Should You Comply With Compliance?


Nov 15 2019, 33 mins

On this week's episode of FounderQuest, Josh, Ben, and Starr talk about their SOC 2 and GDPR compliance efforts. They go over the different strategies for handling compliance and the potential costs involved, and discuss whether it's worth the time and money.

When embarking on their compliance research, the guys also stumbled across some surprising claims companies are using to stretch the truth on actually being compliant. Learn a few of the 50 shades of compliance* that they found.

Links:

Kolide

SOC 2

GDPR

Elasticsearch

Redis

Slack

BitDefender

Saul Goodman

Arthur Andersen

Honeybadger - Write For Us

Full Transcript:
Starr: Did y'all go trick or treating?

Josh: Yeah, we did. We went to a neighborhood with some friends of ours and it was a good suburban trick or treating neighborhood. Most of the houses were all participating. The kids had a blast.

Starr: Oh, great.

Josh: We were a family of bats.

Starr: Oh, cool.

Josh: Yeah, I wasn't the Batman. I was just ...

Starr: You were just a bat.

Josh: Just a bat.

Starr: That's okay. There's nothing wrong with just a bat.

Josh: Yeah.

Starr: Yeah, we did the neighborhood thing too. This was Ida's first year of really understanding what was going on and not being just terrified of strangers. So she was just all over this. She was like, "We're going to go get more candy. Mom and dad, you stay right here. You leave me alone and let me do this myself. I'm going to go knock on their door and say trick or treat." She's not even four yet, so it was super cute.

Josh: Nice.

Starr: Yeah. I can't even imagine when she gets to be like 13, she's just going to be like, "You stand over here dad, you park a mile away from school and I'll walk."

Josh: Yeah, she's going to be choosing colleges across the country or something or ...

Starr: Yeah, she likes us nearby, but she just wanted to do it herself. She's very big on that.

Josh: It makes sense. Yeah, Tatum was doing ... she was going up to doors by herself too. I'm pretty sure I saw her hit houses multiple times. Like I should go up, come back to the street and then I think I saw her go back up at the same house.

Starr: That's so funny.

Josh: Yeah.

Starr: Yeah. I ate so much candy last night that this morning I literally feel like hung over or something. My brain isn't working, I'm just exhausted. That's how you know you're getting old, I guess.

Josh: Yeah, we did the same thing.

Starr: Yeah. Today, we're going to be discussing ... what are we going to be discussing? We're going to be compliance GDPR, SOC 2, all those big things.

Ben: Yeah. All that fun stuff.

Starr: Where should we get started? Does anybody want to give us sort of an intro? This isn't really my forte.

Ben: In talking about compliance, we're a small company, and I think a lot of times people in our position, entrepreneurs in our position ignore the whole compliance issue because they're just too small to handle that, and like, "Oh, I don't have a compliance department because it's just me." I think we spent most of our existence in the same boat, like, we'll just ignore that and we'll just whistle and move along our way, but really came to a head with GDPR because we had customers who are international and who themselves had to deal with it. So, we had to deal with it because they had to deal with it. So I think that's the reason why we really felt like we had to get up to speed on what all this compliance stuff means and couldn't just ignore it, put our head in the sand.

Starr: What do we mean when we say compliance? What are we talking about?

Ben: Yeah, really, all the compliance regimes are about, generally speaking, security. A good security practice is making sure that you are operating your business in a way that protects the data with which you're entrusted. GDPR was very much about personal data and making sure that companies treat that responsibly, that it's not going out to everybody and their brother, that you're not doing things with it that your customers wouldn't agree with you doing. For them, it was about making sure that you're not sharing this information willingly or unwillingly, either through marketing partnerships or through breaches. That would be basically a breach of trust with your customer, or your employee, like they have a special case for HR data.

Ben: If you're employed by a company, they have your social security number and they might have other information about you and your address, your, maybe some health insurance information, whatever. You don't necessarily want that information going out to everybody and their brother. Basically, GDPR came about, and compliance, more generally, is all about doing what you're supposed to do, being ethical with the data that you have in your possession.

Starr: A lot of the companies are sort of ... If you're a company in the European Union or you're selling to people in the EU, you are sort of legally required to follow a GDPR, this sort of list of rules. Right?

Ben: Right. If you're a company in the EU and you have to comply with this regulation, you also need to make sure that your suppliers comply with this regulation. That's where it involves us because we're not in the EU, but we have customers there.

Starr: Yeah. The other sort of compliance regimes, what is it? SOC 2. I don't know, there's, I think HIPAA is sort of in that same boat. All these are, either there's a law somewhere that says that certain people have to follow these or big companies have in their policy that they only do business with people who follow these. They're like viral, rig...