Privacy is a human right. With all the reasons startups fail, ensure privacy isn’t one of them.
Nigel Jones, ex-Google lawyer and now co-founder of the Privacy Compliance Hub, says the early days of founding a growing startup are the perfect time to get your ducks in a row when it comes to privacy compliance
It’s easy to get caught up in the fast-paced world of building a startup. Most entrepreneurs start with the spark of an idea, or a problem they think they can solve. They hire engineers to build a product. They start attracting customers and/or clients and make plans for future growth, investment and features on the product roadmap. And they begin to collect data. But it’s rare that they’ve stopped for a second to think about privacy.
That’s a problem. Because privacy really matters.
And it’s down to businesses of all sizes and from all sectors to protect this fundamental human right.
Making a public commitment to privacy is good for business too. A whopping 92% of the British public say they feel uncomfortable about the number of businesses that collect data about them, and 41% say they’ll never return to a business after a breach. Investors are interested as to whether companies are complying with privacy laws, and place emphasis on this factor when doing due diligence. Falling foul of the UK General Data Protection Regulation (GDPR) can, after all, cause significant reputational damage and come with heavy penalties. The Information Commissioner’s Office (ICO) has the power to fine a company up to 4% of its worldwide turnover, or £17.5m (whichever is higher), for breaches of the UK GDPR. It has also recently gone public with its intention to name and shame companies moving forward.
With that in mind, here’s how startup leaders can prioritise privacy from day one.
Focus on your people
It’s easier to build an effective privacy culture when you’re overseeing a team of 50 rather than 500. And with 88% of data breaches down to human error, it makes sense to centre your privacy programme on the people within your organisation. Make sure there’s a comprehensive training strategy in place, with frequent refresher sessions. That’s particularly important with the shift to hybrid working, as phishing attacks are increasing in frequency and complexity. Once your team is big enough, appoint privacy champions in every department to keep compliance on the agenda. When employees understand privacy, they care about it and are willing to play their part in protecting it every day.
Consider your processes
The influx of Big Data has opened up endless opportunities for innovation in the startup world. But it does become problematic when it comes to privacy, not least because many businesses quickly become overrun by information. Start with an audit of what personal data the business collects, how it’s processed, where it is kept (and for how long), and what happens to it when it’s no longer needed. This exercise will help you streamline workflows to ensure that data is being processed in accordance with the law at every stage. You’ll also have the information you need to be transparent with customers about the data you’re collecting and why – a key requirement of the UK GDPR.
Be careful about sharing data externally
It’s a fact of modern day business that organisations increasingly share data with each other. But the UK GDPR requires you to only share personal information with companies that take privacy as seriously as you do. If one of your partners has a sloppy approach to compliance, which leads to a data breach that affects your customers, you risk a hefty fine and reputational damage. Ask the question whether it’s necessary for personal information to be shared externally at all. If it is, make sure your team is doing the necessary due diligence and that there’s an appropriate agreement in place before you start sharing data with another organisation. The buck always stops with you, even if a breach is solely down to your partner’s actions.
Get the executive team on board
Too often, privacy is seen as the responsibility of an IT or legal lead and not something that involves the entire organisation. Employees are more likely to follow your lead if you make it clear that this is something you and the rest of the leadership team cares about. Give privacy a seat at the top table by adding it to the agenda of board meetings, and appoint a key person to take ownership of driving progress forward. Someone needs to be able to look ahead and ask, what are the implications of what we’re building – in the short, medium and long term? It’s always better to build well in the first instance, rather than try to mend the dam after it’s sprung a leak. In fact, it’s a legal requirement under the UK GDPR.
Commit to developing a culture of continuous privacy compliance in the long term
Privacy isn’t a tick-box exercise that’s over before it’s begun. It’s an ongoing effort that will become part of your startup’s culture. Getting privacy right in the early days means customer data will be kept safe and treated with the respect it deserves as the business grows and adapts. That boosts innovation – when employees know exactly what they can and can’t do with data, they feel empowered to act. It builds your reputation as an ethical company, among customers and your future talent pool. And it puts you in the best place to expand into new markets or services, and scale faster than your competitors.
Keen to make sure you’re compliant? Take your free 10-minute GDPR health check here.
Cherry Martin
