Privacy Optimization

Data Breach Management made easy

Poland, Mazovia
Market: Another, Artificial Intelligence
Stage of the project: Prototype or product is ready

Date of last change: 15.06.2021

Idea

Startup video (draft version): https://vimeo.com/548878625/c571c38d12
Product video: https://vimeo.com/515285935/de5c56f595

Data Breach Management Tool is software dedicated to helping organizations analyze personal data incidents, assess their risks and report personal data breaches to the appropriate data protection authorities in a timely manner.
It is a solution for GDPR compliance that automatically risk-assesses data breaches via a proprietary algorithm, thereby reducing the risk of massive regulatory penalties and lowering the costs of external lawyers or consultants.

Current Status

The product is ready to be sold all over Europe with a strong development for Poland and the UK markets.
In Q1 & Q2 2020 we built the MVP and took part in the ReaktorX acceleration program.
In Q3 & Q4 2020 we tested the solution with DPOs and privacy experts and made improvements to the software: we ran a few PoCs with smaller companies, but we are now approaching our target customers, which are first large and corporate financial services firms.
In Q4 2020, we signed a collaboration agreement with Dentons Poland which is actively supporting us with legal, marketing and promotional activities and which introduced us to Dentons Europe Innovation program (discussions are ongoing): https://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/news/2020/november/data-breach-management-tool
In Q1 2021, we were awarded an EU grant in collaboration with AccelPoint and PARP of EUR 50k to run a Proof of Concept with Santander Bank Poland which will be completed by June 2021: https://accelpoint.pl/news/the-4th-round-of-accelup-accel
In Q2 2021, we were awarded an endorsement letter by the London Business School (available on request) to apply for a startup VISA to get to the UK to grow, develop and raise funds for our startup.
The company already has revenues from consulting services to a few clients (healthcare, IT and financial services firms), which are meant to build our firm's reputation but which are secondary compared to the software that we built.

Market

Persona or users: Data Protection Officers, Data Privacy Officers, Privacy, Compliance, Legal or Cyber Security teams.

Customer segmentation: we focus first on financial services due to the number and sensitivity of the private data that they manage. However, we can work with any medium, large or corporate B2C organisation managing a high number of private data of their customers (i.e. healthcare, e-commerce, public administration, etc.).

Market: the product is compliant with the GDPR, so it can be sold all over the EU and to all those organisations worldwide which manage EU citizens' private data.

Our start-up vision is to build a platform to optimize with DeepTech technology (AI and/or machine learning) all the privacy processes based on different laws all over the world (nobody is even close to developing something like that!). The Data Privacy market size today is around $90 billion forecasted to grow around 15% YoY for the next 5 years at least.

Today, we are focused just on large and enterprise firms within Poland. However, we are already starting to investigate the UK, Austrian and Hungarian markets for further development and growth. Going forward, the market target will be worldwide, with a first focus on the EU market (including US/Global companies having a presence in the EU) in regard to private or public organizations of any size managing large amounts of personal data (e.g. public or private schools and hospitals, international corporations, etc.). Next we will want to expand and include more regions/countries outside the EU (i.e. US, AsiaPac).

Problem or Opportunity

Do you know how to determine whether an incident is a personal data breach, and the circumstances under which you are required to report it? Are you aware of the time scale to report a data breach to the authorities? Ever encountered several data breaches simultaneously? Do you know how to assess their risk?

Companies do not have the appropriate skills, technology or procedures in place to detect breaches when they happen, nor to report them in sufficient detail to the regulators. We aim to facilitate and ease the process of reporting personal data incidents, from the moment of receiving an incident notification, through its risk assessment, to the eventual reporting to the authorities and any audit requirements. The whole process becomes less time-consuming, and the risk that the breach is reported with a significant delay diminishes. A large group of specialists no longer needs to be involved in the assessment process.

The scope of GDPR is broad, covering not only the handling, processing, storing, and communication of personal data but also trace data that—when combined with other observable information—might expose the personal information of an EU resident. This creates a complex set of challenges for data privacy teams who, despite their best efforts, will never be able to protect their businesses from every threat on the digital horizon.
No security system can ever be airtight. In addition to hackers and other attacks that constitute an intentional threat to the businesses they target, human error, and accidental information security breaches are also common.

Even the loss of equipment on which personal data was stored, or an email sent where recipient lists can be viewed, constitutes a data breach.

The question is not whether such incidents will occur or not, but when they occur, and how they can be managed effectively once they do. The risks for improperly managing a privacy breach are high, and they are only getting higher.

