Corporate governance and legislative foundations for your business

How does a startup grapple with the complex regulatory and legislative requirements in the early stages?

This week, Helaine Leggat, Managing Partner at ICT Legal Consulting brings her expertise in corporate governance to the table, discussing the challenging regulatory environment that young businesses face, and the essential items they need to focus on to ensure they stay compliant as they grow.


The regulatory and legislative environment is a complex one for startups, especially in terms of how electronic law impacts how they operate. You’re passionate about this topic, so let’s start there.

Well, I think of myself primarily as a lawyer, although I’m a very multidisciplinary, unusually educated person. But starting as a lawyer, that means looking at the regulatory universe as it pertains to particular clients; what are the laws that apply to that particular entity within its jurisdiction?

Furthermore, if it is an international operator, how do you interact with all the other jurisdictions that come into play? If you’re registered in Australia and Victoria, but you’re operating in China, the UK, Germany and so on, then you’ve got to take a lot more into consideration. So that’s the regulatory universe.

In a country like Australia, you will have both the Commonwealth laws and the various state laws, and they prevail differently depending on what’s going on. In addition to this, you have things like tax law, labour law and education – general laws that apply to everybody – and then in addition to that, you get the industry-specific laws.

What do we have to consider for Australian startups when it comes to understanding both the regulatory and legislative environment at the beginning of their operations?

The truth is, a startup is really just a baby version of something that it’s going to grow into – it’s the same as a baby growing into a human being, so the rules don’t really change. And that is the crux of what is difficult, because laws are promulgated on the basis of, “This is normal behaviour. These are the rules.” The rules regulate the entity in their specific environment or jurisdiction, and that doesn’t change – which makes it really hard.

So when you’re small, you actually have to grow with an eye on the horizon. What are you going to become? That’s core because if you don’t have a solid foundation – meaning you don’t know how you need to grow up and what might become of you – then you are not going to build this pathway to success properly. And that can cost a business a great expense in redoing things, or sometimes even their total failure.

You need all of the business, financial and legal advice that creates a roadmap into the future – a plan that prioritises events and triggers that need to be done in a systematic way.

Is there a group of essential items that a startup should cover off at the beginning of their journey?

Very much so. Firstly, it’s worth noting that many of the startups today are founded largely on intellectual property, more so than they used to be, because there’s so much value in IP. There will be a lot necessary steps in terms of using this body of IP law. It works as a suite of laws together, and the more you have, the better your protections are. It covers everything from trademark copyright to patent design, etc., which will protect the intellectual value as you create something. Hand-in-hand with that, you also have the entity itself in connection with tax and growth and so on, particularly if you’re working at an international level, which is what most startups are aiming to do.

Startups need to cope with things like company law as well as really knowing their sector. For example, if you work in biotech then you’re in the health sector and you need to deal with very specific health and privacy laws – so that’s where the regulatory universe kicks in. In addition to that, you have all of your internal and external-facing aspects. So if you think about a business, they are all about acquiring and providing services, and that’s the whole supply chain. Law sees each person in that chain as a specific kind of legal relationship, so you need to thread out who’s responsible for what.

In terms of privacy, for example, if there is a breach then who’s there to point the finger at? Who’s going to actually go out and make the notification? Legal agreements are there to manage those kinds of relationships. But the way we tackle it is to say: what has this business set out to do? And then you can identify things that you will do in terms of standards and best practices to help protect it and facilitate the business.

Do startups get the level of attention they should from a legislative perspective? Should there be dedicated clauses and considerations to support the growth of an early-stage company?

I think there definitely should, however it would be extremely difficult for any legislature, executive or judiciary to deal with these different levels of legislation. It would probably be manageable if you tried to treat legislation as more of an operational issue or a maturity-level issue for startups of a particular size.

That thinking is reflected in certain laws, such as privacy law – but you don’t have to comply with privacy law unless you’re doing $3 million or more of revenue in a year. So that’s an example where if you’re a startup you can say, “Well, I’m not going to worry about privacy law.” But the problem is you actually can’t, because if you are in the health sector, you have to adhere to it anyway. And if you’re working with personal information and you don’t do it, nobody is going to take you seriously. But I think you’re not going to get the legislature to say, “Well, we’re going to make this law for small guys and this other law for big guys.” You do see it reflected, as I said, in the privacy example, as well as in various tax benefits and so on.

As someone who works at the very cutting edge of how this electronic world operates, every single piece of work is a newly created thing that involves thinking.

So if we as legal service providers have the opportunity to do this research and development work, which is what law is really about, we can devolve that downwards for the benefit of smaller players. And then we’re able to say, “Hang on, we’ve learned all of this stuff at the macro level. What does it mean for the little guys? How do you concentrate it? What is the basic minimal viable product that they need to kick off?”


Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.