C5 Portfolio Company IronNet figuring in Top Early-Stage Cybersecurity Rounds Of 2018

Top Early-Stage Cybersecurity Rounds Of 2018 (So Far)

It’s been nearly a year since Crunchbase News reported that investors are eager to fund cybsersecurity startups. In the story, Menlo Ventures’ Venky Ganesan shared with Mary Ann Azevedo his outlook on the industry:

“If there’s a recession-proof idea that’s not cyclical, it’s cybersecurity,” he told Crunchbase News. “In essence, everything in our lives is going from analog to digital. When that happens the most important thing becomes protecting digital assets, and all these people trying to hack into companies and governments’ accounts are creating demand for cybersecurity products.”

In looking at the cybersecurity space in 2018, this analysis still rings true. With Facebook, TaskRabbit, and Equifax suffering from data breaches of their own, cybersecurity is still a critical concern at the government, company, and individual level.

That may mean good news for security startups. Carbon Black went public in its own so-far successful IPO back in May. And according to Crunchbase, more than 25 early-stage, U.S.-based cybersecurity-adjacent startups have raised at least $10 million so far this year.

Here is a brief list of early-stage startups that have raised the biggest venture rounds halfway through 2018.

NSA Attitude, SV Capital

At the top of our list is Maryland-based IronNet Cybersecurity. The company raised a $78 million Series B led by C5 Capital in May 2018, the largest raise reported by an early-stage U.S. cybersecurity-focused startup. Other investors in the round included ForgePoint Capital and Kleiner Perkins.

The company gathers data and uses its technology to characterize normal behavior and detect abnormalities, prioritizes threat detections, and supply analysts with information to prevent advanced attacks. IronNet, according to its website, provides services to companies in energy, financial services, healthcare, government, and manufacturing.

IronNet was founded (appropriately) by former director of the United States National Security Agency (NSA) General Keith Alexander in 2014. It has raised a known total of $110.5 million.

Alexa Poses A Threat

A second startup, Armis Security, raised a $30 million Series B in April to bring security to Internet of Things (IoT) devices. Armis is backed by Sequoia, Bain Capital, Tenaya Capital, and others. It has raised a known total of $47 million since it was founded in 2015.

The San Francisco and Israel-based company aims to use its security technology to protect businesses from hacking through connected smart devices, including laptops and phones, as well as TVs, webcams and other devices. Its technology monitors and scans devices that connect to an organization’s network, detecting malware and disabling threats. The company’s platform also integrates with analytics services, allowing companies to view more comprehensive cybersecurity data and manage connected devices.

Armis’s efforts shed light on vulnerabilities arising from our dependence on devices as seemingly harmless as webcams, phones, and even smart speakers. For VCs and entrepreneurs, it is also a convenient opportunity to cash in.

Organization Name Headquarters Location Description Last Funding Amount
IronNet Cybersecurity Fulton, Maryland, United States IronNet Cybersecurity is a network security company that bridges gap between traditional cybersecurity approaches and evolving threat. $78M
Claroty New York, New York, United States Claroty is a cybersecurity software company focused on protecting industrial control networks (ICS – A.K.A OT or Operational Technology) $60M
Signal Foundation San Francisco, California, United States Signal is an encrypted communications application for Android and iOS that focuses on advancing secure communications. $50M
Saviynt Los Angeles, California, United States Learn more about Cloud Access Governance and Intelligence $40M
Virtru Washington, District of Columbia, United States Virtru is a data security company that eliminates the trade-off between data protection and ease of use. $37.5M
Orchid Labs San Francisco, California, United States Orchid Labs is an open-source project committed to ending surveillance and censorship on the internet. $36.1M
Armis Security Palo Alto, California, United States Armis Security is an agentless IoT security solution that lets enterprises see and control any device or network. $30M
Valimail San Francisco, California, United States Valimail authenticates legitimate email and blocks phishing attacks. $25M
StackRox Mountain View, California, United States StackRox offers a security platform using instrumentation and sophisticated machine learning to protect the agile enterprise. $25M
Virsec San Jose, California, United States Virsec is a cybersecurity company delivering a radically new approach to protect enterprises from advanced attacks $24M

C5 Portfolio Company Omada is Acknowledged in Gartner Report

Omada Acknowledged by Gartner in 2018 Critical Capabilities for Identity Governance and Administration

Omada, the European leader in identity and access management software, is acknowledged in the annual Critical Capabilities for Identity Governance and Administration report from Gartner, Inc., the leading provider of research and analysis on the global information technology industry, with the third highest score in two out of four use cases.

