Whether or not your business is required to comply with GDPR (see our Article GDPR FAQ for MEA SMEs), VCs and investors will be considering the following questions when evaluating your startup:
How does GDPR affect the viability of the model?
Aside from the level of GDPR compliance in your business, investors will want to understand whether the impact of GDPR on customer behaviour will affect the viability of your model. Does your model rely on collecting data by offering a free service with a view to monetising that data through advertising or sale? This will be more difficult now as individuals have more control over how their personal data is shared. However, other previously less attractive startups may deserve a second look (e.g. a subscription-based model which would have lost out to competitors with a free but ad revenue-driven offering).
How will growth be impacted?
The business development strategy a startup is using, or will use, may not be viable now that GDPR is in effect. Startups and investors may need to lower their expectations of the growth potential for a business.
Does your model rely heavily on aggressive marketing techniques? You’ll need to gain express consent to use personal data to send marketing material to your potential customers. Someone on your mailing list can revoke their consent at any time and you must delete their personal data upon request. Purchasing and using third-party marketing databases will become less efficient and come with more risk.
Using more sophisticated marketing methods will require more money and have an impact on valuation. Similarly, the additional obligations and potential liability under GDPR will also impose additional costs (both financial and the allocation of resources away from core functions) on businesses.
Is data an asset or a liability in this business?
In the recent past, data was often viewed as an asset but the compliance obligations and potential liability under GDPR mean that it may now be seen as a liability. Investors will be looking to see whether your startup fully understands GDPR and has taken all necessary steps to comply with its provisions or what level of voluntary compliance you have achieved if GDPR is not applicable to your business. They will need comfort that there are no gaps in your data security measures and that your employees are all aware of their responsibilities around personal data.
Is GDPR compliance a competitive advantage for this business?
Complying with GDPR may be a selling point and provide a strategic opportunity, particularly if you have opted for compliance when it is not mandatory for your business. A startup which respects personal data and is therefore trusted by its customers and partners has the potential to be given more personal information. Investors will recognise the value of being entrusted with that information.