It takes "thousands of hours" to comply with GDPR, says one tech CEO

Jun 12, 2018

The European Union's new privacy rule, called the General Data Protection Regulation, is officially in effect. To comply with it, some small businesses and startups have had to put other work on hold. The GDPR requires companies that have European customers to get clear consent to gather their information, make that data available for correction, and even delete it if the customer asks. And the fines for not complying are huge. Lawrence Coburn is CEO of a company called DoubleDutch that makes mobile apps for conferences. The apps collect location information, demographic data and sometimes contacts and job information from attendees from all over the world. Coburn spoke with Marketplace Tech host Molly Wood about how much stress the GDPR has caused him. The following is an edited transcript of their conversation.

Lawrence Coburn: It's been super intense, and I don't think we're alone in that. It's just been a very intense and scary period for a lot of companies, I think because the stakes are so high.

Molly Wood: Can you give us a ballpark of maybe how much money you've put into compliance efforts?

Coburn: Oh, man, it's probably been thousands of hours. So you have to make sure that you're set up as a software company for if one of your end users of your software decides that they want to be forgotten, that they want all of their records to be deleted, you have to be set up to do that. In the old world, that was kind of an unusual thing, because most software companies, most marketing departments, don't want to make it super easy to delete somebody completely. And so that's been a new sort of product development thing that's kind of gotten bumped to the top of everybody's road map.

Wood: And so, you don't have to give us a dollar amount, but when you look at your budget, did you have to allocate money specifically to this, substantial money?

Coburn: Yeah, it was substantial. So GDPR is something that because it had a hard date associated with it, you kind of had to bump everything down on your road map to make sure that you got done with the GDPR compliance things. And so that's expensive. Any time you start taking 20 Silicon Valley engineers and putting them on something that is not related necessarily to your core business, the costs get very high. You know, we're talking probably high hundreds of hours if not thousands of hours.

Wood: So how does this affect, for you and for anybody else, any other company your size, how does that affect how you think about growth?

Coburn: So I think you have to make the decision do you want to serve the kinds of customers for whom GDPR is important? And there's an interesting point there where GDPR is positioned as sort of this European thing where if you want to do business in Europe you have to comply. It's actually bigger than that. So most of the enterprise customers that we do business with are choosing to comply with GDPR globally. And the reason is pretty simple. Let's say that you're a company in San Francisco that is hosting a conference and one of your attendees is from Germany. You need to treat them in compliance with GDPR. So in order to do that, you just have to be bigger. Maybe you have to raise more venture funding or maybe you have to wait longer to sell into the enterprise.

Wood: Broadly, I've heard that same argument applied to marketing, the idea that actually this could end up concentrating marketing dollars, say on Facebook and Google, where you just kind of know that they've got it figured out.

Coburn: Yeah, and I think that's true not only in marketing, I think that's in all software. I think we're going to see consolidation on a handful of trusted vendors where there's confidence that they have the legal and product and engineering resources to be buttoned up on GDPR. So there's intense pressure on these companies to simplify their external relationships. The winners are going to keep winning. I think it's going to be that the rich get richer and the smaller companies have a harder bar to break through.

Wood: Why is that always the answer? So then when you talk to other entrepreneurs and when you do all this work yourself and delay parts of your product road map, what's the feeling about GDPR? How do you feel about this development?

Coburn: You know, I think entrepreneurs are optimistic in general, and if they weren't they wouldn't be in this line of work. So I generally feel what I said, which is that if this is good for attendees and consumers, if it gives them more confidence in logging into more software because they know there are strict laws protecting them, overall that's going to lead to more usage. So I think that long term, especially as people start to figure out how GDPR is going to get enforced, this is probably going to be a net positive for the overall software industry. I think short term it's just going to be there's a lot of uncertainty. Nobody really knows how it's going to be enforced. The stakes are super high. Somebody is probably going to have to swallow a giant fine and start to set some precedent for what is acceptable behavior, because right now there's just a lot of gray out there and it's scaring folks a lot. I mean, the stakes of 4 percent of global revenue, 20 million euros. These are substantial fines, and nobody wants to get dinged with that.
