AWS Startups Blog

What Startups Need to Know About GDPR


Guest post by Justin Antonipillai, the Founder & CEO of WireWheel. He was previously the Acting Undersecretary of Economic Affairs at the U.S. Department of Commerce in the Obama administration and led the U.S. negotiating team with Europe on privacy issues.

Whether just starting a company or migrating your existing storage or applications, issues of cybersecurity, speed and scalability are high on every company’s checklist. Now, privacy and “data protection” (as this area is called in Europe) can join that list.

First off, if Privacy and Data Protection— which is critical to any company’s ability to succeed—isn’t at the top of your list, it should be. The European Union’s General Data Protection Regulation (GDPR) is the biggest change in data privacy and protection laws in 20 years. It has a number of important requirements, and every company should know the following about GDPR:

  • The GDPR applies to companies around the world, not just in Europe.  If you offer any services in Europe, or handle the data from European Individuals, you could be covered
  • Failure to comply with GDPR carries fines of up to 4% of global revenue
  • Forty-four independent regulators are poised to enforce the GDPR starting on May 20

Second, in order to comply with GDPR (and most other privacy laws), you need to at least be able to show, on demand (1) where you are storing the personal data, (2) where your “compute”—or servers—are processing that data; (3) what third-parties also have access to that data; and (4) what personal data you are actually collecting and using.

The GDPR goes into effect on May 25, 2018. In light of GDPR, organizations around the world are taking steps to operationalize privacy enterprise-wide in order to build transparency and trust with customers around the use of their personal data.

However, according to Gartner, 50% of global enterprises will not be GDPR compliant by the end of 2018. One of the biggest barriers to compliance is the fact that most organizations don’t even know what data they hold, where they hold it, or what application servers are accessing it. They know that it is an abundant, dynamic resource in perpetual motion, but if asked to present an inventory of their personal data processing activities, most companies today would not be able to immediately respond. Instead, they would “need to get back to you on that.” But that type of response will not hold in the new era of GDPR regulation, with financial penalties of up to 4% of annual worldwide revenues for failure to comply.

Today, enterprises lack a fast, scalable solution to help them find, classify and better use the data they have collected from their customers. That’s why I decided to start WireWheel. Our data privacy and protection platform leverages AWS infrastructure and services, and addresses requirements around the mapping of personal data, preparation of data protection impact assessments, affording customer transparency and fulfilling data subject access requests in a timely manner.

The bottom line is that if you are deployed on AWS—and using WireWheel—complying with GDPR and a number of other privacy laws around the world, is much, much easier and faster. Contact us at to hear how WireWheel can help you solve these GDPR challenges.

Michelle Kung

Michelle Kung

Michelle Kung currently works in startup content at AWS and was previously the head of content at Index Ventures. Prior to joining the corporate world, Michelle was a reporter and editor at The Wall Street Journal, the founding Business Editor at the Huffington Post, a correspondent for The Boston Globe, a columnist for Publisher’s Weekly and a writer at Entertainment Weekly.