Copenhagen, June 2018

Omada is positioned third highest in the Global Enterprise and Governance-Focused use cases and was the fifth highest score in the Automation-Focused use case.

In the report, Gartner notes “Security and risk management leaders responsible for identity and access management should: Determine which IGA capabilities and application integrations are most valuable to the organization, while assessing the deployment risks associated with these elements. Create a roadmap for IGA deployment that prioritizes the high-value, low-risk elements, saving higher-risk elements for later phases — for most organizations, governance-oriented capabilities provide the most value, with less deployment risk than provisioning. Treat IGA deployment as a broadly scoped business process re-engineering project, not merely a technology project. IGA should be approached as a platform for adopting best practices and redesigning processes for the management of user access.”

“We see our positioning in the Global Enterprise use case as a result of our solution’s flexible configurability, in combination with strong out of the box features, which addresses a wide range of use cases,” says Omada CEO Morten Boel Sigurdsson. “Our standardized process framework gathers our many best practices into a user-friendly package, providing the foundation for an efficient and easy to accelerate IAM project. We experience an increasing demand for identity and access management to support organizations’ cloud first strategies, where security, compliance, and efficiency becomes even more vital, as well as increasing demand for identity and access management delivered as-a-service, whereby our full enterprise grade solution is filling an important need in the market. Our rapid growth and partnerships with the likes of Microsoft and Deloitte, enable us to offer our product across various delivery models, thereby meeting the demands of the modern organization”.

Omada Identity Suite

Omada Identity Suite provides a strong set of governance and administration features for identity and access management that includes automation of the entire identity lifecycle process, access request processes, policy management, and access recertification among others, delivered on-premises or as-as-service.

The integrated solution for identity management and access governance delivers advanced out-of-the-box functionality for auditing, reporting, and compliance dashboards, as well as built-in standard processes to accelerate deployment and time-to-value.

*Gartner, Critical Capabilities for Identity Governance and Administration, Felix Gaehtgens, Brian Iverson, Kevin Kampman, 5 June 2018.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Omada

Since 2000 Omada has enabled organizations across the world to manage and control business processes around users’ access rights to systems and applications, helping customers to manage identity risks, protecting people and assets, as well as maximizing efficiency and achieving sustainable compliance. Customers select Omada because of our proven technology, flexible platform, and ability to execute.

The solution has multiple editions with different sets of functionalities and our customers are predominantly within banking and finance, life sciences, healthcare, public, telco, manufacturing, retail, and utilities.

Headquartered in Denmark, Omada has offices across Europe and North America.

Access the report

Download the full Gartner report here.


C5 Welcomes 10 Startups to Peacetech Accelerator Cohort 4

WASHINGTON, D.C.–(Business Wire)–C5, the investment specialist firm investing into cybersecurity, artificial intelligence and cloud, announces today that ten startups have entered its PeaceTech Accelerator in Washington, D.C. The Accelerator is housed at the iconic United States Institute of Peace building on the National Mall.

In collaboration with Amazon Web Services, PeaceTech Lab and SAP NS2, C5 established the world’s first Peacetech Accelerator to scale startups on the cloud and solve problems relating to peace, stability and security worldwide. Startups are supported by a highly-experienced group of prominent international technology entrepreneurs, business leaders, investors and peace innovators.

The fourth cohort comprises impact entrepreneurs from Lagos, Nairobi, Buenos Aires, New York, San Francisco and Washington, D.C. working across data analytics, fintech, cybersecurity, IoT, and AI verticals.

Ron Moultrie, Chairman of C5, U.S., said, “It has been a pleasure working with peace technology entrepreneurs over the past 3 cohorts and the incoming cohort holds immense promise. We believe some of the most imminent national security problems can be solved through the innovative minds of entrepreneurs.”

Eva-Maria Dimitriadis, COO of C5 Accelerate, said, “We’ve graduated 18 startups at the PeaceTech Accelerator since launching in April 2017. After another competitive round of applications, we are thrilled to welcome ten more impact ventures to the program. These entrepreneurs are tackling large-scale issues around the UN Sustainable Development Goals and are on a mission to create a more sustainable future.”

