Data protection and tech startups: The need for attention, support, and scrutiny

Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting‐edge’—pushing the boundaries of technologies that typically lack established data pro...

Full description

Saved in:
Bibliographic Details
Published inPolicy and internet Vol. 13; no. 2; pp. 278 - 299
Main Authors Norval, Chris, Janssen, Heleen, Cobbe, Jennifer, Singh, Jatinder
Format Journal Article
LanguageEnglish
Published 01.06.2021
Subjects
Online AccessGet full text
ISSN1944-2866
1944-2866
DOI10.1002/poi3.255

Cover

Abstract Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting‐edge’—pushing the boundaries of technologies that typically lack established data protection best‐practices. Initial decisions taken by startups could well have long‐term impacts, and their actions may inform (for better or for worse) how particular technologies and the applications they support are implemented, deployed, and perceived for years to come. Ensuring that the innovations and practices of tech startups are sound, appropriate and acceptable should therefore be a high priority. This paper explores the attitudes and preparedness of tech startups to issues of data protection. We interviewed a series of UK‐based emerging tech startups as the EU's General Data Protection Regulation (GDPR) came into effect, which revealed areas in which there is a disconnect between the approaches of the startups and the nature and requirements of the GDPR. We discuss the misconceptions and associated risks facing innovative tech startups and offer a number of considerations for the firms and supervisory authorities alike. In light of our discussions, and given what is at stake, we argue that more needs to be done to help ensure that emerging technologies and the practices of the companies that operate them better align with the regulatory obligations. We conclude that tech startups warrant increased attention, support, and scrutiny to raise the standard of data protection for the benefit of us all. 摘要 尽管关于数据保护的辩论一直聚焦于更大型的、更有名的组织,但初创企业也值得关注。这对科技初创企业尤为如此,它们经常在“前沿”进行创新—突破往往缺少数据保护最佳实践的技术的边界。初创企业的最初决策能产生长期影响,并且其行动能(不论好坏地)影响未来几年里这些科技如何被实施、部署和感知。因此,确保科技初创企业的创新和实践是健全的、适宜的、可接受的,这应是首要重点。 本文探究了科技初创企业在数据保护议题上的态度和准备。我们在《欧盟数据保护通用条例》(GDPR)开始生效时采访了一系列英国的新兴初创企业,结果显示了初创企业的方法与GDPR的性质及要求之间存在不衔接的那些领域。我们探讨了创新科技初创企业面临的错误观念和相关风险,并为企业和监督机构提供了一系列应考量的因素。鉴于关键议题,我们在探讨部分中论证认为,需要付出更多来帮助保证新兴科技(以及使用这些科技的企业的实践)更好地与监管义务保持一致。我们的结论认为,科技初创企业值得更多的关注、支持和监督,以提高数据保护标准,造福所有人。 Resumen Si bien las discusiones sobre la protección de datos se han centrado en las organizaciones más grandes y establecidas, las nuevas empresas también merecen atención. Esto es particularmente cierto para las nuevas empresas tecnológicas, que a menudo están innovando a la "vanguardia", superando los límites de las tecnologías que generalmente carecen de las mejores prácticas de protección de datos establecidas. Las decisiones iniciales tomadas por las nuevas empresas podrían tener impactos a largo plazo, y sus acciones pueden informar (para bien o para mal) cómo se implementan, despliegan y perciben estas tecnologías en los próximos años. Por lo tanto, garantizar que las innovaciones y prácticas de las nuevas empresas tecnológicas sean sólidas, apropiadas y aceptables debe ser una alta prioridad. Este documento explora las actitudes y la preparación de las nuevas empresas tecnológicas ante los problemas de protección de datos. Entrevistamos a una serie de startups de tecnología emergente con sede en el Reino Unido cuando entró en vigor el Reglamento General de Protección de Datos (GDPR) de la UE, que reveló áreas en las que existe una desconexión entre los enfoques de las startups y la naturaleza y los requisitos del GDPR. . Discutimos los conceptos erróneos y los riesgos asociados que enfrentan las nuevas empresas tecnológicas innovadoras y ofrecemos una serie de consideraciones para las empresas y las autoridades supervisoras por igual. A la luz de nuestras discusiones, y dado lo que está en juego, argumentamos que es necesario hacer más para ayudar a garantizar que las tecnologías emergentes (y de hecho, las prácticas de las empresas que las operan) se alineen mejor con las obligaciones regulatorias. Concluimos que las nuevas empresas tecnológicas merecen mayor atención, apoyo y escrutinio para elevar el estándar de protección de datos en beneficio de todos nosotros.
