero to a few tens of thousands of dollars.
According to Fortune, “the total amount spent by US companies with more than 500 employees (there are 19 000 of them) on GDPR compliance reached $150B.”
“Ernst & Young reported that the world’s 500 biggest corporations are on track to spend a combined total of $7.8 billion to comply with GDPR.”
You get the idea: the overall market is big once you take into account all customer segments and the different regulations.
It’s important to note that the budgets shared above are initial investments. Once privacy compliance programs are launched, companies spend less on ongoing “maintenance” over time (but it’s a recurring spend).
The trend is clear: four of the world’s 10 largest economies (Europe, California, India and Brazil) have rolled out new data protection laws in the past year. So there’s no doubt that others will follow.
👍I find the approach of Ethyca extremely interesting as it wants to solve the privacy compliance problem at the code level (unlike the majority of other products in the same category, which are mostly pure “front-end” products). Basically, Ethyca acts as a layer that you install on top of your data infrastructure (like a middleware) and which helps you deal with the major privacy regulation requirements through its API.
Let’s take a concrete example to illustrate how it works:
You set up Ethyca.
A user sends you a “Subject Access Request” (or DSR, Data Subject Request) because they want to see all the data related to them that your service stores.
You simply make an API call to Ethyca with the user ID (see pic below) and it will automatically retrieve the corresponding personal data that you have about this user.
And you can perform a bunch of similar actions (right to be forgotten, user deletion, data mapping) simply by making API calls.
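To make the “middleware over your data” idea concrete, here is an added example of what such a layer does internally. It is not Ethyca’s code or API (the post only shows an API call with a user ID); every class, function name and sample record below is an assumption I constructed for illustration. The design point it shows is the one the post describes: a single data map declares where each system holds personal data for a user ID, and both an access request and an erasure request are served by one call that fans out over that map, while an audit trail records what was returned or deleted. It also handles the case the post’s list implies but does not spell out, a system under a legal retention duty that must be reported as retained rather than erased.

```python
# Added example (not Ethyca's code or API): a minimal "privacy middleware" in the
# style the post describes. A data map declares where each system stores personal
# data for a given user id; access and erasure requests are then served by one
# call that fans out over that map. All names and sample records are constructed.
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List


def sample_stores() -> Dict[str, Any]:
    """Constructed stand-ins for an application's databases (fresh copy per call)."""
    return copy.deepcopy({
        "users": {"u-42": {"email": "dana@example.com", "name": "Dana"},
                  "u-7": {"email": "lee@example.com", "name": "Lee"}},
        "orders": [{"user_id": "u-42", "sku": "A1", "amount": 19.99},
                   {"user_id": "u-42", "sku": "B2", "amount": 5.00},
                   {"user_id": "u-7", "sku": "A1", "amount": 19.99}],
        "support": [{"user_id": "u-42", "body": "Please fix my invoice"}],
    })


@dataclass
class DataMapEntry:
    """Where one system keeps personal data and how to find/erase it by user id."""
    category: str
    locate: Callable[[str], List[Dict[str, Any]]]
    erase: Callable[[str], int]             # returns number of records erased
    legal_hold: bool = False                # retained under another legal duty


@dataclass
class PrivacyMiddleware:
    data_map: Dict[str, DataMapEntry]
    audit_log: List[Dict[str, Any]] = field(default_factory=list)

    def _audit(self, action: str, user_id: str, detail: Any) -> None:
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "action": action, "subject": user_id, "detail": detail})

    def access_request(self, user_id: str) -> Dict[str, Any]:
        """Data Subject Access Request: collect every record held about user_id."""
        systems = {name: entry.locate(user_id) for name, entry in self.data_map.items()}
        self._audit("access", user_id, {k: len(v) for k, v in systems.items()})
        return {"subject": user_id, "systems": systems}

    def erasure_request(self, user_id: str) -> Dict[str, Any]:
        """Right to be forgotten: erase where allowed, report what must be kept."""
        erased: Dict[str, int] = {}
        retained: List[str] = []
        for name, entry in self.data_map.items():
            if entry.legal_hold:
                retained.append(name)
            else:
                erased[name] = entry.erase(user_id)
        self._audit("erasure", user_id, {"erased": erased, "retained": retained})
        return {"subject": user_id, "erased": erased, "retained": retained}


def build_middleware(stores: Dict[str, Any]) -> PrivacyMiddleware:
    """Declare the data map over the sample stores (hypothetical layout)."""
    def locate_rows(table: str) -> Callable[[str], List[Dict[str, Any]]]:
        return lambda uid: [r for r in stores[table] if r["user_id"] == uid]

    def erase_rows(table: str) -> Callable[[str], int]:
        def _erase(uid: str) -> int:
            before = len(stores[table])
            stores[table][:] = [r for r in stores[table] if r["user_id"] != uid]
            return before - len(stores[table])
        return _erase

    return PrivacyMiddleware({
        "users": DataMapEntry(
            "identity",
            lambda uid: [stores["users"][uid]] if uid in stores["users"] else [],
            lambda uid: 1 if stores["users"].pop(uid, None) is not None else 0),
        # Orders are kept for accounting purposes, so erasure is refused and reported.
        "orders": DataMapEntry("transaction", locate_rows("orders"),
                               erase_rows("orders"), legal_hold=True),
        "support": DataMapEntry("communication", locate_rows("support"),
                                erase_rows("support")),
    })


if __name__ == "__main__":
    mw = build_middleware(sample_stores())
    print(mw.access_request("u-42"))    # every record held about u-42, per system
    print(mw.erasure_request("u-42"))   # users/support erased, orders retained
    print(mw.access_request("u-42"))    # only the retained orders remain
```

The value of keeping the data map in one place is that adding a new regulation or a new store means editing that declaration, not every application endpoint; the audit log is what you hand to an auditor to show a request was fulfilled (or why part of it was refused).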
👍An aspect that I like about this approach (compliance integrated at the code level) is that once you have Ethyca installed, you potentially have nothing more to do to comply with other regulations (GDPR, CCPA…), as the middleware will be in charge of it.
👎Obviously, the major drawback to this “deeply integrated” approach is that only developers can set up the tool, which takes time and resources. The key for Ethyca will be to remove as much setup friction as possible. In a way, it reminds me of the beginning of tools like Intercom, which were made for marketers who couldn't install it themselves and needed to convince developers first. Convincing developers was key.