GDPR is only in its third year and fines have reached about EUR 270 million in the EU. In 2019 and 2020, the fines levied against EU businesses increased dramatically per violation, with companies like Cathay Pacific, Equifax, British Airways, Marriott, and Facebook incurring hundreds of thousands, to hundreds of millions of Euros in penalties.

In addition to the financial penalties, each violation has a negative impact on the reputations of the companies involved. This often leads to a serious lack of trust among consumers and additional profit loss.

Solution (product or service)

Not only does DBMT create a central repository for all data incident reporting information, but it also allows Data Protection Officers (DPO) the ability to assign tasks within their teams, track a breach response in-progress, and keep valuable deadlines in check from an easy-to-use dashboard.

DBMT automates the labor-intensive processes involved with risk assessments and matches a given incident with the appropriate privacy regulations, presenting recommendations on the next steps to take and advice on which mitigation measures must be put in place.

DBMT automatically identifies who needs to be notified, as well as when and how the appropriate notification must be submitted for each incident. Additionally, it generates risk reports and submits them to the DPO via the dashboard, email, or through the mobile application.

Businesses that rely on DBMT to assist in the difficult process of complying with privacy protection regulations such as GDPR are investing in a level of protection they desperately need and have never had before.

DBMT represents a necessary step forward, a response to the privacy laws and cybersecurity concerns that are placing undue pressure on businesses around the world. DBMT allows businesses to protect their profits and guard their reputations in an increasingly dangerous information sphere.

DBMT solves a number of problems for both the organization’s employees and the privacy team/DPO:

1. It allows small, medium and large organizations (private and public) to have a single reporting tool among their various locations to report any potential data incident to a centralized privacy team/DPO;

2. It facilitates the easy management of potential incidents by the privacy team/DPO by providing a simple platform for communication between the company’s employees and the privacy function that includes a clear task assignment tool;

3. It automates the breach risk assessment and makes reporting of potential personal data incidents quick and easy: the multiple-choice questions within the reporting feature help employees explain the problem in a clear and straightforward way;

4. It allows the privacy team to timely identify if an incident is negligible or is a serious data breach;

5. It helps satisfy the regulatory requirement of the 72h notification window for reporting serious breaches to the authorities;

6. The database allows data to be filtered for statistical and auditing purposes.

Our software helps businesses to correctly manage this complex process lowering if not avoiding the risk of millions of Euros in fines and penalties, making DBMT a valuable tool for mitigating the risks of GDPR privacy breaches and regulatory violations.

Today, we are working on implementing new functionalities inside the product. Especially, we are working on machine learning capabilities to provide an even more granular result of the risk assessment.

In the future, we will keep implementing new modules to create a comprehensive suite of products to help organizations successfully cope with all privacy matters. We aim to apply DeepTech technology to the automation of all processes in the privacy area all over the world.

Specifically, the first product offers functionalities limited to the data breach process management.

Further development will include the addition of the following features:
- Awareness training module;
- Accountability module;
- DeepTech technology applied to all privacy processes;
- Expansion to other regions beyond the EU and the US;
- Addition of more languages to the website and to the software (e.g. Italian; French; German, etc.).

Competitors

DLA PIPER, a large law firm serving corporate clients worldwide. The solution offered by the law firm seems similar to ours; however, it is not possible to assess all functionalities provided by its product since no data is available. It appears to be a solution available just to the large corporate clients of the law firm at a non-competitive price tag and with no flexibility.
RADARFIRST, a data breach management solution focused on the US market. They teamed up with TrustArc to offer a solution similar to ours, however less automated.
TRUSTARC offers a combination of technology along with expert consulting services to help companies build and manage an effective breach response program on premises. It is more of a consulting company and their platform is limited in its functionalities. It currently operates primarily as a basic process streamline.
ENACTIA, a Cyprus based company, offering a data breach management tool, but the core element of their risk assessments is an elementary function, without a real automation – it only reflects a self-assessment. A privacy team/DPO still needs to assess manually the risk involved in the incident due to the lack of proper guidance from the system.
ONETRUST, the largest player in the privacy arena, a provider of a privacy management platform that offers a range of tools and services, including a template-based self-assessment tool. It does not provide automated solutions for data incident risk assessment. Their price point is less competitive.
All competitors mentioned offer training, consulting and privacy services, but no end-to-end and fully automated data breach management tool is already available on the market. For those available, their functionality is limited to providing a database of incidents, however no further data breach management or any kind of real automation in the risk assessment is offered. Accordingly, their business model is mainly based on hourly consulting fees or on users paid membership, whereas within DBMT the fee varies based on the company's size, number of users and complexity of the modules.