AbstractList Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for tech startups, who are often innovating at the ‘cutting‐edge’—pushing the boundaries of technologies that typically lack established data protection best‐practices. Initial decisions taken by startups could well have long‐term impacts, and their actions may inform (for better or for worse) how particular technologies and the applications they support are implemented, deployed, and perceived for years to come. Ensuring that the innovations and practices of tech startups are sound, appropriate and acceptable should therefore be a high priority. This paper explores the attitudes and preparedness of tech startups to issues of data protection. We interviewed a series of UK‐based emerging tech startups as the EU's General Data Protection Regulation (GDPR) came into effect, which revealed areas in which there is a disconnect between the approaches of the startups and the nature and requirements of the GDPR. We discuss the misconceptions and associated risks facing innovative tech startups and offer a number of considerations for the firms and supervisory authorities alike. In light of our discussions, and given what is at stake, we argue that more needs to be done to help ensure that emerging technologies and the practices of the companies that operate them better align with the regulatory obligations. We conclude that tech startups warrant increased attention, support, and scrutiny to raise the standard of data protection for the benefit of us all. 摘要 尽管关于数据保护的辩论一直聚焦于更大型的、更有名的组织,但初创企业也值得关注。这对科技初创企业尤为如此,它们经常在“前沿”进行创新—突破往往缺少数据保护最佳实践的技术的边界。初创企业的最初决策能产生长期影响,并且其行动能(不论好坏地)影响未来几年里这些科技如何被实施、部署和感知。因此,确保科技初创企业的创新和实践是健全的、适宜的、可接受的,这应是首要重点。 本文探究了科技初创企业在数据保护议题上的态度和准备。我们在《欧盟数据保护通用条例》(GDPR)开始生效时采访了一系列英国的新兴初创企业,结果显示了初创企业的方法与GDPR的性质及要求之间存在不衔接的那些领域。我们探讨了创新科技初创企业面临的错误观念和相关风险,并为企业和监督机构提供了一系列应考量的因素。鉴于关键议题,我们在探讨部分中论证认为,需要付出更多来帮助保证新兴科技(以及使用这些科技的企业的实践)更好地与监管义务保持一致。我们的结论认为,科技初创企业值得更多的关注、支持和监督,以提高数据保护标准,造福所有人。 Resumen Si bien las discusiones sobre la protección de datos se han centrado en las organizaciones más grandes y establecidas, las nuevas empresas también merecen atención. Esto es particularmente cierto para las nuevas empresas tecnológicas, que a menudo están innovando a la "vanguardia", superando los límites de las tecnologías que generalmente carecen de las mejores prácticas de protección de datos establecidas. Las decisiones iniciales tomadas por las nuevas empresas podrían tener impactos a largo plazo, y sus acciones pueden informar (para bien o para mal) cómo se implementan, despliegan y perciben estas tecnologías en los próximos años. Por lo tanto, garantizar que las innovaciones y prácticas de las nuevas empresas tecnológicas sean sólidas, apropiadas y aceptables debe ser una alta prioridad. Este documento explora las actitudes y la preparación de las nuevas empresas tecnológicas ante los problemas de protección de datos. Entrevistamos a una serie de startups de tecnología emergente con sede en el Reino Unido cuando entró en vigor el Reglamento General de Protección de Datos (GDPR) de la UE, que reveló áreas en las que existe una desconexión entre los enfoques de las startups y la naturaleza y los requisitos del GDPR. . Discutimos los conceptos erróneos y los riesgos asociados que enfrentan las nuevas empresas tecnológicas innovadoras y ofrecemos una serie de consideraciones para las empresas y las autoridades supervisoras por igual. A la luz de nuestras discusiones, y dado lo que está en juego, argumentamos que es necesario hacer más para ayudar a garantizar que las tecnologías emergentes (y de hecho, las prácticas de las empresas que las operan) se alineen mejor con las obligaciones regulatorias. Concluimos que las nuevas empresas tecnológicas merecen mayor atención, apoyo y escrutinio para elevar el estándar de protección de datos en beneficio de todos nosotros.
