Data protection and tech startups: The need for attention, support, and scrutiny
Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting‐edge’—pushing the boundaries of technologies that typically lack established data pro...
Saved in:
Published in | Policy and internet Vol. 13; no. 2; pp. 278 - 299 |
---|---|
Main Authors | , , , |
Format | Journal Article |
Language | English |
Published |
01.06.2021
|
Subjects | |
Online Access | Get full text |
ISSN | 1944-2866 1944-2866 |
DOI | 10.1002/poi3.255 |
Cover
Abstract | Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting‐edge’—pushing the boundaries of technologies that typically lack established data protection best‐practices. Initial decisions taken by startups could well have long‐term impacts, and their actions may inform (for better or for worse) how particular technologies and the applications they support are implemented, deployed, and perceived for years to come. Ensuring that the innovations and practices of tech startups are sound, appropriate and acceptable should therefore be a high priority. This paper explores the attitudes and preparedness of tech startups to issues of data protection. We interviewed a series of UK‐based emerging tech startups as the EU's General Data Protection Regulation (GDPR) came into effect, which revealed areas in which there is a disconnect between the approaches of the startups and the nature and requirements of the GDPR. We discuss the misconceptions and associated risks facing innovative tech startups and offer a number of considerations for the firms and supervisory authorities alike. In light of our discussions, and given what is at stake, we argue that more needs to be done to help ensure that emerging technologies and the practices of the companies that operate them better align with the regulatory obligations. We conclude that tech startups warrant increased attention, support, and scrutiny to raise the standard of data protection for the benefit of us all.
摘要
尽管关于数据保护的辩论一直聚焦于更大型的、更有名的组织,但初创企业也值得关注。这对科技初创企业尤为如此,它们经常在“前沿”进行创新—突破往往缺少数据保护最佳实践的技术的边界。初创企业的最初决策能产生长期影响,并且其行动能(不论好坏地)影响未来几年里这些科技如何被实施、部署和感知。因此,确保科技初创企业的创新和实践是健全的、适宜的、可接受的,这应是首要重点。
本文探究了科技初创企业在数据保护议题上的态度和准备。我们在《欧盟数据保护通用条例》(GDPR)开始生效时采访了一系列英国的新兴初创企业,结果显示了初创企业的方法与GDPR的性质及要求之间存在不衔接的那些领域。我们探讨了创新科技初创企业面临的错误观念和相关风险,并为企业和监督机构提供了一系列应考量的因素。鉴于关键议题,我们在探讨部分中论证认为,需要付出更多来帮助保证新兴科技(以及使用这些科技的企业的实践)更好地与监管义务保持一致。我们的结论认为,科技初创企业值得更多的关注、支持和监督,以提高数据保护标准,造福所有人。
Resumen
Si bien las discusiones sobre la protección de datos se han centrado en las organizaciones más grandes y establecidas, las nuevas empresas también merecen atención. Esto es particularmente cierto para las nuevas empresas tecnológicas, que a menudo están innovando a la "vanguardia", superando los límites de las tecnologías que generalmente carecen de las mejores prácticas de protección de datos establecidas. Las decisiones iniciales tomadas por las nuevas empresas podrían tener impactos a largo plazo, y sus acciones pueden informar (para bien o para mal) cómo se implementan, despliegan y perciben estas tecnologías en los próximos años. Por lo tanto, garantizar que las innovaciones y prácticas de las nuevas empresas tecnológicas sean sólidas, apropiadas y aceptables debe ser una alta prioridad.
Este documento explora las actitudes y la preparación de las nuevas empresas tecnológicas ante los problemas de protección de datos. Entrevistamos a una serie de startups de tecnología emergente con sede en el Reino Unido cuando entró en vigor el Reglamento General de Protección de Datos (GDPR) de la UE, que reveló áreas en las que existe una desconexión entre los enfoques de las startups y la naturaleza y los requisitos del GDPR. . Discutimos los conceptos erróneos y los riesgos asociados que enfrentan las nuevas empresas tecnológicas innovadoras y ofrecemos una serie de consideraciones para las empresas y las autoridades supervisoras por igual. A la luz de nuestras discusiones, y dado lo que está en juego, argumentamos que es necesario hacer más para ayudar a garantizar que las tecnologías emergentes (y de hecho, las prácticas de las empresas que las operan) se alineen mejor con las obligaciones regulatorias. Concluimos que las nuevas empresas tecnológicas merecen mayor atención, apoyo y escrutinio para elevar el estándar de protección de datos en beneficio de todos nosotros. |
---|---|
AbstractList | Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting‐edge’—pushing the boundaries of technologies that typically lack established data protection best‐practices. Initial decisions taken by startups could well have long‐term impacts, and their actions may inform (for better or for worse) how particular technologies and the applications they support are implemented, deployed, and perceived for years to come. Ensuring that the innovations and practices of tech startups are sound, appropriate and acceptable should therefore be a high priority. This paper explores the attitudes and preparedness of tech startups to issues of data protection. We interviewed a series of UK‐based emerging tech startups as the EU's General Data Protection Regulation (GDPR) came into effect, which revealed areas in which there is a disconnect between the approaches of the startups and the nature and requirements of the GDPR. We discuss the misconceptions and associated risks facing innovative tech startups and offer a number of considerations for the firms and supervisory authorities alike. In light of our discussions, and given what is at stake, we argue that more needs to be done to help ensure that emerging technologies and the practices of the companies that operate them better align with the regulatory obligations. We conclude that tech startups warrant increased attention, support, and scrutiny to raise the standard of data protection for the benefit of us all.
