The Globe and Mail ran a story recently where they claimed that “start-ups don’t care about privacy,” even in this post-Snowden era. I was bemused by that statement.
I’ve advised start-ups even in the pre-Snowden era, and smart ones took privacy seriously because they realised that getting it wrong could damage their brand or affect their ability to deliver a return to their investors. Really smart ones tried to figure out how to make it part of their USP (unique selling proposition).
The article contends that “years of prizing growth over privacy” has led to complacency. I agree. The cloning of Silicon Valley start-up culture in start-up incubator and accelerator programmes around the world is partly to blame for this state of affairs. The success of “poster boy” businesses that grew to be behemoths before the privacy bug was detected in their code is another factor. Historically paltry penalties haven’t helped either.
Imagine this scenario: You’ve taken your redundancy cheque and ploughed it into a business idea, funding the development of a prototype for your personal data-sharing web service. You’ve bet the farm on it. But when a potential investor runs due diligence over your business, they spot a small problem: The data sharing you propose to do is illegal, and the data you’ve already got was obtained illegally. Your business is going nowhere, and you have no money left.
Or, worse yet, you get the investor money and go live with your service only to have someone complain to a privacy regulator who orders you to delete your customer database, which is probably the only asset your business has at that time.
It’s a scenario I’ve seen happen.
Disruption is another buzzword in the Silicon Valley start-up lexicon. Right now one of the biggest disruptions is the trend toward data privacy. There are laws now and they’re growing rapidly. Many are modelled on the EU Data Protection Directive, with some already incorporating elements inspired by the draft EU Data Protection Regulation. Penalties are increasing. The regulation will set penalties at a level that would bury even a well-funded start-up, so data privacy issues will soon have to be a feature in the risk assessments businesses.
Post-Snowden we are seeing a number of innovative companies emerging to provide more secure communications technologies. Threema and Silent Circle are just two that spring to mind, but there are many more trying to disrupt industries with more privacy-enabling solutions. Add to this the increased privacy focus of established players in mature markets and privacy is an essential part of the value proposition for any innovator.
My solution is “smart bootstrapping,” and the keys to it are Privacy by Design and privacy engineering.
I’ve used these methods for a number of years on projects, but I just called them data governance and information quality. I advise start-up clients to consider privacy in two contexts during planning and design.
- Business Plan:
- PESTLE Analysis: Include Data Protection/Privacy as part of the PESTLE analysis you do for your start-up. You have done one of those in your business plan right? So you have something to back up your “to-infinity-and-beyond” sales projections? PESTLE analysis requires you to look at some of the social and legal aspects that might affect the business. Data protection is one of them.
- Headcount and Resource Plan: Have you considered if you’ll need a data protection officer/chief privacy officer? How much does one of them cost? Can you outsource? When would you need one? Can you get an advisor now and grow in-house resources?
- Target Markets: What markets are you targeting? Singapore has a data privacy law now. It’s a doozy. Are you ready to comply with it? What about the 700 million people in the EU—do you want their euros?
- Technical Design & Coding: Apply Privacy by Design/Privacy Impact Assessment
- The key term in “Minimum Viable Product” is VIABLE. Do a PIA on your proposed processing and figure out where the risks are then take simple steps to mitigate those risks. Figure out some governance early, before things go wrong.
- Understand basic requirements for compliance and prioritise protecting personal data. When faced with a choice between paying to salt your popcorn or your passwords, spend the money wisely. Engineer for the right level of privacy as you grow. Don’t just ignore it.
If the argument is that start-ups don’t care about privacy, we need to urgently look at what they are being told to care about by their incubators and the start-up culture. The Globe and Mail quoted an Ontario-based accelerator that didn’t include privacy issues in its curriculum. The same is true of almost every incubator and small business start-up training programme the world over. I’ve been through an incubator programme and spent more time on how to approach banks for finance then on fundamental privacy principles needed to run a compliant business.
Incubators and accelerators need to evolve their syllabi to meet emerging requirements of the market. Perhaps former Ontario Information and Privacy Commissioner Ann Cavoukian will teach Privacy by Design at that incubator in her home state of Ontario?
I know I’m knocking on the doors of incubators here to try and get more done to get start-ups ready for the coming changes. I invite other privacy pros to join in this disruption!
If you want to comment on this post, you need to login.