Regulatory requirements around data sovereignty and localization are a moving target for multinationals. With more than 80 countries implementing data sovereignty laws of varying degree of stringency over the past decade, the market for solutions is growing fast.
Russia, for example, has required companies since 2014 to store data on its citizens inside the country and has clashed with several large American tech firmsOpens a new window including Facebook and Twitter over the issue. Separately, a Russian court banned LinkedIn from operating there in 2016 because it stored Russians’ data outside the country.
The General Data Protection Regulation, a European Union law designed to protect individual privacy and data, has shaken up the ways companies store personal informationOpens a new window on the continent. Google even moved its European base to Ireland from the United States to comply with the law.
EU regulators handed down multimillion-dollar fines to British Airways and Marriott hotels over their failure to protect customer information from hackers in accordance with the law.
In the United States, a stringent privacy law, the California Consumer Privacy Act, goes into effect in January 2020. At least 24 other states have enacted various data privacy laws.
Few Getting Ready for 2020
A survey by Trust ArcOpens a new window , a privacy law expert, suggested that 88% of American companies are unprepared for the California privacy law while 44% of those surveyed had not even started to implement the necessary changes.
The California law will have a national impact because it mandates technology companies based there to impose strict safeguards on consumer privacy and prevents the companies from selling personal data to advertisers, a major source of Silicon Valley’s revenues.
“Companies that took the steps to comply with (the European privacy law) are already ahead of the game and will have an easier path to meet the requirements (of the California statute),†said Chris Babel, chief executive of Trust Arc. The companies that did not work on complying with the California law will be under the gun to implement compliance by the 2020 deadline, he added.
Money Flowing In
Investors are taking note. Just over a week ago, Atlanta-based data protection start-up One Trust raised $200 millionOpens a new window in series A funding to gather customers in the wake of the new laws.
Other recent fund-raisers for data protection companies include San Francisco-based Trust Arc, which raised $70 million; Privitar pulled $40 million; and Big ID last year secured $30 million.
An example of the quickening velocity of interest is InCountry, a two-month-old start-up that provides a platform to help companies comply with the global patchwork of privacy and data protection laws. The San-Francisco-based company has raised $15 million in a series A funding round.
The firm emerged from stealth in May with $7 million in seed fundingOpens a new window  and already operates in 65 countries, uses software and local legal experts to help companies working in multiple countries comply with laws for storing, processing and regulating customer data.
“Companies are struggling to comply with (the European law) and as more laws are being written every week, it has led to business-ending consequences for infractions,†says Peter Yared, the firm’s founder and chief executive.
InCountry provides a comprehensive compliance platform using sophisticated software combined with on-the-ground legal support to manage risk at every level, says Yared, who has founded and sold six software companies.
InCountryOpens a new window plans to use its latest investment to open regional offices in Singapore, Berlin and Abu Dhabi. It will also roll out a new product called InCountry Border, with encryption and data handling capabilities to help a client comply with a particular country’s regulations.
The new product will complement an existing service called InCountry Profile, which large corporations use to comply with regional data laws.