Why data privacy and compliance software could be a winner in 2021
Steve Sloane, Partner at Menlo Ventures @badtothesloane
The current political environment could bring a demand surge for startups in the data privacy and compliance space. With every new administration/batch of newly elected officials at the federal and local levels, businesses large and small across the country will need to ensure that they are set up to seamlessly course-correct their operations to prepare for the possibility that regulations affecting their business will change.
In California specifically, voters just approved a ballot measure augmenting the requirements in the California Consumer Privacy Act (CCPA), which has been in effect since the beginning of this year.
For all companies, particularly those in highly regulated industries, compliance is a major pain point. Importantly, this is not only a back-office issue but also impacts sales velocity. A Cisco study from Jan. 2019 showed that 87% of respondents experienced delays in sales cycles due to customers’ data privacy concerns. The COVID pandemic has also created even larger roles for security and compliance in purchasing decisions, and as concerns around data privacy intensify, organizations can expect more red tape.
The regulatory policies CIOs need to comply with can be vague and confusing, making it difficult to get a comprehensive understanding of where processes and technology may be out of compliance. To make matters worse, far too much time and money is spent preparing for audits. Now more than ever, there is a case to be made for increasing investment in technology that will help businesses better catalog, track, and manage their data and associated risks. CIOs who take this approach will not only save time and money by reducing the complexities of audits, but they’ll also harden their systems against exploits and vulnerabilities.
As venture capital investors, we’ve been focusing on data privacy and compliance software for these reasons. The market for these tools has experienced extreme growth recently but is still in its early stages. I believe there will be many more winners in the coming years, as the underlying technology infrastructure for compliance improves, and companies ride a smoother wave of adoption.
CIOs are faced with competing priorities: not just security, privacy and compliance, but also giving attention to product development and adapting to changes in customer needs and expectations. Because of this, compliance can sometimes be viewed as a nuisance, or a roadblock, to more innovation. In fact, this nuisance reputation may historically have been compounded by the fact that privacy and security solutions are still in their early days, with 63% of respondents in an IAPP survey citing that immaturity of privacy tech solutions is at least somewhat of a barrier to adoption.
The market is racing to meet this need, however, and innovative startups are leading the way. From 2017 to 2019, there was a nearly 330% increase in the number of vendors tracked by the IAPP, and venture capital funding picked up at a similarly aggressive pace, with over $1B invested into data privacy and regulatory compliance companies in 2019 (up from $408M in 2017). While we’ve seen larger companies like OneTrust truly start to reach significant scale in the space, many of the large fundraising rounds have been raised by companies of modest scale that are betting aggressively on the future.
Interestingly, the privacy and compliance tech market represents a bit of a throwback to “old-school” enterprise software selling, in which the IT department is a key stakeholder. Much of the growth in cloud software that we’ve seen over the past five years has resulted from an expansion of stakeholders and budgets, everything from developers adopting software directly to heads of HR buying tools. Success in the compliance space, however, requires an understanding of the vast and complex data flows present in the organization, a task that almost always requires IT expertise.
I believe there will be a virtuous cycle of innovation and growth in the space. For example, as companies continue to adopt tools in the data-mapping and discovery plane, it will be easier for tools selling data governance and monitoring to successfully integrate and add value. As a result, while we’ve seen the first wave of growth come from these sorts of “foundational companies” in the data mapping, discovery, and governance space, the second wave of growth will likely come from Governance, Risk management, and Compliance (GRC) and workflow platforms that may be distinct from their close cousins. We are excited about companies that provide broad, modularized solutions in the GRC space like LogicGate, as well as more specific vertical workflows for financial services such as Unit21 or Persona.
In our opinion, the most successful companies in the space will leverage workflows, data, and integrations to eventually bring automation to compliance processes. However, this will take time, and workflow insertion points around particular areas, with dedicated teams and partial automation, are likely the most effective ways of going to market in the near term. Over time, however, as software is able to seamlessly identify, move, and properly handle data within systems, value creation will accelerate across the sector. Much as we’ve seen companies like Segment achieve success by orchestrating customer data for marketing purposes, I believe we will see companies like Transcend and Aptible take a similarly compelling ecosystem approach to routing and enriching customer data for privacy purposes.
The privacy ecosystem has been accelerating since GDPR became effective in March of 2018 and companies raced to adopt solutions to protect themselves from potential fines due to non-compliance. While this “gold-rush” fueled the rise of a number of winners, I believe that as companies build more sophisticated compliance stacks on top of existing infrastructure, the second wave of companies within privacy and compliance will also create significant value.