Author Cobbe, Jennifer
Janssen, Heleen
Singh, Jatinder
Norval, Chris
Author_xml – sequence: 1
  givenname: Chris
  orcidid: 0000-0002-4331-7863
  surname: Norval
  fullname: Norval, Chris
  email: chris.norval@cl.cam.ac.uk
  organization: University of Cambridge
– sequence: 2
  givenname: Heleen
  surname: Janssen
  fullname: Janssen, Heleen
  organization: University of Cambridge
– sequence: 3
  givenname: Jennifer
  surname: Cobbe
  fullname: Cobbe, Jennifer
  organization: University of Cambridge
– sequence: 4
  givenname: Jatinder
  surname: Singh
  fullname: Singh, Jatinder
  organization: University of Cambridge
BookMark eNpNkM1KAzEcxINUsK2Cj5AH6NZ8bTbrTarVQqE91HP4N5ulKzUJSRbZt3erHjzNHGYG5jdDE-edReiekiUlhD0E3_ElK8srNKW1EAVTUk7--Rs0S-mDEKm4YFO0f4YMOESfrcmddxhcg0d_wilDzH1Ij_hwsthZ2-DWRww5W3dJLnDqQ_AxL346ycQ-d264RdctnJO9-9M5el-_HFZvxXb3ulk9bQvDWVUWhlWgxJFyVUNpJS-PylTWiLrl1AgqjKGWtrRhFTUMJK9rkEQCjA9U3ZSGz1Hxu_vVne2gQ-w-IQ6aEn3BoC8Y9IhB73cbPir_BkqvU9c
CitedBy_id crossref_primary_10_1109_JIOT_2023_3318369
crossref_primary_10_1111_polp_12492
crossref_primary_10_2139_ssrn_4863772
ContentType Journal Article
Copyright 2021 The Authors. published by Wiley Periodicals LLC on behalf of Policy Studies Organization
Copyright_xml – notice: 2021 The Authors. published by Wiley Periodicals LLC on behalf of Policy Studies Organization
DBID 24P
DOI 10.1002/poi3.255
DatabaseName Wiley Online Library Open Access
DatabaseTitleList
Database_xml – sequence: 1
  dbid: 24P
  name: Wiley Online Library Open Access
  url: https://authorservices.wiley.com/open-science/open-access/browse-journals.html
  sourceTypes: Publisher
DeliveryMethod fulltext_linktorsrc
Discipline Sociology & Social History
EISSN 1944-2866
EndPage 299
ExternalDocumentID POI3255
Genre article
GrantInformation_xml – fundername: Microsoft
  funderid: Microsoft Cloud Computing Research Centre (MCCRC)
– fundername: Engineering and Physical Sciences Research Council
  funderid: EP/P024394/1; EP/R033501/1
GroupedDBID -~S
.Y3
05W
0R~
1OC
24P
31~
33P
50Y
50Z
52U
930
A04
AABNI
AAESR
AAHHS
AAHQN
AAMNL
AANHP
AAONW
AAOUF
AAXRX
AAYCA
AAZKR
ABCUV
ABPVW
ABSOO
ACAHQ
ACBKW
ACCFJ
ACCZN
ACGFS
ACPOU
ACRPL
ACXQS
ACYXJ
ADBBV
ADEMA
ADEOM
ADIZJ
ADKYN
ADMGS
ADNMO
ADXAS
ADZMN
AEEZP
AEIGN
AEIMD
AEQDE
AEUQT
AEUYR
AFBPY
AFFPM
AFGKR
AFKFF
AFPWT
AFWVQ
AFYRF
AFZJQ
AHBTC
AIFKG
AIURR
AIWBW
AJBDE
ALMA_UNASSIGNED_HOLDINGS
ALUQN
ALVPJ
AMBMR
AMYDB
ASPBG
ASTYK
AZBYB
AZVAB
BAFTC
BDRZF
BFHJK
BMXJE
BNVMJ
BQESF
BRXPI
CKPZI
DCZOG
