5 Privacy Must-Dos For Startups And Tech Companies
In the age of mass surveillance and big data analytics, why should startups (or any company) spend scarce resources on data privacy? Is there even any such thing anymore?
There is. And today, Data Privacy Day, is the perfect time to explore the very good reasons why every company, even scrappy startups, must invest in protecting it.
Why It Pays To Get Privacy Right
Privacy today is about the ethical handling and protection of personal data. It’s about initiating a relationship of trust with your customers and honoring that trust; it’s about being a good steward of users’ personal data.
61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.” Pew Research Center
New companies, new product developers, and new idea generators should — and must — care about privacy for one obvious reason: It’s the right thing to do. When users sign up for your service or purchase your product, they are entrusting you with the data they disclose. So, it’s important you respect that trust.
But if the ethical aspects of privacy don’t move you, maybe the business side will. Startups should care about privacy for these very practical reasons:
- It makes good business sense. Privacy not only enhances the user experience, but also, when handled well, helps you mitigate risk to your brand.
It comes down to this. Data privacy in 2016 is nuanced and complicated. People — as consumers, citizens, students, parents, patients, employees, and community members — face a daily array of trade-offs and options that affect their privacy in complicated ways. From apps, to connected cars, to electronic medical charts, to schoolwork and records, the privacy management challenges are overwhelming, and nearly impossible to navigate without an advanced CS degree.
91% of adults agree or strongly agree that consumers have lost control of how personal information is collected and used by companies. Pew Research Center
That’s why I think and passionately argue that the onus for privacy protection today — and lawmakers and consumer protection groups increasingly agree — must be on the companies that operate the products and services with which we interact.
How To Build In Privacy: 5 Action Items
Even if you haven’t considered the privacy implications of the products or services you’re creating until now, it’s not too late to get started. These basic action items will help any company build privacy-centric practices into its processes and culture.
1. Take An Inventory Of Your Data
Privacy begins and ends with the personal data you collect. It’s difficult to identify how to protect your users’ privacy or what your compliance obligations are if you don’t know what data you have and how it’s used. So, start by taking an inventory of it.
Your primary goal is to have a comprehensive view of how your organization is collecting, using, buying, and/or sharing personal data with other parties throughout the product lifecycle. Personal data includes one’s name, physical and electronic addresses, age, preferences, geolocation information, payment details, Social Security number (if applicable), and other like details.
To ensure accuracy and completeness, you’ll probably need to reach out to several different teams during this process: IT, engineering, analytics, marketing, and product teams are great places to start.
Tip: Start with these questions:
- Who are we collecting data from?
- How do we collect it?
- When do we collect it?
- Who do we share it with?
- How long do we hold on to it?
- How do we secure it?
- How (and when) do we dispose of it?
2. Review Your Data Inventory Findings
One of the most important questions to ask after your inventory is: Do we really need to collect everything we’re collecting? The most advanced privacy-centric organizations only collect the data they need. They practice what’s called data minimization.
Data minimization is a smart move because it can limit the amount of information your company holds (and has to secure and manage). It also can create a less intrusive sign-up process. Data minimization involves:
- Limiting the collection of personal data to only what you need for a specified purpose
- Retaining the data for only as long as needed to satisfy the specified purpose
Tip: Get key stakeholders together — from engineers to marketers, from product designers, to product managers — to agree on what data is truly needed for what purposes.
3. Study Consumer Protection Laws That Affect Your Business
Now that you’ve taken inventory of the personal data in your company’s care, you can better identify the laws and regulations that may apply. This action item requires significant research time. But researching the laws that affect your business will save you potential heartache, brand damage, and legal entanglements down the road.
Tip: Start with these sites:
- Federal Trade Commission and its Bureau of Consumer Protection and Business Center sites. There, you’ll find information about proper data handling, marketing, and ethical business practices. The FTC reports provide a wealth of information on how to avoid pitfalls in your industry, too. Don’t miss the recent report Big Data: A Tool for Inclusion or Exclusion, which provides insight into how to use big data responsibly.
- Given that it’s the most populous state, it’s a good idea to keep up with California law. The Business Privacy Resource Center and the Privacy Enforcement, Laws, and Legislation pages provide a host of information for start-ups and established companies.
It’s hard for a company to claim to be privacy-centric if the very document that speaks to their privacy practices is impossible for the average person to understand. Write your policy as if you’re explaining your practices to a friend.
Tip: Study these examples:
5. Educate And Train Your Teammates
Integrating a culture of privacy within your organization is an all-hands-on-deck process. So, it’s important that teams — from business development to engineering — understand how privacy laws, social expectations of privacy, and privacy best practices can affect your organization’s products and services. Driving privacy in an organization is as much about training as it is about privacy impact assessments and satisfying your company’s compliance obligations.
Tip: At Inflection, we’ve found that finding ways to mix fun into education goes a long way toward keeping privacy top of mind. Here’s how we do it:
- Every new hire takes a privacy training course that covers basic data security and privacy concepts and practices.
- Internal privacy education events, like privacy movie nights and speaker series, bring employees together.
- The quarter-long Privacy War Games challenge rewards Inflectionites for attending events, earning internal certifications, and other privacy activities.
- A privacy dashboard sits in the heart of our headquarters office to display everything from privacy news, to historical quotes, to customers’ comments, to privacy law excerpts to RSS feeds from consumer protection organizations, to, of course, the Privacy War Games leaderboard.
- Our internal certification program tests key employees (including customer service agents) on their knowledge of the privacy laws, trends, and regulations that matter most to our organization.
Start Today, Plan For A Data Privacy Journey
As you embark on these action items, keep in mind that building data privacy practices into your culture will be a process.
It takes time to update products and services that have already gone live. But you can start working today to ensure that the products and services your team creates going forward have privacy embedded from ideation to launch.