摘要
尽管关于数据保护的辩论一直聚焦于更大型的、更有名的组织,但初创企业也值得关注。这对科技初创企业尤为如此,它们经常在“前沿”进行创新—突破往往缺少数据保护最佳实践的技术的边界。初创企业的最初决策能产生长期影响,并且其行动能(不论好坏地)影响未来几年里这些科技如何被实施、部署和感知。因此,确保科技初创企业的创新和实践是健全的、适宜的、可接受的,这应是首要重点。
本文探究了科技初创企业在数据保护议题上的态度和准备。我们在《欧盟数据保护通用条例》(GDPR)开始生效时采访了一系列英国的新兴初创企业,结果显示了初创企业的方法与GDPR的性质及要求之间存在不衔接的那些领域。我们探讨了创新科技初创企业面临的错误观念和相关风险,并为企业和监督机构提供了一系列应考量的因素。鉴于关键议题,我们在探讨部分中论证认为,需要付出更多来帮助保证新兴科技(以及使用这些科技的企业的实践)更好地与监管义务保持一致。我们的结论认为,科技初创企业值得更多的关注、支持和监督,以提高数据保护标准,造福所有人。
Resumen
Si bien las discusiones sobre la protección de datos se han centrado en las organizaciones más grandes y establecidas, las nuevas empresas también merecen atención. Esto es particularmente cierto para las nuevas empresas tecnológicas, que a menudo están innovando a la "vanguardia", superando los límites de las tecnologías que generalmente carecen de las mejores prácticas de protección de datos establecidas. Las decisiones iniciales tomadas por las nuevas empresas podrían tener impactos a largo plazo, y sus acciones pueden informar (para bien o para mal) cómo se implementan, despliegan y perciben estas tecnologías en los próximos años. Por lo tanto, garantizar que las innovaciones y prácticas de las nuevas empresas tecnológicas sean sólidas, apropiadas y aceptables debe ser una alta prioridad.
Este documento explora las actitudes y la preparación de las nuevas empresas tecnológicas ante los problemas de protección de datos. Entrevistamos a una serie de startups de tecnología emergente con sede en el Reino Unido cuando entró en vigor el Reglamento General de Protección de Datos (GDPR) de la UE, que reveló áreas en las que existe una desconexión entre los enfoques de las startups y la naturaleza y los requisitos del GDPR. . Discutimos los conceptos erróneos y los riesgos asociados que enfrentan las nuevas empresas tecnológicas innovadoras y ofrecemos una serie de consideraciones para las empresas y las autoridades supervisoras por igual. A la luz de nuestras discusiones, y dado lo que está en juego, argumentamos que es necesario hacer más para ayudar a garantizar que las tecnologías emergentes (y de hecho, las prácticas de las empresas que las operan) se alineen mejor con las obligaciones regulatorias. Concluimos que las nuevas empresas tecnológicas merecen mayor atención, apoyo y escrutinio para elevar el estándar de protección de datos en beneficio de todos nosotros. |
Author | Cobbe, Jennifer Janssen, Heleen Singh, Jatinder Norval, Chris |
Author_xml | – sequence: 1 givenname: Chris orcidid: 0000-0002-4331-7863 surname: Norval fullname: Norval, Chris email: chris.norval@cl.cam.ac.uk organization: University of Cambridge – sequence: 2 givenname: Heleen surname: Janssen fullname: Janssen, Heleen organization: University of Cambridge – sequence: 3 givenname: Jennifer surname: Cobbe fullname: Cobbe, Jennifer organization: University of Cambridge – sequence: 4 givenname: Jatinder surname: Singh fullname: Singh, Jatinder organization: University of Cambridge |
BookMark | eNpNkM1KAzEcxINUsK2Cj5AH6NZ8bTbrTarVQqE91HP4N5ulKzUJSRbZt3erHjzNHGYG5jdDE-edReiekiUlhD0E3_ElK8srNKW1EAVTUk7--Rs0S-mDEKm4YFO0f4YMOESfrcmddxhcg0d_wilDzH1Ij_hwsthZ2-DWRww5W3dJLnDqQ_AxL346ycQ-d264RdctnJO9-9M5el-_HFZvxXb3ulk9bQvDWVUWhlWgxJFyVUNpJS-PylTWiLrl1AgqjKGWtrRhFTUMJK9rkEQCjA9U3ZSGz1Hxu_vVne2gQ-w-IQ6aEn3BoC8Y9IhB73cbPir_BkqvU9c |