DPXWK
DRFUL
DRSSH
EBS
EJD
FEDTE
G-S
G50
GODZA
H13
HGLYW
HVGLF
HZ~
LATKE
LEEKS
LG7
LITHE
LOXES
LUTES
LYRES
MEWTI
MRFUL
MRSSH
MSFUL
MSSSH
MXFUL
MXSSH
N04
N06
NF~
O66
O9-
P2W
Q.N
QB0
R.K
ROL
SUPJJ
T2Y
TKY
WBKPD
WIH
WII
WMRSR
WOHZO
WSUWO
WXSBR
ZZTAW
~WP
ID FETCH-LOGICAL-c3275-c27a84b1389a5e635b8c7ec49f31c414cc1e1f1d271c2a6399a606aa86689d5c3
IEDL.DBID 24P
ISSN 1944-2866
IngestDate Wed Jan 22 16:30:15 EST 2025
IsDoiOpenAccess true
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue 2
Language English
License Attribution
LinkModel DirectLink
MergedId FETCHMERGED-LOGICAL-c3275-c27a84b1389a5e635b8c7ec49f31c414cc1e1f1d271c2a6399a606aa86689d5c3
ORCID 0000-0002-4331-7863
OpenAccessLink https://onlinelibrary.wiley.com/doi/abs/10.1002%2Fpoi3.255
PageCount 0
ParticipantIDs wiley_primary_10_1002_poi3_255_POI3255
PublicationCentury 2000
PublicationDate June 2021
PublicationDateYYYYMMDD 2021-06-01
PublicationDate_xml – month: 06
  year: 2021
  text: June 2021
PublicationDecade 2020
PublicationTitle Policy and internet
PublicationYear 2021
References 2015; 5
2019; 15
2009
2019; 17
1995
2006; 3
2018; 26
2018; 25
2020; 5
2018; 8
2018; 4
2019c
2013; 13
2020
2019b
2019a
2018; 376
2019
2018
2017
2016
2018; 51
2013
2012; 6
2007; 1
2017; 149
References_xml – year: 2009
– volume: 13
  start-page: 190
  issue: 2
  year: 2013
  end-page: 197
  article-title: ‘Unsatisfactory saturation’: A critical exploration of the notion of saturated sample sizes
  publication-title: Qualitative Research
– volume: 4
  issue: 1
  year: 2018
  article-title: “Participant” perceptions of Twitter research ethics
  publication-title: Social Media+Society
– volume: 25
  start-page: 1
  issue: 1
  year: 2018
  end-page: 106
  article-title: Blockchain demystified: A technical and legal introduction to distributed and centralized ledgers
  publication-title: Richmond Journal of Law and Technology
– volume: 8
  start-page: 105
  issue: 2
  year: 2018
  end-page: 123
  article-title: When data protection by design and data subject rights clash
  publication-title: International Data Privacy Law
– year: 2019c
– volume: 5
  start-page: 205
  issue: 3
  year: 2015
  end-page: 216
  article-title: Principles‐based regulation of personal data: The case of ‘fair processing’
  publication-title: International Data Privacy Law
– year: 2019a
– volume: 1
  start-page: 191
  issue: 3
  year: 2007
  end-page: 206
  article-title: Making a success of principles‐based regulation