Advantages or differentiators

Pedigreed team composed by experts in privacy, IT, marketing and business development.

The first automated personal data breach management tool in the market, based on a proprietary algorithm which completely automates the data breach risk assessment. Working on potential Machine Learning applications.

A cost-effective software for public and/or private organizations of any size managing large amounts of personal data, aiming at becoming a full privacy platform to cover all privacy processes.

Finance

DBMT should be more cost effective than large corporations like OneTrust or Enactia because we can take advantage of more cost-effective operations, IT, research and marketing support from Poland. Moreover, to gain market share we want to offer a better price to clients. The idea is to lower, for example, the fee structure that Enactia put in place by at least 1/3:
• ENTERPRISE MIN €24,500/year Full Functionality Cloud Based 200 System Users (price depends on the work involved)
• LARGE BUSINESS €14,500/year Full Functionality Cloud Based 50 System Users
• MEDIUM BUSINESS €6,500/year Full Functionality Cloud Based 20 System Users
• SMALL BUSINESS €3,000/year Full Functionality Cloud Based 5 System Users
These prices are correct for Eastern European countries, but they should be in line with those of our competitors for the Western countries.
The next 5 years' revenue will depend on the size of the sales and marketing team that we will be able to put in place, depending on the size of the Seed round that we will be able to raise.

Business model

In general, we charge clients with a yearly licence fee depending on the company size, number of users and complexity of the modules. Most importantly – the platform should be accessible to all organisations applying a different fee depending on the complexity of the use of the platform that is required and on the company size.
Today, law firms are losing market share to new market players (i.e. consulting or IT companies) which are automating legal processes. We aim to team up with large law firms, helping them to preserve their market share and sharing with them part of the yearly license fee. That is why we are mainly using 3 different business models:
1- selling the tool thanks to the help of our distributors (i.e. Dentons Poland) with whom we would share part of the yearly fee;
2- selling the tool bundled together with the consulting services from our distributor (i.e. Dentons) so to keep the yearly fee for us and leave the consulting fees to the distributor;
3- the distributor would use the tool on behalf of the client to whom they would provide a service encompassing the whole data breach management process.
A different revenue stream may come from partnering up with insurance companies that provide cybersecurity/GDPR insurance. The idea in this case is to provide, together with that insurance, our basic version of DBMT with just its core function - which is an automated risk assessment and creation of the incident reports. These basic features, provided to a large number of customers through the relationship with one single insurance company, allow us to price this limited version of our product very low - we expect that with sales to 1000 clients of one single insurance company at the price of 350 EUR we could break even after the first year (without external investments).

Money will be spent on

50% marketing and sales team.
20% R&D team (lawyers and researchers).
20% IT team.
10% operations.

Offer for investor

In terms of valuation, we look at our competitors and we have the intention to follow a similar path to be able to compete with them at an international level (but with a better product). Please see hereafter a couple of examples of raising rounds that we take inspiration from:

o Privitar: https://craft.co/privitar/metrics - https://www.crunchbase.com/organization/privitar/company_financials - https://pitchbook.com/profiles/company/113075-29#overview

o OneTrust: https://craft.co/onetrust/metrics - https://www.crunchbase.com/organization/onetrust - https://pitchbook.com/profiles/company/166325-05

Team or Management

Risks

The suite of products will be developed independently of the speed of client acquisition or of receiving any outside investment (e.g. VC, business angels, etc.). However, the biggest risk is that being slow in developing the full suite of products could make our products' market penetration and market share acquisition more challenging. On the other hand, working on the product now, during a crisis/COVID-19 period, gives us more time to pursue the development because all other companies are freezing or slowing down their development (from a competitor's point of view) or they are not looking to acquire any solution in the short term due to potential liquidity issues (from a client's point of view).

Incubation/Acceleration programs accomplishment

ReaktorX
AccelUp (ongoing)
Design Terminal (ongoing)

Won the competition and other awards

During ViennaUp'21 competition our team was awarded with the special prize (EUR 1000) for the startup from the CEE region to establish company in Vienna sponsored by the Vienna Business Agency.

Invention/Patent

Automated risk assessment via a proprietary algorithm.
Copyrights are automatically associated while the product is created. Now we are exploring the possibility of a trademark for our name and logo, and possible EU-wide protection of the core of the product, which is an automated risk assessment algorithm.

Photos

Photo 1 - Data Breach Management made easy

Product Video