Further details of the cohort companies are available below.

Cohort 4 runs from June 4 – July 27 and the next program will begin in September. Applications to the PeaceTech Accelerator can be found here.


Cohort 4 Companies:

  • 3DS Technologies (Kenya): Africa’s premier technology, software and services company specializing in digitization of documents, database management, data fusion and data analysis for enterprises.
  • Agromovil (U.S.): An app-enabled B2B solution combing on-demand transport and mobile payments to get more crops to market across the developing world.
  • DropQue (Nigeria): Africa’s first interactive and intelligent talent application which uses crisp candidate profiles, unassisted video interviews and emotional/facial analysis to help companies find talent faster than ever.
  • HighSide (U.S.): Securing internal team communications and file sharing layers to reduce business risk.
  • Neuralys (U.S.): Empowers teams to manage cybersecurity effortlessly by enforcing accountability, orchestrating security tools and creating mitigation strategies.
  • Pinkaloo (U.S.): Modernizing charitable giving through a white-label Venmo for managing donations.
  • Sou Sou (U.S.): A customer relationship management (CRM) platform for the financial industry to help people save more, build strong credit and attract loans.
  • Suavei (U.S.): Formed by a team of seasoned cybersecurity experts that believe securing the growing army of IoT devices is both feasible and an imperative to prevent massive socio-economic losses.
  • TaQadam (U.S.): Making visual data AI ready by providing image data management and annotation-as-a-service.
  • Video Volunteers (U.S./India): Empowering citizen journalists to make a real change.

About C5

C5 Capital Limited (“C5”) is a family capital-backed technology investment firm focused on innovating security. C5 is a specialist investor in cyber security, cloud computing and artificial intelligence. Headquartered in London, C5 also has offices in Washington, Munich, Luxembourg and Bahrain.

C5 Accelerate has launched two Accelerator programs alongside Amazon Web Services in Bahrain and Washington, D.C. Its mission is to accelerate and invest in best-of-breed startups to meet the growth opportunity being created by the geographic expansion of AWS, the world’s leading cloud computing platform. www.c5accelerate.com

Twitter: @c5accelerate

Instagram: c5.accelerate

Facebook: C5Accelerate

View source version on businesswire.com: https://www.businesswire.com/news/home/20180605005994/en/

Dimitra Hatzudis
John Merva and Emily Jones


ITC Secure announces launch of ITC Global Advisors

Former SBD Advisors to rename following acquisition by ITC Secure in April 2018

Washington D.C., 1st June 2018: ITC Secure (ITC), the assured IT, cyber advisory and managed security service provider (MSSP) and C5 portfolio company has announced that SBD Advisors (SBD), the Washington D.C.-based strategic advisory firm, will be renamed ITC Global Advisors. The new name follows the April 2018 acquisition of SBD by ITC.

Admiral Mike Mullen will remain Chairman throughout the renaming, which will serve to further the integration of the former SBD Advisors into ITC’s advisory practice alongside the G3 Cyber Consulting team, which ITC also acquired in January 2018. Admiral Mullen has been in this role since the inception of the Company in 2013.

Additionally, William ‘Chip’ Colbert has been appointed managing director of the new ITC Global Advisors and will work closely with Admiral Mike Mullen and ITC in the direction of both the new company and the ITC advisory practice as a whole. He will also develop and launch new cyber advisory services to customers in the US, UK and Europe, building on existing expertise in serving fast-growing technology companies to improve clients’ ability to anticipate and manage cyber incidents.

Admiral Mike Mullen, Chairman, ITC Global Advisors said, “Being a part of the ITC and C5 family is very important to us and this renaming is a key step in further integration into the Group. The ITC brand is synonymous with high quality, cutting-edge holistic consultancy and solutions-based offerings, which complement our services perfectly. Today marks the beginning of a whole new chapter for us, completing the journey that we began in January, 2017 when founder Sally Donnelly left what was then named SBD Advisors and returned to government service. William ‘Chip’ Colbert will be a strong managing director and I’m looking forward to seeing where he and ITC take us in the coming years.”

William Kilmer, Executive Chairman, ITC Secure said, “Our acquisitions in 2018 have been key steps in further solidifying the ITC brand, not only in our home territories, but globally. Further aligning the brand identities of these new, welcome additions to ITC is central to our philosophy of growing together as one unit and we’re very pleased to once again welcome the new ITC Global Advisors into the fold as the US representatives of ITC.”


