5 Privacy Must-Dos For Startups And Tech Companies

In the age of mass surveillance and big data analytics, why should startups (or any company) spend scarce resources on data privacy? Is there even any such thing anymore?

There is. And today, Data Privacy Day, is the perfect time to explore the very good reasons why every company, even scrappy startups, must invest in protecting it.

Why It Pays To Get Privacy Right

Privacy today is about the ethical handling and protection of personal data. It’s about initiating a relationship of trust with your customers and honoring that trust; it’s about being a good steward of users’ personal data.

61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.” Pew Research Center

New companies, new product developers, and new idea generators should — and must — care about privacy for one obvious reason: It’s the right thing to do. When users sign up for your service or purchase your product, they are entrusting you with the data they disclose. So, it’s important you respect that trust.

But if the ethical aspects of privacy don’t move you, maybe the business side will. Startups should care about privacy for these very practical reasons:

It comes down to this. Data privacy in 2016 is nuanced and complicated. People — as consumers, citizens, students, parents, patients, employees, and community members — face a daily array of trade-offs and options that affect their privacy in complicated ways. From apps, to connected cars, to electronic medical charts, to schoolwork and records, the privacy management challenges are overwhelming, and nearly impossible to navigate without an advanced CS degree.

91% of adults agree or strongly agree that consumers have lost control of how personal information is collected and used by companies. Pew Research Center

That’s why I think and passionately argue that the onus for privacy protection today — and lawmakers and consumer protection groups increasingly agree — must be on the companies that operate the products and services with which we interact.

How To Build In Privacy: 5 Action Items

Even if you haven’t considered the privacy implications of the products or services you’re creating until now, it’s not too late to get started. These basic action items will help any company build privacy-centric practices into its processes and culture.

1. Take An Inventory Of Your Data
Privacy begins and ends with the personal data you collect. It’s difficult to identify how to protect your users’ privacy or what your compliance obligations are if you don’t know what data you have and how it’s used. So, start by taking an inventory of it.

Your primary goal is to have a comprehensive view of how your organization is collecting, using, buying, and/or sharing personal data with other parties throughout the product lifecycle. Personal data includes one’s name, physical and electronic addresses, age, preferences, geolocation information, payment details, Social Security number (if applicable), and other like details.

To ensure accuracy and completeness, you’ll probably need to reach out to several different teams during this process: IT, engineering, analytics, marketing, and product teams are great places to start.

Tip: Start with these questions:

  • Who are we collecting data from?
  • How do we collect it?
  • When do we collect it?
  • Who do we share it with?
  • How long do we hold on to it?
  • How do we secure it?
  • How (and when) do we dispose of it?

2. Review Your Data Inventory Findings
One of the most important questions to ask after your inventory is: Do we really need to collect everything we’re collecting? The most advanced privacy-centric organizations only collect the data they need. They practice what’s called data minimization.

Data minimization is a smart move because it can limit the amount of information your company holds (and has to secure and manage). It also can create a less intrusive sign-up process. Data minimization involves:

  • Limiting the collection of personal data to only what you need for a specified purpose
  • Retaining the data for only as long as needed to satisfy the specified purpose

Tip: Get key stakeholders together — from engineers to marketers, from product designers, to product managers — to agree on what data is truly needed for what purposes.

3. Study Consumer Protection Laws That Affect Your Business
Now that you’ve taken inventory of the personal data in your company’s care, you can better identify the laws and regulations that may apply. This action item requires significant research time. But researching the laws that affect your business will save you potential heartache, brand damage, and legal entanglements down the road.

Tip: Start with these sites:

4. Write An Easy-To-Understand Privacy Policy 
Your privacy policy helps your users make informed decisions about your site because it tells them — among other things — how their information will be used, how it will be shared, and how long you hold on to it. Too often, privacy policies are long and complicated — two factors that discourage people from reading them.

But it doesn’t have to be this way. Posting an easy-to-understand privacy policy sends the powerful message that you care about whether people understand your data-handling practices. And this is equally important: Your policy serves as a window into your privacy program, and your company’s stance on it.

It’s hard for a company to claim to be privacy-centric if the very document that speaks to their privacy practices is impossible for the average person to understand. Write your policy as if you’re explaining your practices to a friend.

Tip: Study these examples:

5. Educate And Train Your Teammates 
Integrating a culture of privacy within your organization is an all-hands-on-deck process. So, it’s important that teams — from business development to engineering — understand how privacy laws, social expectations of privacy, and privacy best practices can affect your organization’s products and services. Driving privacy in an organization is as much about training as it is about privacy impact assessments and satisfying your company’s compliance obligations.

Tip: At Inflection, we’ve found that finding ways to mix fun into education goes a long way toward keeping privacy top of mind. Here’s how we do it:

  • Every new hire takes a privacy training course that covers basic data security and privacy concepts and practices.
  • Internal privacy education events, like privacy movie nights and speaker series, bring employees together.
  • The quarter-long Privacy War Games challenge rewards Inflectionites for attending events, earning internal certifications, and other privacy activities.
  • A privacy dashboard sits in the heart of our headquarters office to display everything from privacy news, to historical quotes, to customers’ comments, to privacy law excerpts to RSS feeds from consumer protection organizations, to, of course, the Privacy War Games leaderboard.
  • Our internal certification program tests key employees (including customer service agents) on their knowledge of the privacy laws, trends, and regulations that matter most to our organization.

Start Today, Plan For A Data Privacy Journey

As you embark on these action items, keep in mind that building data privacy practices into your culture will be a process.

It takes time to update products and services that have already gone live. But you can start working today to ensure that the products and services your team creates going forward have privacy embedded from ideation to launch.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.