CitedBy_id | crossref_primary_10_1109_JIOT_2023_3318369 crossref_primary_10_1111_polp_12492 crossref_primary_10_2139_ssrn_4863772 |
ContentType | Journal Article |
Copyright | 2021 The Authors. published by Wiley Periodicals LLC on behalf of Policy Studies Organization |
Copyright_xml | – notice: 2021 The Authors. published by Wiley Periodicals LLC on behalf of Policy Studies Organization |
DBID | 24P |
DOI | 10.1002/poi3.255 |
DatabaseName | Wiley Online Library Open Access |
DatabaseTitleList | |
Database_xml | – sequence: 1 dbid: 24P name: Wiley Online Library Open Access url: https://authorservices.wiley.com/open-science/open-access/browse-journals.html sourceTypes: Publisher |
DeliveryMethod | fulltext_linktorsrc |
Discipline | Sociology & Social History |
EISSN | 1944-2866 |
EndPage | 299 |
ExternalDocumentID | POI3255 |
Genre | article |
GrantInformation_xml | – fundername: Microsoft funderid: Microsoft Cloud Computing Research Centre (MCCRC) – fundername: Engineering and Physical Sciences Research Council funderid: EP/P024394/1; EP/R033501/1 |
GroupedDBID | -~S .Y3 05W 0R~ 1OC 24P 31~ 33P 50Y 50Z 52U 930 A04 AABNI AAESR AAHHS AAHQN AAMNL AANHP AAONW AAOUF AAXRX AAYCA AAZKR ABCUV ABPVW ABSOO ACAHQ ACBKW ACCFJ ACCZN ACGFS ACPOU ACRPL ACXQS ACYXJ ADBBV ADEMA ADEOM ADIZJ ADKYN ADMGS ADNMO ADXAS ADZMN AEEZP AEIGN AEIMD AEQDE AEUQT AEUYR AFBPY AFFPM AFGKR AFKFF AFPWT AFWVQ AFYRF AFZJQ AHBTC AIFKG AIURR AIWBW AJBDE ALMA_UNASSIGNED_HOLDINGS ALUQN ALVPJ AMBMR AMYDB ASPBG ASTYK AZBYB AZVAB BAFTC BDRZF BFHJK BMXJE BNVMJ BQESF BRXPI CKPZI DCZOG DPXWK DRFUL DRSSH EBS EJD FEDTE G-S G50 GODZA H13 HGLYW HVGLF HZ~ LATKE LEEKS LG7 LITHE LOXES LUTES LYRES MEWTI MRFUL MRSSH MSFUL MSSSH MXFUL MXSSH N04 N06 NF~ O66 O9- P2W Q.N QB0 R.K ROL SUPJJ T2Y TKY WBKPD WIH WII WMRSR WOHZO WSUWO WXSBR ZZTAW ~WP |
ID | FETCH-LOGICAL-c3275-c27a84b1389a5e635b8c7ec49f31c414cc1e1f1d271c2a6399a606aa86689d5c3 |
IEDL.DBID | 24P |
ISSN | 1944-2866 |
IngestDate | Wed Jan 22 16:30:15 EST 2025 |
IsDoiOpenAccess | true |
IsOpenAccess | true |
IsPeerReviewed | true |
IsScholarly | true |
Issue | 2 |
Language | English |
License | Attribution |
LinkModel | DirectLink |
MergedId | FETCHMERGED-LOGICAL-c3275-c27a84b1389a5e635b8c7ec49f31c414cc1e1f1d271c2a6399a606aa86689d5c3 |
ORCID | 0000-0002-4331-7863 |
OpenAccessLink | https://onlinelibrary.wiley.com/doi/abs/10.1002%2Fpoi3.255 |
PageCount | 0 |
ParticipantIDs | wiley_primary_10_1002_poi3_255_POI3255 |
PublicationCentury | 2000 |
PublicationDate | June 2021 |
PublicationDateYYYYMMDD | 2021-06-01 |
PublicationDate_xml | – month: 06 year: 2021 text: June 2021 |
PublicationDecade | 2020 |
PublicationTitle | Policy and internet |
PublicationYear | 2021 |
References | 2015; 5 2019; 15 2009 2019; 17 1995 2006; 3 2018; 26 2018; 25 2020; 5 2018; 8 2018; 4 2019c 2013; 13 2020 2019b 2019a 2018; 376 2019 2018 2017 2016 2018; 51 2013 2012; 6 2007; 1 2017; 149 |
