GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s always good practice for companies with an online presence to take measures to safeguard people’s data, but now failing to do so can land them in some serious hot water.
Now — to underscore the urgency and demand in the market — one of the bigger companies helping organizations navigate those rules is announcing a huge round of the funding. OneTrust, which builds tools to help companies navigate data protection and privacy policies both internally and with its customers, has raised $200 million in a Series A round of funding led by Insight that values the company at $1.3 billion.
It’s an outsized round for a Series A, being made at an equally outsized valuation — especially considering that the company is only three years old — but that’s because, according to CEO Kabir Barday, of the wide-ranging nature of the issue, and OneTrust’s early moves and subsequent pole position in tackling it.
“We’re talking about an operational overhaul in a company’s practices,” he said in an interview. “That requires the right technology and reach to be able to deliver that at a low cost.” Notably, it said it wasn’t actually in search of funding — it’s already revenue generating and could have grown off its own balance sheet — although he noted that having the capitalization and backing sends a signal to the market and in particular to larger organizations of its stability and staying power.
Currently, OneTrust says that it has around 3,000 customers across 100 countries, and the plan will be to continue to expand its reach geographically and to more businesses. Funding will also go towards the company’s technology: it already has 50 patents filed and another 50 applications in progress securing its own IP in the area of privacy protection.
The company offers technology and services covering three different aspects of data protection and privacy management.
Its Privacy Management Software helps an organization manage how they collect data as well as generate compliance reports in line with how a site is working relative to different jurisdictions. Then there is the famous (infamous) service that lets internet users set their preferences for how they want their data to be handled on different sites. The third is a larger database and risk management platform that assesses how various third-party services (for example advertising providers) work on a site and where they might pose data protection risks.
These are all provided either as a cloud-based software as a service, or an on-premises solution, depending on the customer in question.
OneTrust has an interesting backstory that sheds some light on how it was founded and how it identified this problem relatively early.
Alan Dabbiere, who is the co-chairman of OneTrust, had been the chairman of Airwatch — the mobile device management company acquired by VMware (Airwatch’s CEO and founder, John Marshall, is OneTrust’s other co-chairman). In an interview, he told me that it was when they were working on Airwatch — where Barday had worked on consulting, integration and engineering services — that they began to see just how a smartphone “could be a quagmire of information.”
“We could capture apps that an employee was using so that we could show them to IT to mitigate security risks,” he said, “but that actually presented a big privacy issue. If you have dyslexia or if you use a dating app, you’ve now shown things to IT that you shouldn’t have.”
He admitted that in the first version of the software, “we weren’t even thinking about whether that was inappropriate, but then we quickly realised that we needed to be thinking about privacy.” He says that it was Barday who first brought that sensibility to light, and “that is something that we have evolved from,” he added. After that, and after the VMware sale, it seemed a no-brainer that he and Marshall would come on to help the new startup grow.
Although, Airwatch made a relatively quick exit, the plan, he added, was to stay the course at OneTrust, with a lot more room for expansion in this market.
Indeed, there is an obvious opportunity to expand not just its funnel of customers, but to add in more services, such as proactive detection of malware that might leak customers’ data (such as in the recently-fined breach at British Airways), as well as tools to help stop that once identified. While there are a million other companies also looking to fix those problems today, what’s interesting is the point from which OneTrust is starting: by providing tools to organizations simply to help them operate in the current regulatory climate as good citizens of the online world.
This is what caught Insight’s eye with this investment. “OneTrust has truly established themselves as leaders in this space in a very short timeframe, and are quickly becoming for privacy professionals what Salesforce became for salespeople,” said Richard Wells of Insight. “They offer such a vast range of modules and tools to help customers keep their businesses compliant with varying regulatory laws, and the tailwinds around GDPR and the upcoming CCPA make this an opportune time for growth. Their leadership team is unparalleled in their ambition and has proven their ability to convert those ambitions into reality.”
He added that while this is a big round for a Series A it’s because it is something of an outlier — not a mark of how Series A rounds will go soon.
“Investors will always be interested in and keen to partner with companies that are providing real solutions, are already established and are led by a strong group of entrepreneurs,” he said in an interview. “This is a company that has the expertise to help solve for what could be one of the greatest challenges of the next decade. That’s the company investors want to partner with and grow, regardless of fund timing.”