About ITC Global Advisors

ITC Global Advisors is a strategic advisory firm that specializes in connecting private sector innovation with national security challenges. Headquartered in Washington DC, SBD utilizes a global network of senior advisors and experts to give its clients unparalleled access to the insight and experience of former government officials and corporate leaders.

Innovation and risk continue to outpace the law and regulation.

This article is a good summary of the challenges for cyber security law in the US market in 2018.

The year ahead in cybersecurity law

By , Contributor, CSO 

Major legal cases and proposed state and federal legislation this year will shape how companies respond to and attempt to mitigate cybersecurity and data privacy risks.

These cases and bills highlight the fact that the patchwork of old laws and regulations – across the United States and across every industry – are having a difficult time keeping up with rapidly developing technology, particularly when they have to balance privacy rights with law enforcement needs. This year, some of the biggest issues to watch will be data disclosures to law enforcement, civil liability for data breaches, and board-level responsibility for data security.

The proper balance with data disclosures

Already, technology, media and telecommunications companies that store personal information receive a large number of law enforcement requests to disclose individuals’ information every year. The question of the proper boundaries for an individual’s expectation of privacy in the digital age versus the burden of proof necessary by law enforcement before requesting personal data has been a contentious issue. Two cases before the Supreme Court may shed new light and provide practical guidance for companies.

The first case, Carpenter v. United States, will be another milestone in the evolving debate over whether existing Constitutional jurisprudence is sufficient or whether new law is needed to address this technology-induced tension. One of the main issues in this case is what burden of proof police need to obtain personal data from companies.

As background on the case, a 1979 Supreme Court case gave some structure to the process required under the Fourth Amendment for law enforcement to compel third parties to disclose information they possessed about an individual. At that time, these third parties would have included the likes of banks (with account information and transaction dates and amounts) and telephone companies (with the numbers dialed or phone numbers from which an individual received calls at what dates and times).

Under the Fourth Amendment, when an individual was willingly give her personal information to these third parties – such as by dialing a phone number and having it routed through a telecommunications company – the individual relinquished privacy rights to it (because individuals do not control what telecommunications operators do with that information). Law enforcement could obtain an individual’s information from the third party without asking the user through a legal process that is less rigorous than a search warrant, which requires approval from a magistrate judge. Under the Stored Communications Act of 1986, law enforcement could obtain such data by affirming that the information would be relevant or material to an ongoing case.

In the new digital era, third parties hold an exponentially larger amount of personal information relating to their users, from search engine data to geo-locating functions in smart phones or connected cars. A very legitimate tension therefore exists in the digital era where everyone stores a large amount of personal information in interconnected devices and apps instead of on paper records.  While that information must be free from unreasonable searches and seizures by the government, law enforcement also must have the ability to carry out its obligation to investigate crimes, including to legally obtain digital data that criminals intentionally attempt to hide in mobile devices.

In Microsoft v. United States, the Government has asked the Supreme Court to overturn a Second Circuit ruling that barred law enforcement from being able to obtain user data stored overseas by using a U.S. search warrant. The Government argues that this restriction would be almost insurmountably detrimental to law enforcement investigations because criminals’ information stored by U.S. companies that happens to use cloud storage on servers outside the country. Microsoft, on the other hand, contends that the Government has no jurisdiction over data held in overseas data centers physically located in other sovereign nations even if that data relates solely to American users (in this case, the data in question is customer email content stored in Ireland as part of a drug investigation). While Microsoft points out that the U.S. government could use an international process for requesting the evidence from Ireland under a Mutual Legal Assistance Treaty (MLAT), the MLAT process is generally a drawn-out and sometimes inefficient process that does not meet more urgent needs of law enforcement investigations. Ireland, the UK and the European Commission have now all submitted amicus briefs in the case.

The decision in both cases will inform how companies should respond to data access requests. Businesses more than ever need a clear path forward that balances their need to prove to customers that they are keeping data private and secure, while also supporting the investigations of law enforcement agencies when it concerns valid concerns.

