GDPR (General Data Protection Regulation) is top of mind for many. Given concern around data breaches, this regulation was finally approved two years ago by the EU Parliament after four years of preparation and debate and goes into enforcement on May 25, 2018. But it's a form of long-arm jurisdiction that affects many U.S. companies, including most software startups, because data collection and user privacy touch so much of what they do. And with EU regulators focusing most on transparency, it affects everything from user interface design to engineering to legal contracts and more. That's why it's really about "privacy by design", argues Lisa Hawke, Vice President of Security and Compliance at a16z portfolio company Everlaw (she started as an environmental scientist and lawyer, but spent most of her career in regulatory compliance; she also serves as Vice Chair for the Bay-Area based nonprofit Women in Security and Privacy). That's why, encourages a16z board partner Steven Sinofsky, founders, product managers, and all company members should think about privacy and data regulations (like GDPR, HIPAA, etc.) as a culture... not just as "compliance". The two break down the basics all about GDPR in this episode of the a16z Podcast -- the why, the what, the how, the who -- including the easy things startups can do immediately and on their own. In fact, GDPR might give startups an edge that bigger companies don't have here: "You may have fewer resources," observes Hawke, "but it's also easier to make changes to your infrastructure, your org structure... and if you're willing to put the work in and you can do it, it could open up a ton of opportunities." links mentioned in this episode and further resources: GDPR compliance doc -- Everlaw open-sourced this Google Spreadsheet tool, which combines documentation for GDPR Article 30: Records of processing activities; Article 32: Security of processing; and Article 35: Data protection impact assessment into one workbook (including a place to document Article 15: Right of access by the data subject) "Privacy by Design" foundational principles -- by Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada Privacy and Security by Design: An Enterprise Architecture Approach -- by Ann Cavoukian and Mark Dixon (Oracle)