In part three of this quarterly series, Stephen Bolinger, CIPP/E, CIPP/G, CIPP/US, CIPM, who spent years at tech giant Microsoft, shares some of the strategic and tactical decisions along the way as a first-time CPO at start-up TeleSign--where he also serves as general counsel.

In the first two columns of this series, we looked at developing a privacy policy, training employees and nurturing a culture of privacy within your company. In this column, we’ll look at some of the ways in which small companies and startups can use privacy strategically.

When I refer to strategic privacy, I’m referring to leveraging core privacy issues to: develop an external reputation for privacy awareness, compliance and innovation; enable more efficient legal contracting, and drive, or at least influence, key public policy topics that have business value to your company.  

Building your privacy reputation

Many privacy professionals truly believe in the individual and societal value of privacy and enjoy working in positions that allow us an opportunity to help ensure privacy rights are protected. And it's great to be working in a time where so many organizations around the world are becoming increasingly aware of the business value of a reputation for privacy awareness and compliance.

The first step to establishing this type of reputation for your company is to work your professional contacts and build your professional network. Individually, you can do this by attending conferences, making professional connections and posting key takeaways on social media to increase your own thought leadership position. Joining IAPP as a corporate member and sharing our experience through this series of articles are some examples of how my team is helping TeleSign raise its profile within the privacy community.

In addition to those things we can do as individual CPOs, broader campaigns on privacy topics can be effective. 

At TeleSign, we feel strongly about the importance of two-factor authentication, which is why we recently surveyed individuals to find out their password behaviors and their perspectives on two-factor authentication (2FA). The output of this study showed us that a majority of people (68% to be exact) wanted the extra account protection of 2FA, but many didn’t know how to go about turning it on for their accounts. This led us to launch a broad consumer-focused campaign called Turn It On, aimed at educating consumers on the benefits of 2FA and how to turn it on for many of the most popular websites today. By connecting our survey with this online resource to help people be better protected online, we’ve created a compelling narrative that continues to make an impact in the broader industry discussion on best online security practices today.  

The way we’ve approached our privacy and security terms at TeleSign is by first looking at what large cloud services providers offer to their customers. What we have found is the industry has come a long way from a couple sentences requiring appropriate security measures to protect data.

Putting your best contractual foot forward

For companies working in the business-to-business space, a tremendous amount of time can be spent negotiating privacy and data protection terms. Small companies find even greater challenges because they simply don’t have the clout to insist on certain provisions for the sake of consistency.

For a startup or small company to act strategically with its contractual approach to privacy, it should anticipate the desires, and especially the requirements, of its (generally much larger) customers and incorporate those into its standard contracting terms. By doing so, it can both convey a level of understanding and expertise to its customers, as well as improve the speed with which it can close deals.

The way we’ve approached our privacy and security terms at TeleSign is by first looking at what large cloud services providers offer to their customers. What we have found is the industry has come a long way from a couple sentences requiring appropriate security measures to protect data. Many B2B service providers today are offering robust and comprehensive security commitments, as well as proactively offering data protection terms such as the EU’s Standard Contractual Clauses to address cross-border transfers (especially in the context of Safe Harbor’s detractors). By looking at the large players in the industry, we can get a good sense for what our customers will be expecting and tune our contractual terms accordingly.

Working with academics on public policy

Considering how much money the large tech companies spend on lobbying efforts, it’s understandable that startups and small companies will face great challenges having a voice in public policy issues.  Nonetheless, there are opportunities to participate even if you can’t afford a team of lobbyists.

There are an increasing number of privacy and security academics today, which is a sign of the maturing of our profession. These academics are springing up not only in legal fields, but also in computer science, sociology and economics, creating both broad and deep areas of expertise. Academics are innately curious and are traditionally expected to research new issues and publish findings. 

Startups and small businesses can work with these academics to participate in or raise the profile of certain public policy issues. At TeleSign, we believe that two-factor authentication will eventually displace reliance upon a username and password alone for protecting user accounts. With that point of view, we wanted to see some research into the regulatory landscape around security measures for user authentication—specifically around the expectations of regulators. We knew that any research into this topic would be extremely valuable for us and for the advancement of the marketplace if it was conducted by respected academics.

In order to identify the right academics, it is important to do some research of your own to see who is publishing on topics similar to your company’s areas of focus.  You can gain a good sense of their interests and views on particular issues by reading their existing work. For us, we reached out to leading data protection and privacy scholars in Europe and the U.S. who had experience looking at data security issues. Their resulting work—Data Security and Multi-Factor Authentication: Analysis of Requirements Under EU Law and in Selected EU Member States and Should the FTC Kill the Password? The Case for Better Authentication, respectively—has further developed our, and our industry’s, understanding of the current landscape in security measures for user authentication and the direction in which we may be headed from a regulatory standpoint.

It’s important to remember that academic integrity is of the utmost importance when working with academics. In that regard, you should discuss with them the questions you want researched and even the type of output you’re looking for (e.g., an opinion piece, a journal article, a formal research paper, etc.), but you must accept that their conclusions are beyond your control. You should also expect them to question your motivations for funding the research. To help keep our intentions clear, we funded the research up-front, before any work had begun, and we made a clear commitment that the academics were free to reach any conclusion supported by the research.

Strategic conclusion

After implementing your privacy program and addressing privacy from a compliance standpoint, startups can begin to be more strategic with privacy. By pursuing one or more of the approaches above, you can help raise your company’s privacy profile, increase the speed with which you close deals and grab a seat at the crowded public policy table.

These are just a few of the ways in which TeleSign is being strategic with privacy.  I’d love to hear from you, fellow privacy professionals, on the programs and initiatives you have in place to ensure privacy remains of strategic value to your executive team and your board. 

Miss the first two installments of this series? Find part one here, and part two here

Engineering via photopin (license)