  publication-title: Law and Financial Markets Review
– year: 2016
– volume: 5
  start-page: 65
  issue: 1
  year: 2020
  end-page: 93
  article-title: What lies beneath: Transparency in online service supply chains
  publication-title: Journal of Cyber Policy
– year: 2018
– volume: 17
  start-page: 21
  issue: 6
  year: 2019
  end-page: 30
  article-title: The security implications of data subject rights
  publication-title: IEEE Security & Privacy
– volume: 3
  start-page: 77
  issue: 2
  year: 2006
  end-page: 101
  article-title: Using thematic analysis in psychology
  publication-title: Qualitative Research in Psychology
– volume: 6
  start-page: 116
  issue: 2
  year: 2012
  end-page: 132
  article-title: All the right moves: How entrepreneurial firms compete effectively
  publication-title: Strategic Entrepreneurship Journal
– volume: 376
  start-page: 1
  issue: 2133
  year: 2018
  end-page: 15
  article-title: Algorithms that remember: Model inversion attacks and data protection law
  publication-title: Philosophical Transactions of the Royal Society A: Mathematical Physical and Engineering Sciences
– volume: 25
  start-page: 1
  issue: 1
  year: 2018
  end-page: 109
  article-title: GDPR: The end of Google and Facebook or a new paradigm in data privacy?
  publication-title: Richmond Journal of Law and Technology
– volume: 15
  start-page: 187
  issue: 3
  year: 2019
  end-page: 201
  article-title: Automating dynamic consent decisions for the processing of social media data in health research
  publication-title: Journal of Empirical Research on Human Research Ethics
– year: 2020
– volume: 149
  start-page: 21
  year: 2017
  end-page: 23
  article-title: ‘European’ data privacy standards implemented in laws outside Europe
  publication-title: Privacy Laws & Business International Report
– year: 1995
– year: 2017
– year: 2019b
– volume: 51
  start-page: 56
  issue: 8
  year: 2018
  end-page: 59
  article-title: User data privacy: Facebook, Cambridge Analytica, and privacy protection
  publication-title: Computer
– year: 2019
– volume: 26
  start-page: 1
  issue: 1
  year: 2018
  end-page: 15
  article-title: GDPR compliance in Norwegian companies
  publication-title: Proceedings from the Annual NOKOBIT Conference, Svalbard, Norway
– year: 2013
SSID ssj0068342
Score 2.2729757
Snippet Though discussions of data protection have focused on the larger, more established organisations, startups also warrant attention. This is particularly so for...
