Being GDPR perfect as a start-up

What is it like to be a start-up in a gold-rush? What about if that start-up has succeeded in niching the privacy space in the EU?


I am back to blogging after taking a break -well not complete- during at least 2 years. Not a complete break, because I have been posting on LinkedIn. These posts have now been migrated to this blog. A break because I’ve been busy as founder of startup Privasee. 18 months ago it was just me, and now we are 12.

I will be blogging about life as a start-up. I am the CEO and founder of Privasee. I will be airing the challenges we face ourselves, not just the normal stuff like cash-flow and getting brand recognition, but how do we at Privasee work with GDPR compliance internally? We must be perfect after all?

That we are privacy advocates by heart, it has created some dilemmas. On the one side are those who say we must practice what we preach to the book, i.e. do not use cloud services if they are not GDPR-compliance, which incidentally is just about all of them today. Yet, as a 12 employee company, it really does not make any sense to host internally.

This view versus, that in order to understand and advise better our clients, we need to do the same as them, fix it and then we can advise beyond what we could otherwise by being ‘pure’.  The fact is if we look at a fundamental flaw to aspire ‘perfection’ although we all strive for perfection for ourselves, when we see it in others it doesn’t inspire any kind of longing or respect. It is through our imperfections that we learn, if we see them, acknowledge and remediate them.

I wrote a post in the Autumn GDPR Paralysis? Originally posted to LinkedIn. It is a story not just of what I had observed happening in the market but of the challenges we have internally in Privasee. What we realised is that we were marketing ourselves almost as ‘purest’ when we are not. We want to help our clients to take this elephant and get it working, and we don’t help them by acting in anyway righteous on how we are operating internally, we help them by being realistic. For example, for a cloud service I am looking to see if they are based in the EU, where is data stored? I want to see on their website, or I ring them and ask about GDPR, are they prepared to work with us? If they are saying the right things, then we can make an intelligent guess that they are on their way.

For example, our website sucks. It is using Wix which is horrible, but it’s easy to use, and we are not web design experts, and free-lance web designers seem to lean towards WordPress, which has not earned any awards for privacy either. It is the dilemma of usability versus privacy. So as a startup we have had some heated conversations internally concerning the website during at least half a year. Yes we must do this right, but how? We will be launching a new website next week, and yes, it will be hosted by Privasee using ELITs platform. ELITs and Privasee are working together to make the GDPR compliance work, but we are not done yet.

Our learning platform was another challenge. Up until end of 2017 we were using Curatr. Which is a social learning platform, and is really a cool learning experience. However, there were privacy defaults which were not following Privacy by Design best practices, and from an Admin angle, it was really difficult to configure in order to be able to respond to requirements such as the ‘right to be forgotten’ part of GDPR. There was more, over which I voiced my concerns on several occasions, which were not taken seriously. We have now retired this platform and are working together with ICE Malta. They are not perfect yet, a DPIA is about to be initiated. But what is great is that if I see something, they act quick. I ring, and they fix, no questions asked.

I’m going to be setting up a webpage on all products/services which Privasee is using in Q1 2018. On this page will be how we find them as a provider on the GDPR scale. Are there some we use because we have no choice, e.g. Office365, but maybe some features should be disabled? Are there some choices we’ve made, e.g. our learning platform and website, because the alternative choices were limited?

Do you have any stories to share where you have contacted cloud providers? Would be great to hear…

All this and more, i.e. the thinking behind our choices I will post here. So watch this space 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.