In the sea of global privacy regulations, how can startup companies build a good foundation around the way they treat data without going overboard on compliance? After all, the startup needs to focus on building its products, fundraising, and developing the business itself.
At the same time, there are good reasons for startups to pay attention to data protection: this is not solely about compliance, but about building customer trust. And building customer trust is key to all businesses, especially those who operate online.
One approach startups can take is to use the privacy notice as a starting point for their data protection program. But I don’t mean simply slapping up any privacy notice, but, instead, using the privacy notice to think a bit about the practices the startup has (or intends to have) around data.
Every online business will need a privacy notice and this project can be used as a way to think about a new business’s data practice. Privacy notices need to be accurate, truthful and up to date (see the FTC’s Protecting Personal Information: A Guide for Businesses). Because privacy notices should be updated as the business changes, or at least annually, the business can calendar a regular review of the privacy notice and, over, time, this process can be used to review the data protection program
Here are some key questions to ask along with drafting a privacy notice for a startup:
- What data is the startup collecting?
This can form the start of a “data map.” The concept of data mapping can be found in GDPR’s requirement to keep a “record of processing activities”. Although California’s CCPA does not require this record, in effect, companies need to have the data mapping done in order to act on many of CCPA’s other obligations. So it’s a good idea for new companies to start building this data map from the get-go. A company can keep this “map” in a variety of forms (maybe simplest is in a spreadsheet).
Some things to think about include:
- Don’t forget about data that might come not directly from a customer, but from a partner or some other source.
- Consider all data fields — don’t assume a piece of data is not subject to privacy laws. For instance, CCPA now considers as “personal information” some unexpected things that traditionally were thought of as anonymous, for instance: records of products or services purchased or considered and cookies/other tracking technology.
- There will be a new definition of “sensitive personal information” in California’s CPRA that includes things like financial account information, genetic information, precise geolocation, and racial/ethnic/religious beliefs. Although the laws are not harmonized around what is considered sensitive, be aware that all data is not treated equally.
- Data collected from kids has special rules (for instance, COPPA, and CCPA).
2. Is any “extra” data being collected?
It is very common for startups to not know exactly what they will be doing. It can be tempting to collect things that the company “might” need. But there is a concept of “data minimization” in data protection law, which requires companies to only collect data that is needed for a specific business purpose. If you do identify “extra” data that is being collected, consider stopping this practice or thinking about the real purpose behind the collection.
3. How is data being used? Is any data being used for “high-risk” activities?
Start with a basic list of uses. Common uses include account opening, providing the services, and servicing an account, but every company will be different.
“High-risk” activities should be paid special attention to and this is an area where expert advice is key. While there is no single checklist of what is considered “high-risk”, the GDPR has a framework related to data protection impact assessments that can be useful. Also, thinking about what might seem “creepy” or surprising to customers is a good lens. Just a few examples of activities that may be high-risk:
- Building customer profiles for advertising or other targeted use
- Facial recognition or other use of biometrics
- Use of AI to make automated decisions
5. What kinds of security measures is the startup taking?
Because a lack of security can result in data breaches, a startup should pay close attention to its tech setup and access rights. Questions to ask include:
- Who can access customer data?
- Where and how is it stored?
- Is data encrypted?
- Do you have procedures in place for dealing with a data breach or other issue with data?
6. What contracts are we signing with other companies that involve data?
Contracts for all kinds of things get signed at the beginning of a lifecycle of a company. If a startup is either getting data from another company or giving data to another company, these contracts should be tracked and understood from the getgo. Contracts are required under some data protection laws in order to make it clear what each party is responsible for. Questions to ask about contracts include:
- What do contracts say about data protection, privacy, and security generally?
- Are there specific restrictions in any contracts around what can be done with the data? If so, what, practically, is being done to make sure controls are in place?
- Are there any breach notification requirements in the contracts?
Although a more mature company may use a sophisticated contract management system, really all that is needed to track contracts is a simple spreadsheet.
7. Where is the startup operating? What are the geographic expansion plans?
This is a gating question, as it will guide what laws apply to the company. Make sure this is well understood and expansion plans are tracked, so that as the company grows and expands, compliance and customer trust can grow along with it.
8. How will the startup make sure it thinks about privacy and data protection going forward?
Above all, startups should understand that privacy and data protection is an ongoing endeavor, not a one-time checklist to go through. Revisiting practices often and staying on top of the constantly changing laws in this area is certainly a challenge. See the resources below for a few places to bookmark. Start a bookmark folder, subscribe to newsletters about privacy and security, listen to podcasts — there is no shortage of information out there to keep up on.
Good luck to all of the startups in their endeavors!