Cybersecurity liability

The next big cybersecurity issue to watch this year will be on civil liability for data breaches. We live in an era in which an increasing number of companies have been hit with cyberattacks while others have had employees lose a USB stick containing unencrypted customer data, for example. Because of this, the link between a certain data incident and fraudulent activity (which may or may not lead to concrete harm) is becoming murky. Enter the fray class actions in which plaintiffs allege that they were harmed by having their data stolen in a security incident because they now face the risk of future harm that may (or may not) occur due to the breach. According to Article III of the Constitution, plaintiffs can only bring a case to court if harm was suffered and they are the actual party that suffered harm (called having “standing” to sue).

CareFirst has petitioned the Supreme Court to review a DC Circuit’s ruling in CareFirst Inc. v. Attias on future harm and informational injury following a 2014 data breach. A class action was brought against the health insurer claiming future harm that could result from the breach. Following the ruling in Spokeo v. Robins in 2016, which found that a plaintiff must affirmatively plead particularized and concrete injury to establish Article III standing, several Circuits have split on the issue of whether potential future harm was enough to constitute standing. With the rise of cyberattacks and data breaches, this case will have wide-ranging ramifications for any business that holds personal data as well as cyber insurers.

The Federal Trade Commission has recently held a public meeting on “consumer informational injury”. As the FTC seeks to expand its role in data security and privacy enforcement, particularly recently in relation to the Internet of Things products, onlookers will be watching closely to assess the Commission’s stance on potential future harm.

The legal fallout from the Equifax breach will also have important ramifications in this area. After a rare class action was filed in 50 states against the credit monitoring agency, the Independent Community Bankers of America, on behalf of thousands of community banks, has also filed a class action in November in the District Court for the Northern District of Georgia. This case again brings up the issue of whether the simple threat of future harm – as opposed to alleging that actual harm has already been suffered – is sufficient to establish Article III standing.

Potential relief from liability

On the bright side for data breach victim organizations, a proposed state bill in Ohio could pave the way for shielding businesses from law suits following data breaches if the organization can demonstrate that its cybersecurity program meets certain industry standards. Ohio Senate Bill 220 would create a ‘safe harbor’ for businesses if they comply with the NIST Cybersecurity Framework or certain other standards.  The bill specifically mentions NIST 800-171, 800-53, the ISO 27000 family, the Center for Internet Security (CIS) critical security controls, Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA).

If other states start to follow suit, this could help to protect businesses that have legitimately taken reasonable steps to protect personal data appropriate for their particular situation, but who were ultimately still victims of an attack.

Lawmakers look to the board

In the wake of a large number of high-profile breaches last year, scrutiny is now turning more and more to senior executives and the Board. In the current day and age, customers or clients and shareholders have a reasonable expectation that data privacy and cybersecurity will be a major consideration for every company, big or small, regardless of the sector they are in. Lawmakers are also starting to scrutinize the company leaders with the expectation for stewardship in this area.

The Cybersecurity Disclosure Act of 2017 (S.536) aims to promote to promote transparency in the oversight of cybersecurity risks of publicly traded companies. The bill would require publicly traded companies to disclose the cybersecurity expertise of any members of the Board or general partner “in such detail as necessary to fully describe the nature of the expertise or experience”. If none have such experience as designated by NIST or the Securities and Exchange Commission, the company would have to describe the cybersecurity measures they have taken for identifying and nominating future nominees to the Board. Given the risk of not having such expertise on the Board in the current day and age, investors would no doubt read these types of reports closely. The same bill was introduced back in 2015 though, so while its passage is far from clear, it does point to the increasing scrutiny from lawmakers on corporate boards in relation to cybersecurity.

Another bill that could be keeping C-Suite executives up at night is the potential for criminal action. A U.S. Senate bill would criminalize failures to report data breaches. The Data Security and Breach Notification Act, filed by three Democratic Senators, was recently introduced and calls for the FTC to develop security standards and procedures for businesses. Some industries, such as healthcare providers and insurers under HIPAA, already have many of these responsibilities.

These pieces of legislation point to areas where corporate boards should already be advancing. The most recent edition of the National Association of Corporate Directors’ Cyberrisk Handbook, which set out five core cybersecurity principles for board members of public companies, private companies, and nonprofit organizations in every industry sector, highlights the importance of having cybersecurity expertise – both in-house and externally. As a New Year’s resolution that businesses should keep, this should be a top priority.

