Memo to start-ups: Don’t forget the law

It’s a complicated business founding a technology start-up. There’s capital to raise, products to prototype, staff to hire, customers to lure – and, oh yes, laws to observe. This last point – ensuring compliance with product certification, data privacy and numerous other rules and regulations – has proved to be an unanticipated minefield for many a promising new company.

Consider a young digital health company I know – let’s call it “Medco” to preserve anonymity. Medco’s specialism is analysing user generated data to make early diagnoses of disease. Type II diabetes is a growing global health problem, for which earlier diagnosis would result in better outcomes. There is even the possibility of a cure, if people make lifestyle changes. 

Having set up a platform for cloud-based healthcare services, the young company planned to collect and analyse health data from groups of citizens, enabling early identification of people at risk of developing type II diabetes and providing support and advice that would enable them to make lifestyle changes to prevent it progressing. From this, Medco aimed to go on to apply its technology to other chronic diseases.

Everything was set up for an initial launch, and to clarify whether the system would need EU medical device class II approval, an expert in regulatory affairs was consulted.  The expert deemed class II approval was “of course” necessary, and presented the full-scale “standard” package for securing this approval, with little effort to understand the exact situation of the company.  The considerable cost and time required to get class II came as a huge surprise for Medco’s management.  Had they consulted experts sooner and factored this in at a much earlier stage, resources could have been set aside or the strategy adjusted.

But that isn’t all. In another project, Medco learned belatedly that its plan to market services through a high street pharmacy chain in another country required slow and costly government health inspections of each and every in-store clinic. Project killed. And on yet another occasion, Medco was about to conclude a reseller agreement with a bigger company, when it received a request to submit a series of legal documents. The start-up struggled to get all the unexpected and complicated paperwork together, delaying the deal

Three such problems for one company may smack of carelessness, but it must be remembered that health is one of the most closely-regulated sectors there is. And my research suggests this experience isn’t that unusual in any sector. In short, a lack of thinking ahead and planning to ensure compliance can wreck the best business case.

Start-up companies and their advisors, whether at university technology transfer offices or elsewhere, must pay closer attention to this issue. Failure to do so can put a sudden roadblock in the way of a great new product or service.

And the number and complexity of compliance issues is rising. The EU’s General Data Protection Regulation, for example, creates a range of new data privacy requirements that many entrepreneurs hadn’t contemplated when devising their business plans. In general, regulation and powers of enforcement are going up, as society’s tolerance for health, environmental or financial risks, goes down. Entrepreneurs ignore that political fact of life at their peril.

It is also the case that entrepreneurs often overlook the benefits of adherence.  In terms of business operations, it improves efficiency, saves time, and prevents waste of resources. In the longer term, the impact on the standing and reputation of the startup may be even more important. It reassures regulators and partners, including investors and customers.

In principle, adherence to basic regulatory requirements is straightforward: Do what you need to do, do it at the right time, and document that it has been done. This involves:

   • Knowing the requirements in your area of business. The usual sources are published guidelines, networks and experts. And whatever the sector, every business has to be well-versed in standard issues, such as employment law, health and safety, and the like.

   • Running a disciplined, compliance-minded company. Management’s attitude is mirrored in the culture of the organisation, setting the tone and ensuring it is understood there is no way around the basic requirement of being disciplined and accountable. This culture should be set in stone from the hiring of the first employee. And compliance must be across the board - it is no good being disciplined in some areas if you are negligent in others.

   • Timing correctly. When it comes to compliance, timing and execution is all. There will be fixed “static” deadlines and milestones, whether imposed on the company or adopted by management, and then “dynamic” time for processing documentation, decisions, approvals and the like, whether external or internal.

   • Keeping full documentation. The need for this is acknowledged by many but executed by few.  Documentation must include not just what was done, but also what will be done - or not - in future. Setting out suitable routines for doing this is crucial.  Plans and forecasts underpin the business plan and documenting assumptions and forecasts makes it easier to trace or revise plans if the business reality doesn’t match the initial plan – which is usually the case.

   • Planning compliance. This should be viewed as a strategic tool, facilitating the formulation of internal policies, assessing available resources for compliance, and matching development and marketing activities to the capacity to remain in adherence. And as the Medco example shows, it’s important for customers. Start-up companies often seek relationships with large customers to get validation for products and to achieve scale. You should always bear in mind which party risks the greatest damage in case of non-compliance. It is not the plucky little start-up nobody ever heard of, but the multinational with thousands of employees that has spent years building a solid reputation.

Keeping track of all this is a collective responsibility, starting with managers – who are often too busy thinking about product development and market opportunities to keep compliance in mind. So it is essential company directors understand the need for adherence and that they do not neglect or postpone implementation in the attempt to push business development forward.  Advisers and consultants are also important, but often are inclined to present matters in an unnecessarily detailed and complicated way. For university start-ups, technology transfer offices can be a special source of advice. However, in general they do not have the resources to provide support beyond the initial setup of the company.

But more can be done. TTOs can provide cost-efficient services to handle routine compliance issues.  And mentors are important - experienced professionals ready to help start-up companies as advisers on a voluntary (or at least low-cost basis). Mentors have experience and expertise in governance and compliance, and can help young companies on an ad hoc basis with the fundamental issues.

Above all, compliance is about simply being aware and of everybody playing a part. Failure to do so can have dire consequences for all.  A lapse in any aspect of compliance can mean no customers, and no business.

Kent Hansen is CEO of Danish Venture, providing management support to companies and private equity teams.