New York-based BigID recently raised $30M in Series B funding, less than five months after completing its $14M Series A round. The funding was led by Scale Venture Partners with participation from previous investors such as ClearSky Security and Comcast Ventures.
The latest financing, which has taken the startup’s valuation to $46.1M, is a result of BigID’s timely offering: helping companies comply with the General Data Protection Regulation (GDPR). This need for compliance with a new legal framework, together with increasing pushback from privacy-focused consumers, has changed the way software companies look at privacy solutions. It has also helped BigID move and grow fast in the global data protection market, which is expected to reach $14.1B by 2025.
BigID’s big idea is privacy. The startup believes that privacy is hard even for the most sophisticated companies because they have long approached privacy through policy and processes, not product.
So even as customer-preference and behaviour data is essential for any data-driven organization, privacy hasn’t been. Companies might keep customers hooked through granular data and tailor experiences for them, but structuring, mapping, and analyzing this data on a regular basis is not easy. It’s highly challenging for companies to sift through large volumes of data, document it, and find whose data they have, its context and the risks around it.
Most of the data that companies collect contains personally identifiable information (PII). PII was initially restricted to credentials and payment card information, but the expanding definition means the problem has only got worse. BigID, additionally, has discovered another shortcoming: most companies rarely have complete knowledge of this data’s location. In fact, according to a study commissioned by Gemalto, the majority of companies (55% of respondents) do not know where their payment data is located.
Large organizations collect and store huge amounts of data, but it’s difficult for them to track, secure or report on this data’s history or flow. However, knowing what is customer PII data, along with who has touched it, when and how, is increasingly mandated under regulatory requirements. Policy demands and compliance regimes such as GDPR, then, mean that understanding PII is not a good-to-have but essential and crucial to a business’ future.
Putting Privacy First
BigID Founder and CEO Dimitri Sirota, who is called a “privacy expert” and is a serial entrepreneur and investor, says that the company has innovated around four core components: First, they provide companies with the ability to find whose data they have. Second, they help them find all personal data, not just PII. Third, they help them operationalize that data, and finally, they help companies move from spreadsheets to data-driven processes. Previously, Sirota founded two enterprise software companies focused on security and API management that were sold to CA Technologies.
More elaborately, BigID’s solution uses machine learning to automate how companies track and secure sensitive data to avoid breaches and non-compliance with data protection regulations. Simply, it helps companies replace “inaccurate survey and spreadsheet-based privacy compliance with data-centric enterprise privacy management” and thus helps them meet emerging privacy and data protection regulations like the GDPR.
GDPR is, in fact, a key reason why companies like BigID matter today. The regulation has made companies tighten their processes and change how they perceive data privacy, or risk paying hefty fines. As companies scamper to comply with the GDPR, BigID’s solutions have proved timely and important. While it competes with other privacy-centric companies like IBM, OneTrust, TrustArc and others, GDPR means there’s plenty of business for many.
It’s a top reason why the company has seen its latest round of funding: “With the advent of the GDPR, more companies are shifting from manual and survey-based compliance to data-centric automation and operationalization,” Ariel Tseitlin, partner at Scale Venture Partners, said. “BigID’s advanced privacy automation technology provides enterprises a first-of-its-kind ability to address critical privacy requirements like right to be forgotten and data usage record keeping at petabyte scale, across any data, on-premises or in the cloud.”
But BigID believes that their solutions go beyond GDPR. As some U.S. states mull over privacy laws, Sirota has argued that because of consumers’ pushback and rejection of being unsympathetically used for sales, companies realize the need to build privacy-centric organizations. “Our Series B round validates our unique approach to privacy management that takes into account not just what data enterprises are collecting and processing, but most importantly, whose data it is.” But even then it’s the need to be GDPR compliant that is keeping BigID occupied. Sirota told media that it’s been “tough to keep up with demand”, that he could “double” his sales team “and still keep everyone busy” as the company partners with corporations, big system integrators, and value-added resellers.
How BigID Works
BigID’s proprietary scanning technology locates sensitive data and provides a score to measure the data’s identifiability. A data inventory is built after the scan that determines the residency of the organization’s identities to make sure that the correct regulations apply. The scanning process can give a quick snapshot of stored data or help build a more holistic map of stored data. After the scan, data is classified appropriately to apply the correct security control or decide about compliance, encrypted storage, deletion, archiving, etc. The startup also helps organizations comply with the right to be forgotten, document data processing, and manage risk around the data so that they can be proactive in securing it.
BigID also helps with consent management. It manages the consent of customers and employees and enforces their rights over their personal data, thus allowing organizations to search, identify, segment, and amend personal data as necessary.
Sirota says that what their automation means for an enterprise is that they can move from spreadsheets to a data-driven privacy framework which allows them to better protect their information.
An equally important byproduct of this data-processing is that it helps organizations scoop more value and better insight from their data. What’s noteworthy is they do so in an ethical, safe, and secure way.