References_xml | – year: 2009 – volume: 13 start-page: 190 issue: 2 year: 2013 end-page: 197 article-title: ‘Unsatisfactory saturation’: A critical exploration of the notion of saturated sample sizes publication-title: Qualitative Research – volume: 4 issue: 1 year: 2018 article-title: “Participant” perceptions of Twitter research ethics publication-title: Social Media+Society – volume: 25 start-page: 1 issue: 1 year: 2018 end-page: 106 article-title: Blockchain demystified: A technical and legal introduction to distributed and centralized ledgers publication-title: Richmond Journal of Law and Technology – volume: 8 start-page: 105 issue: 2 year: 2018 end-page: 123 article-title: When data protection by design and data subject rights clash publication-title: International Data Privacy Law – year: 2019c – volume: 5 start-page: 205 issue: 3 year: 2015 end-page: 216 article-title: Principles‐based regulation of personal data: The case of ‘fair processing’ publication-title: International Data Privacy Law – year: 2019a – volume: 1 start-page: 191 issue: 3 year: 2007 end-page: 206 article-title: Making a success of principles‐based regulation publication-title: Law and Financial Markets Review – year: 2016 – volume: 5 start-page: 65 issue: 1 year: 2020 end-page: 93 article-title: What lies beneath: Transparency in online service supply chains publication-title: Journal of Cyber Policy – year: 2018 – volume: 17 start-page: 21 issue: 6 year: 2019 end-page: 30 article-title: The security implications of data subject rights publication-title: IEEE Security & Privacy – volume: 3 start-page: 77 issue: 2 year: 2006 end-page: 101 article-title: Using thematic analysis in psychology publication-title: Qualitative Research in Psychology – volume: 6 start-page: 116 issue: 2 year: 2012 end-page: 132 article-title: All the right moves: How entrepreneurial firms compete effectively publication-title: Strategic Entrepreneurship Journal – volume: 376 start-page: 1 issue: 2133 year: 2018 end-page: 15 article-title: Algorithms that remember: Model inversion attacks and data protection law publication-title: Philosophical Transactions of the Royal Society A: Mathematical Physical and Engineering Sciences – volume: 25 start-page: 1 issue: 1 year: 2018 end-page: 109 article-title: GDPR: The end of Google and Facebook or a new paradigm in data privacy? publication-title: Richmond Journal of Law and Technology – volume: 15 start-page: 187 issue: 3 year: 2019 end-page: 201 article-title: Automating dynamic consent decisions for the processing of social media data in health research publication-title: Journal of Empirical Research on Human Research Ethics – year: 2020 – volume: 149 start-page: 21 year: 2017 end-page: 23 article-title: ‘European’ data privacy standards implemented in laws outside Europe publication-title: Privacy Laws & Business International Report – year: 1995 – year: 2017 – year: 2019b – volume: 51 start-page: 56 issue: 8 year: 2018 end-page: 59 article-title: User data privacy: Facebook, Cambridge Analytica, and privacy protection publication-title: Computer – year: 2019 – volume: 26 start-page: 1 issue: 1 year: 2018 end-page: 15 article-title: GDPR compliance in Norwegian companies publication-title: Proceedings from the Annual NOKOBIT Conference, Svalbard, Norway – year: 2013 |
