Supervisory authorities may not pay attention, but how can a startup get investments if the scale of risk reaches millions of euros?

Siarhei Varankevich, a corporate trainer and GDPR consultant, founder Data Privacy Office, presented the key GDPR risk factors for a startup during the 12th A-Hub for Startup meetup (a collaboration project of AngelsBAND and Alfa-bank).



Personal data is commonly named a new oil or 21st century uranium in order to emphasise the importance. All the headlines confirmed it by talking about privacy's influence on startups and big businesses. Julia Nekhay, Meetup moderator and Project Manager, noted at the very beginning of the conversation that the Data Protection Regulations cover an immeasurable number of aspects of a startup's “life”. 

As an experienced trainer, Siarhei has started the presentation with a little story about how the word privacy was appeared:

«Privacy is a response to the violation. As soon as new technologies emerge, the strictness of regulation increases. So, privacy originated with Kodak Instant Photography», - told us Siarhei.

Besides, GDPR is the first law that has stimulated businesses to deal with personal data questions.

«Before GDPR, even European companies considered it economically advantageous to pay fines rather than comply with all requirements. Nevertheless from 2018 attitudes according to privacy have changed utterly. The whole reason turned out to be the fines, which can reach up to 20 million euros», - pointed out the speaker. 

Does this apply to startups? Of course, it does. It's not a new fact that the supervisory authorities will get to it, but will an investor invest his money if the scale of the risk seems as millions of euros or more?

«Conventionally, if Google buys you, the risks are not even millions, but 4% of annual profits, which is about 3 billion 700 million euros», — Siarhei clarified.


In addition, the speaker tried to dispel the myth that only well-known companies can be fined. You only need to follow the link, where all fines related to GDPR are accumulated. Afterwards, you will see that even individual entrepreneurs are on the list.

Although GDPR is not a law that tells you how and what technical measures to take. GDPR is about conduct the risk factors by yourself and defining a work plan and a list of measures to follow: «Keep in mind that when the supervisory authority comes to you, it's not enough just to provide proof you've done the rules right. You will also have to prove that the company is compliant with the requirements not only within papers», — pointed out Siarhei. 


As well we didn’t forget about practical recommendations. 


  1. You don't have to add consent everywhere, because you may be fined for extra. At first it’s better to weigh up if one of the other six grounds fits. 
  2. GDPR prohibits processing medical data, political opinions. Or rather, it can only be done in special cases.


In the end of the meetup, Siarhei compares personal data with a toxic substance that must be gotten rid of as quickly as possible.

The course is loading, wait a few seconds