Data privacy start-up Ethyca raises $4.2m seed round

Data privacy start-up Ethyca raises $4.2m seed round

July 25, 2019 – Data privacy start-up Ethyca announced that it had just closed its latest funding round, raising $4.2m.

The New York-based company was set up by Irish engineer Cillian Kieran, who previously founded BrandCommerce and digital consultancy firm CKSK.

The funding round was led by IA Ventures and Founder Collective, with Table Management and Sinai Ventures also participating. Cheddar’s Jon Steinberg and Moat co-founder Jonah Goodhart also contributed to the fund.

Ethyca will use this round of funding to build out its team and product. Director of MIT’s Internet Policy Research Initiative, Daniel Weitzner, will also join the company as an adviser.

The data privacy start-up provides developers and product teams with infrastructure to ensure consumer privacy throughout applications and services design.

It claims to act as an alternative to the existing privacy solutions, which the start-up labels as “retroactive band-aids that do not solve the root problem”.

TechCrunch broke down exactly how Ethyca works: “[It] helps companies discover sensitive data, then provides a mechanism for customers to see, edit or delete their data from the system. Finally, the solution enables companies to define who can see particular types of data across the organisation to control access. All of these components are designed to help companies comply with GDPR regulations.”

Kieran told TechCrunch that users do not need to be concerned about a third party accessing this data, as Ethyca never actually sees the raw data. “We are a suite of tools that sits between business processes. We don’t capture raw data. We don’t see personal information,” he said.



Ethyca announces world first self-service privacy products

Ethyca announces world first self-service privacy products

May 19, 2020, New York – Ethyca, a New York-based startup, today announced the launch of self-service privacy products, a world first. Teams will be able to start complying with privacy laws in minutes.

Ethyca also announced that businesses can begin using its self-service product for free, enabling automated privacy compliance for a companies across a range of life cycle, from startup to enterprise. Ethyca will now allow businesses of all sizes to implement comprehensive privacy management within a few clicks and without a lengthy onboarding process. 

Ethyca can confirm that their premium product, Ethyca Pro+, is now being used by multiple major direct-to-consumer brands. Companies everywhere are under greater pressure to comply with new privacy regulations such as California’s CCPA, with its enforcement confirmed to begin in July, in spite of the Coronavirus-related challenges facing businesses today.

Cillian Kieran, CEO and co-founder of Ethyca, emphasized the pressing need for companies to get privacy right:

“Right now companies are concerned with applying a ‘band aid’ for the likes of GDPR and CCPA to avoid risk of fines, but are not thinking holistically about what our industry is facing. Not only is it necessary to comply with the increasingly complex web of privacy regulations globally, but it’s more and more important to consumers that the services they use respect and manage their data ethically. Companies must seize the chance to gain competitive advantage here and differentiate themselves – those who take a transparent and considerate approach towards user data will be rewarded when consumers vote with their feet.”



The Deep Privacy Challenge of Doing DPIAs Well

The Deep Privacy Challenge of Doing DPIAs Well


Data Protection Impact Assessments are the sleeping giants that lie deep in the GDPR. Doing DPIAs well requires organizations to commit to responsible data management at a deep, deep level. That’s one of the reasons why they are so challenging.

DPIAs: Why Do They Get Overlooked?

If one were to poll a sample of business, technical, and marketing professionals on “GDPR provisions that keep you up at night,” it’s likely DPIA’s wouldn’t make the top three. There are flashier aspects of GDPR. Consent management. Right-to-object. Data Subject Requests. Since these are the elements most frequently in the headlines, they tend to take up the most space on a business’s priority list.

But DPIA’s represent the biggest challenge to most businesses in their present state. And for that reason, establishing a DPIA process that adheres to the GDPR guidelines is a key indicator that a business is making a deep, meaningful commitment to data privacy.

How Does A DPIA Work, Exactly?

For the uninitiated, here are the basics of a DPIA. It’s intended to let a business analyze and minimize the privacy risk from a processing activity. Under GDPR, businesses conduct a DPIA when undertaking a range of data processing activities, from monitoring public places to using innovative technologies to using biometric data. You can read more about the circumstances in which a DPIA is legally required here.

The Assessment itself is a multi-step process that involves coordination across a number of teams. The ICO describes the following nine steps as essential:

  • Identify the need for a DPIA
  • Describe the processing
  • Consider consultation (with your Data Protection Officer or relevant authorities)
  • Assess necessity and proportionality
  • Identify and assess risks
  • Identify measures to minimize risk
  • Sign off and record outcomes
  • Integrate outcomes into plan
  • Keep under review.


Why DPIAs Are Such A Deep Challenge

The purpose of this article isn’t to walk through the step-by-step of how a DPIA exercise should be conducted. The ICO has already published an excellent one of those here. Rather, it’s to point out what a challenge this poses for most businesses in their present state. Put simply, if most businesses did DPIA’s the way they’re supposed to, it would result in a productivity nightmare.

Within a modern large business, there could be hundreds of processing activities every year. Under GDPR many will require a DPIA. But the vast majority of businesses lack the processes or technology to perform them quickly; they are handled entirely manually. The result is not pretty. Members of the dev team emailing the legal department to set up a meeting where they present a proposed activity and, together, fill in half of a DPIA template form. Then a question comes up. The legal team consults with enforcement authorities for clarity, and the response takes a week to arrive. Meanwhile, developers are bottlenecked as they’re unsure whether they can proceed until getting clearance from legal. And the marketing team awaiting delivery of their snazzy new retargeting tool is frustrated. Multiply this scenario by a hundred cases a year, and the efficiency costs that a DPIA represents to many organizations becomes clear.

Conclusion: Is “Managed Risk” Actually Manageable?

Given this, it’s not surprising that many businesses opt to take a “managed-risk” view of DPIA’s. Perhaps that represents the best of a bad bunch of options. With a fully manual process, the efficiency cost of compliance can look disastrously high.

But enforcement around GDPR is picking up. What’s more, consumers are beginning to expect higher standards of privacy practice. As time passes, the cost of DPIA non-compliance will rise steeply. And businesses that decide they can’t afford deep privacy measures today may find the long-run cost of their inaction significantly higher.