SSID | ssj0068342 |
Score | 2.2729757 |
Snippet | Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for... |
SourceID | wiley |
SourceType | Publisher |
StartPage | 278 |
SubjectTerms | compliance data protection data subject rights emerging technology General Data Protection Regulation (GDPR) privacy by design supervisory authorities tech‐startups |
Title | Data protection and tech startups: The need for attention, support, and scrutiny |
URI | https://onlinelibrary.wiley.com/doi/abs/10.1002%2Fpoi3.255 |
Volume | 13 |
hasFullText | 1 |
inHoldings | 1 |
isFullTextHit | |
isPrint | |
link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV07T8MwELagLCyIp6A85AF1qil-Jc6IgKogAR2o1C3yU2JJqzYd-u97dtIiNqYs9uD74rvP57vPCN0zqQP1zJFCFxkRNhTEZLkjTlEvmKV5lhL6H5_ZaCLep3LaVlXGXphGH2KXcIs7I_nruMG1WQ5-RUPnsx_-AIR4Hx3QGPSjqrMYb71wpnh6OAfO6IIwlWVb4dlHNtjO_MtHU0AZHqOjlgnipwa6E7Tnq1PU3TWQ4B5uWmdxo-SxPkPjF11r3CorgD2xrhyOIqwYKN6iXsHSMMCOK4hIGMgojtqZqZqxj5ereWTa_TQHXAX8b9X6HE2Gr9_PI9K-iEAsZ7kkluVaCRMvF7X0wBWMsrm3ogicWkGFtdTTQB3LqWU6kg8NBxStYf2qcNLyC9SpZpW_RJhrgInK4KQ0IjgVscwLaYM30hWUX6FeMk45b1QvykbfmJXReiVYrxx_vXH4dv878BodslgQklIYN6hTL1b-FiJ6be4SdBt_WJ3q |
linkProvider | Wiley-Blackwell |
linkToHtml | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV1LTwIxEG4QD3oxPqP46sFwokKfuxtPRiWggBwg4bbptt3Ey0JwOfDvnXYB481TL-2h87UzX6edrwg9MKlz6pgliU4UESZPSKYiS2xMnWCGRiok9Icj1ZuK95mc1dDTtham0ofYJdz8zgj-2m9wn5Bu_6qGLuZf_BEY8R7aF4p1_JJmYrx1wyrm4eccOKQLwmKltsqzHdbejvxLSENE6R6jow0VxM8Vdieo5opT1NhVkOAmrmpncSXlsT5D41ddaryRVgCDYl1Y7FVYMXC8ZbmCuWHAHRcQkjCwUezFM8Nzxhb-Xi081W6FMeArYMEV63M07b5NXnpk8yUCMZxFkhgW6Vhk_nZRSwdkIYtN5IxIck6NoMIY6mhOLYuoYdqzDw0nFK1h_nFipeEXqF7MC3eJMNeAE5W5lTITuY09mFEiTe4yaRPKr1AzGCddVLIXaSVwzFJvvRSsl44_-xzaxn873qOD3mQ4SAf90cc1OmT-dUjIZ9ygerlcuVsI72V2F2D8ASLtoVk |
linkToPdf | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjZ07T8MwEMctKBJiQTwF5eUBdaopfuUxIkrV8igZqNQtcvyQWNKopEO_PWcnBbExZYkH38V3fzt3PyN0y6Ry1DJDUpVGRGiXkiKKDTEJtYJpGkfhQP9tGo1n4nku521Vpe-FafgQPwdufmWEeO0XeGXc4BcaWi0--R0I4m20IzyxxVOdRbaJwlHCw8U5sEcXhCVRtAHP3rPBZuRfPRoSyugA7bdKED80rjtEW7Y8Qt2fBhLcw03rLG5IHutjlA1VrXBLVgB7YlUa7CGsGCTesl7B1DC4HZeQkTCIUezZmaGasY-_VpVX2v0wBkIFfG_l-gTNRk8fj2PS3ohANGexJJrFKhGF_7mopAWtUCQ6tlqkjlMtqNCaWuqoYTHVTHnxoWCDohTMP0mN1PwUdcpFac8Q5grcRKUzUhbCmcT7Mk6ldraQJqX8HPWCcfKqoV7kDd-Y5d56OVgvz94nHJ7d_754g3az4Sh_nUxfLtAe87Uh4TTjEnXq5cpeQXKvi-vgxW-F8KCL |
openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Data+protection+and+tech+startups%3A+The+need+for+attention%2C+support%2C+and+scrutiny&rft.jtitle=Policy+and+internet&rft.au=Norval%2C+Chris&rft.au=Janssen%2C+Heleen&rft.au=Cobbe%2C+Jennifer&rft.au=Singh%2C+Jatinder&rft.date=2021-06-01&rft.issn=1944-2866&rft.eissn=1944-2866&rft.volume=13&rft.issue=2&rft.spage=278&rft.epage=299&rft_id=info:doi/10.1002%2Fpoi3.255&rft.externalDBID=10.1002%252Fpoi3.255&rft.externalDocID=POI3255 |
thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1944-2866&client=summon |
thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1944-2866&client=summon |
thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1944-2866&client=summon |