SourceID wiley
SourceType Publisher
StartPage 278
SubjectTerms compliance
data protection
data subject rights
emerging technology
General Data Protection Regulation (GDPR)
privacy by design
supervisory authorities
tech‐startups
Title Data protection and tech startups: The need for attention, support, and scrutiny
URI https://onlinelibrary.wiley.com/doi/abs/10.1002%2Fpoi3.255
Volume 13
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
link http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV07T8MwELagLCyIp6A85AF1qil-Jc6IgKogAR2o1C3yU2JJqzYd-u97dtIiNqYs9uD74rvP57vPCN0zqQP1zJFCFxkRNhTEZLkjTlEvmKV5lhL6H5_ZaCLep3LaVlXGXphGH2KXcIs7I_nruMG1WQ5-RUPnsx_-AIR4Hx3QGPSjqrMYb71wpnh6OAfO6IIwlWVb4dlHNtjO_MtHU0AZHqOjlgnipwa6E7Tnq1PU3TWQ4B5uWmdxo-SxPkPjF11r3CorgD2xrhyOIqwYKN6iXsHSMMCOK4hIGMgojtqZqZqxj5ereWTa_TQHXAX8b9X6HE2Gr9_PI9K-iEAsZ7kkluVaCRMvF7X0wBWMsrm3ogicWkGFtdTTQB3LqWU6kg8NBxStYf2qcNLyC9SpZpW_RJhrgInK4KQ0IjgVscwLaYM30hWUX6FeMk45b1QvykbfmJXReiVYrxx_vXH4dv878BodslgQklIYN6hTL1b-FiJ6be4SdBt_WJ3q
linkProvider Wiley-Blackwell
linkToHtml http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjV1LTwIxEG4QD3oxPqP46sFwokKfuxtPRiWggBwg4bbptt3Ey0JwOfDvnXYB481TL-2h87UzX6edrwg9MKlz6pgliU4UESZPSKYiS2xMnWCGRiok9Icj1ZuK95mc1dDTtham0ofYJdz8zgj-2m9wn5Bu_6qGLuZf_BEY8R7aF4p1_JJmYrx1wyrm4eccOKQLwmKltsqzHdbejvxLSENE6R6jow0VxM8Vdieo5opT1NhVkOAmrmpncSXlsT5D41ddaryRVgCDYl1Y7FVYMXC8ZbmCuWHAHRcQkjCwUezFM8Nzxhb-Xi081W6FMeArYMEV63M07b5NXnpk8yUCMZxFkhgW6Vhk_nZRSwdkIYtN5IxIck6NoMIY6mhOLYuoYdqzDw0nFK1h_nFipeEXqF7MC3eJMNeAE5W5lTITuY09mFEiTe4yaRPKr1AzGCddVLIXaSVwzFJvvRSsl44_-xzaxn873qOD3mQ4SAf90cc1OmT-dUjIZ9ygerlcuVsI72V2F2D8ASLtoVk
linkToPdf http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwjZ07T8MwEMctKBJiQTwF5eUBdaopfuUxIkrV8igZqNQtcvyQWNKopEO_PWcnBbExZYkH38V3fzt3PyN0y6Ry1DJDUpVGRGiXkiKKDTEJtYJpGkfhQP9tGo1n4nku521Vpe-FafgQPwdufmWEeO0XeGXc4BcaWi0--R0I4m20IzyxxVOdRbaJwlHCw8U5sEcXhCVRtAHP3rPBZuRfPRoSyugA7bdKED80rjtEW7Y8Qt2fBhLcw03rLG5IHutjlA1VrXBLVgB7YlUa7CGsGCTesl7B1DC4HZeQkTCIUezZmaGasY-_VpVX2v0wBkIFfG_l-gTNRk8fj2PS3ohANGexJJrFKhGF_7mopAWtUCQ6tlqkjlMtqNCaWuqoYTHVTHnxoWCDohTMP0mN1PwUdcpFac8Q5grcRKUzUhbCmcT7Mk6ldraQJqX8HPWCcfKqoV7kDd-Y5d56OVgvz94nHJ7d_754g3az4Sh_nUxfLtAe87Uh4TTjEnXq5cpeQXKvi-vgxW-F8KCL
openUrl ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Data+protection+and+tech+startups%3A+The+need+for+attention%2C+support%2C+and+scrutiny&rft.jtitle=Policy+and+internet&rft.au=Norval%2C+Chris&rft.au=Janssen%2C+Heleen&rft.au=Cobbe%2C+Jennifer&rft.au=Singh%2C+Jatinder&rft.date=2021-06-01&rft.issn=1944-2866&rft.eissn=1944-2866&rft.volume=13&rft.issue=2&rft.spage=278&rft.epage=299&rft_id=info:doi/10.1002%2Fpoi3.255&rft.externalDBID=10.1002%252Fpoi3.255&rft.externalDocID=POI3255
thumbnail_l http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1944-2866&client=summon
thumbnail_m http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1944-2866&client=summon
thumbnail_s http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1944-2866&client=summon