I am committed to supporting the ONE campaign against gender enforced poverty. Every one person can help make a change.


Oprah Winfrey, Meryl Streep and Chadwick Boseman Among 150 Stars to Sign Letter on Gender Equality

Stars from film and television are calling for action against gender inequality.

Oprah Winfrey, Meryl Streep and Chadwick Boseman are among the notable names who have signed a letter in support of gender equality. More than 150 stars have banded together with international charity ONE in the hopes of creating change.

Back in March, on International Women’s Day, the organization published its fourth annual #PovertyIsSexist letter to world leaders, “demanding that they deliver powerful changes for women and girls living in extreme poverty.” And now, Winfrey, Streep, Boseman, along with a myriad of other influential figures, are lending their support by signing onto the letter.

Other famous signatories from the entertainment industry include Reese Witherspoon, Amy Schumer, Tina Fey, Amy Poehler, Blake Lively, Ryan Reynolds, Natalie Portman, Mariska Hargitay, Mindy Kaling, Neil Patrick Harris and Yara Shahidi.

“We won’t stand by while the poorest women are overlooked,” part of the letter states, expressing a dire need for “historic changes for women” in the #MeToo and Time’s Up era. The campaign has also received support from those outside of show business, including former U.S. Secretary of State Madeleine Albright, Facebook’s Sheryl Sandberg, Chelsea Clinton and Huffington Post founder Arianna Huffington.

Read the entire letter below

“Dear World leaders,

We’re putting you on notice.

For 130 million girls without an education. For one billion women without access to a bank account. For 39,000 girls who became child brides today. For women everywhere paid less than a man for the same work.

There is nowhere on earth where women have the same opportunities as men, but the gender gap is wider for women living in poverty.

Poverty is sexist. And we won’t stand by while the poorest women are overlooked.

You have the power to deliver historic changes for women this year. From the G7 to the G20; from the African Union to your annual budgets; we will push you for commitments and hold you to account for them. And, if you deliver, we will be the first to champion your progress.

We won’t stop until there is justice for women and girls everywhere.

Because none of us are equal until all of us are equal.”














4 steps to help you get GDPR compliant

Current data protection laws haven’t been updated in the UK since 1998 when the government brought in the Data Protection Act, an Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. The policy makers at the time could not have foreseen the growth of data collection that exists today, or how it is used to make important decisions and automate systems through big data processes.

It is for this reason that the General Data Protection Regulation (GDPR) has come about to add further regulation to how user data is collected, stored and used. Breaching this policy, which comes into force on 25th May 2018, would be a substantial monetary and reputational risk. In fact, any business that doesn’t abide by the policy will face a fine of 20 million euros or 2% of the company’s global turnover (whichever is greater).

GDPR doesn’t just affect future data but it also affects historic data that organisations have amassed. This means some potentially big changes for businesses who use big data to their advantage.

In this article, I’ve listed four key steps that businesses should be in the midst of taking in preparation for GDPR. Preparation shouldn’t just stop there though as there are lots more steps businesses should be taking.

  1. Under the GDPR, customers will have the right to know what information companies have collected about them free-of-charge and they will also have the right to have their information removed from publicly accessible databases. As these requests need to be met within one month, businesses will be required to have a procedure in place to handle and respond to these requests with urgency.
  2. Currently, when personal data is collected, businesses have to share privacy information for example, how they intend to use the data. Under the GDPR, businesses will be required to share some additional information for example, the data retention period and the fact that customers have the right to complain to the ICO if they suspect that their data is being mishandled.
  3. A regular and complex form of cyber-attack is the insider threat. After all, employees have access to the most sensitive information which businesses wouldn’t want ending up in the wrong hands. This is why businesses should be ensuring that employees are fully up-to-speed on GDPR so that they can help the business remain fully compliant.
  4. Although not every company will require a data protection officer, organisations can be fined if a data protection officer is required, but there isn’t one. It’s therefore advisable to immediately seek confirmation as to whether this is a requirement for your business or not.

GDPR should be taken seriously by all businesses, no matter what their age or size. This may be a daunting thought for start-ups but fear not, the Information Commissioner’s Office has a dedicated phone service to help small businesses prepare for the new data protection laws.

For more information about GDPR, I encourage you to read through the documents found on the European Commission website. ICO also has a useful free data protection self-assessment toolkit to help you assess your compliance with data protection law.