A Start-up guide to

SFG10: Data rights are human rights

Why is this important?

Did you know? In 2022 there were 4,100 publicly disclosed data breaches, equating to 22 billion records being exposed, including at companies such as Okta, Google, Twitter, Uber, Microsoft, Dropbox, Twilio and LastPass, according to cshub.com.

Data rights are human rights because in today's digital age, individuals generate and share an enormous amount of data. This data often includes personal information such as names, addresses, financial information, and even biometric data such as fingerprints and facial recognition data.

The right to privacy is one of the fundamental rights that are threatened by the collection, storage and use of personal data.

Additionally, data can also be used to discriminate against individuals based on factors such as race, gender, or sexual orientation. This can lead to further human rights violations.

Protecting data rights is essential to ensuring that individuals are able to exercise their fundamental human rights. Data security should therefore be a focused investment from day one of your business. It shouldn’t be taken lightly, as incidents such as a data breach can be very damaging to customers and to your reputation, and could result in substantial fines or other regulatory action.

The responsible handling of data, and in particular personal data, is crucial to protect against cybersecurity risks, the most prevalent being:

  • Social engineering - The process of hacking people rather than systems remains one of the most popular methods for compromising security, as up to 85% of all data breaches (Source) include an aspect of human involvement. The four common types are Phishing (email-based), Vishing (voice-based), Smishing (SMS-based) and Impersonation.
  • Third-party exposure - Attacks facilitated by granting third parties, e.g. contractors or external systems, privileged access to company data from networks and devices that are less well protected, maintained or monitored.
  • Configuration mistakes - Whether introduced from an external source or via privileged internal access, configuration mistakes can lead to security gaps that are unknown to the company's security teams.
  • Ransomware - A method of denying access to a company's data by encrypting it and demanding a 'ransom'. The average cost of this type of attack in the UK is $1 million, with system access typically lost for at least three weeks.
  • Insider threats - Insider threats involve employees or other trusted individuals who intentionally or unintentionally compromise the security of a system or network. This can include stealing sensitive data or inadvertently introducing malware into a network.
  • Password attacks - Password attacks involve attempting to guess or steal a user's password in order to gain access to their accounts. This can be done through brute force attacks, where an attacker tries to guess a password by using various combinations of letters, numbers, and symbols, or through credential stuffing attacks, where stolen usernames and passwords from one site are used to attempt to access other sites.
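The distinction drawn above between brute force (many guesses against one account) and credential stuffing (stolen pairs tried across many accounts) is also what a defender looks for in authentication logs. The following is an added illustration, not code from the guide; the log format, thresholds and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real data):
# "<timestamp> auth <OK|FAIL> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-01-05T10:00:01 auth FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:02 auth FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:03 auth FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:04 auth FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:05 auth FAIL user=alice ip=203.0.113.7
2024-01-05T10:00:06 auth FAIL user=alice ip=203.0.113.7
2024-01-05T10:01:00 auth FAIL user=bob ip=198.51.100.9
2024-01-05T10:01:01 auth FAIL user=carol ip=198.51.100.9
2024-01-05T10:01:02 auth OK user=dave ip=198.51.100.9
2024-01-05T10:01:03 auth FAIL user=erin ip=198.51.100.9
2024-01-05T10:01:04 auth FAIL user=frank ip=198.51.100.9
2024-01-05T10:01:05 auth FAIL user=grace ip=198.51.100.9
2024-01-05T10:02:00 auth FAIL user=heidi ip=192.0.2.44
2024-01-05T10:02:30 auth OK user=heidi ip=192.0.2.44
"""

LINE_RE = re.compile(r"^\S+ auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def classify_sources(log_text, fail_threshold=5, stuffing_min_users=4):
    """Return {ip: label} for source IPs with at least fail_threshold failed logins.

    'brute_force'         - failures concentrated on a few usernames
    'credential_stuffing' - failures spread across many usernames
    A single mistyped password (heidi above) stays below the threshold.
    """
    fails = defaultdict(int)      # failed attempts per source IP
    users = defaultdict(set)      # distinct usernames tried per source IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        fails[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    verdicts = {}
    for ip, n in fails.items():
        if n < fail_threshold:
            continue
        if len(users[ip]) >= stuffing_min_users:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts
```

Note that the stuffing source also has one successful login (dave) in the middle of its failures; that success, not the failures, is the account to act on first.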

Remote working has also increased data security risks. Factors such as the use of public Wi-Fi networks, the lack of physical security and reduced visibility for security teams monitoring network activity make it more difficult to identify and respond to potential security breaches in remote working environments.

Regulatory compliance

The General Data Protection Regulation (GDPR) was introduced in 2018 to provide a Europe-wide legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information. Start-ups based in or doing business in the UK and Europe should build privacy into their business model. They should also take steps to ensure they are GDPR compliant, as well as taking into account and complying with the data privacy laws of any other countries in which they operate (for example, a number of US states have their own privacy laws, with more states to follow suit).

The California Consumer Privacy Act (CCPA) was introduced in 2018 to give consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

Where to start

Pre-seed/Seed

  • Understand business model and product-related data risks and obligations
  • Hire a security-savvy developer
  • Build and implement data privacy controls by implementing a ‘Security by Design’ culture across the business
  • Develop appropriate policies and procedures for your business to minimise data security risks
  • Deploy endpoint security solutions as the first layer in your security stack

Series A

  • Formalise data security responsibilities across your team and consider hiring a CISO (Chief Information Security Officer)
  • Continue developing appropriate policies and procedures to address additional risks
  • Engage a third party to conduct regular security assessments and promptly remediate issues highlighted
  • Invest in a training platform and schedule regular, mandatory, cyber and regulatory training for all
  • Adopt a fundamentally zero-trust approach to infrastructure and architecture. Only work with vendors who adhere to these principles
  • Invest in solutions that will help you manage cybersecurity threats (e.g. email phishing) and allow for secure software development (e.g. source code scanning for sensitive information).
  • Maintain regulatory compliance with GDPR, CCPA and other relevant obligations
  • Plan and document what you will do in the event of a breach

Series B onwards

  • Continue monitoring for data-related risk across your business and all applications and developing appropriate corresponding policies and procedures
  • Maintain regulatory compliance: improve adherence to compliance mandates like GDPR, CCPA and other relevant obligations, and develop a strong audit of email security risk
  • Hire a CISO (Chief Information Security Officer) if you haven’t already done so, and, if appropriate, build a dedicated security team
  • Build software with a fundamentally zero-trust approach to infrastructure and architecture. Only work with vendors who adhere to these principles
  • Audit your suppliers to check their GDPR/other data compliance
  • Consider cyber insurance
  • Invest in enterprise risk solutions helping to:
    • Enable secure software development by scanning source code to detect API keys, passwords and other sensitive information in real-time. For example, GitGuardian
    • Support zero-trust architectural decisions that help ensure your company’s software and the data you store is secure by design
    • Manage cybersecurity threats in real-time by reporting key areas of insider risk (like unusual credential use or data movement).
    • Improve employee behaviour through regular simulations of phishing and training
    • Deploy an ASM (attack surface management) platform to fully understand your risk profile
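The source code scanning recommended above (in the Series A and Series B lists) works by combining known-format patterns with an entropy check for assignments whose value looks like a random token. The following is an added illustration of that approach, not code from the guide or from GitGuardian; the sample source lines are constructed, and the AWS key ID is Amazon's documented example value, not a live key.

```python
import math
import re

# Constructed sample source lines (not from any real project).
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
password = "hunter2"
api_token = "d41d8cd98f00b204e9800998ecf8427e"
# TODO: load token from the secrets manager instead
LOG_LEVEL = "debug"
"""

# Pattern rules for secrets with a known shape; the name makes the finding actionable.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded_password", re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]+['\"]")),
]
# Generic rule: a token/key/secret-like name assigned a long string literal.
ASSIGNMENT_RE = re.compile(r"(?i)\b(\w*(?:token|key|secret)\w*)\s*=\s*['\"]([^'\"]{20,})['\"]")

def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, plain words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text, entropy_threshold=3.0):
    """Return [(line_number, rule_name)] for lines that look like leaked secrets.

    Hex-only tokens cannot exceed 4 bits/char, so 3.0 is a practical threshold
    for them; base64-style tokens score higher and would need a higher bar.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, pattern in RULES if pattern.search(line)]
        if hits:
            findings.extend((lineno, name) for name in hits)
            continue  # a specific rule already explains this line
        m = ASSIGNMENT_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_" + m.group(1).lower()))
    return findings
```

Run such a check in CI or as a pre-commit hook so a finding blocks the push rather than being discovered later in the repository history.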

The suggestions above are just some of the key areas to watch; there are many others, including: pen testing, bug bounty programs, security logging and investigation tools, application security (which starts with secure designs), supply-chain security, implementing a zero-trust architecture, securing your cloud infrastructure, running internal phishing campaigns to raise awareness, proper 2FA...

Data collection

  • Number of data breaches
  • Number of cybersecurity threats/attacks
  • % employees completing cybersecurity and other IT training
  • % employees failing phishing tests

Useful resources and further reading

Examples and testimonials

Merama sees cybersecurity and consumer data protection as fundamental elements of its ESG approach. The company has implemented seven information security policies and created a Cyber Awareness Program to promote cybersecurity and personal data privacy awareness throughout the organization. During 2022, the team carried out a Data Protection Compliance risk and gap analysis and documented the Data Protection Management System for Merama’s holding companies and 20 subsidiaries.

“We’ve invested a lot to design and implement an efficient, globally standardized data protection infrastructure by providing systematic rules to cover policies, processes, and activities that involve personal data processing. This effort includes hiring knowledgeable, hands-on data protection professionals who undertake the DPO’s responsibilities and understand and ensure compliance with the Data Privacy Laws applicable to all countries where we operate. This topic was of utmost importance to our stakeholders and us, so we started to assess and address the most critical aspects first, the Privacy Notices.”
Luana Rosa, Global Head of ESG at Merama.

Tessian has pioneered a new category of security software called Human Layer Security, tackling the most vulnerable asset of an organisation when it comes to cybersecurity: people. Today, 90% of data breaches are caused by some form of human error, and Tessian uses machine learning to stop data breaches and security threats caused by human error, without disrupting employee workflow. Customer stories can be found here.

“People make 35,000 decisions every day; it just takes one wrong decision or one instance of human error for an employee to cause a catastrophic security breach. In the same way we have firewalls to secure networks, and endpoint detection and response platforms to secure devices, enterprises now need advanced security technology to secure their people.”
Tim Sadler, Co-Founder and CEO at Tessian.