Regardless of the size of a company, allocation of resources is of the utmost importance. Many established companies realize the importance of having privacy programs in place, especially public companies or those looking to IPO or be acquired. But early stage startups may not realize the possible consequences of not having a privacy program. This may be because management believes its resources are better allocated elsewhere, as they cannot afford a “privacy person,” or they do not understand how privacy impacts their business. I’m sure many of us working at early stage startups have heard some variation of these rationalizations when we brought up privacy. I know I have. It took time, numerous conversations, and education for my team to understand why privacy was so important to the economic success of the company.
In this article, I will share with you some methods I found helpful on how best to have these conversations and begin implementing a proactive privacy program with an early stage startup.
Lunch anyone?
Many privacy professionals will tell you that their first task will be to evaluate, identify, and fix any privacy compliance issues the company may have. However, with early stage startups, before you can get to work on addressing any privacy compliance issues, the company must first realize the need for a privacy program. Therefore, the larger overarching matter will be to ensure that every employee, especially those in management and product teams, realizes the importance of having a privacy program.
The best way I found to educate my co-workers on privacy matters was to create allies within the company who thought of me as credible and knowledgeable. When I joined my startup, I knew that I could not get onto my privacy soapbox on day one and preach the need for privacy. I needed to build trust and rapport with my co-workers first, otherwise I may quickly be ignored.
Therefore, I decided that getting to know my co-workers on a personal and professional level was critical to creating effective allies. I began going to lunch with them and asking questions about their projects, even offering help after hours. After a few weeks of building relationships, I started asking how privacy intersected with what they were doing. When no one seemed to really know, I did lunch-and-learns and discussed general privacy matters and how non-compliance could greatly impact the future of the company.
After a few lunch-and-learns and weeks of building trust with my co-workers, they began to see me as an ally who was there to help them succeed. My co-workers then began to understand the role privacy played in the success of the business.
What do you really need to implement?
Concurrently, while I was building my credibility and reputation with my co-workers, I also started assessing what our privacy program should entail. At an early stage startup, a privacy program will likely be simple, as a highly developed program may be unnecessarily costly and time-consuming at this point, unless you are dealing with data from European citizens and need to be GDPR-compliant. (If you are dealing with European citizens' data, you should and can still implement these techniques, but there may be additional requirements you will need to comply with.) During this assessment, I looked at the type of information we currently collected and what it was used for, and projected what the company may do with this information in the future so that the privacy program could grow along with the company.
From there, I looked at what was absolutely necessary for our startup. As great as it is to have a fully developed program from the beginning, my company, as well as many other early stage startups, cannot afford to spend thousands of dollars to create this type of program. What I ended up deciding was that a solid privacy policy that was properly integrated with the terms of service was necessary. We also needed a strategy for how we would handle the collection of data, how to handle marketing (whether through opt-in or opt-out practices), a general response procedure in case of breach, and overall employee education. By starting with these areas, I knew we would be able to easily implement an affordable privacy program that could scale as the company grew.
Each company’s privacy needs will be different, but I have found that this is a good place to start.
After implementing my process, it was time to address the most formidable aspect of the implementation of a privacy program: getting the funding to move forward.
Though some items of the privacy program do not have a cost, such as creating a company culture that allows employees to take ownership over privacy matters, there will still be an expense. Therefore, I sat down with the founders and had a discussion on what implementation would look like and how much this could actually cost. At this meeting, it was critical for me to address that though this may cost more initially, in the end it would likely be more cost-effective. I addressed how the consequence of being non-compliant could be huge – emphasizing the fines, especially for each CAN-SPAM Act violation. I found that when I broke it down into how much the company could actually be liable for and how that could quickly use up all a company’s funding, I made a huge impact.
Additionally, I mentioned how non-compliance could be a hindrance to the economic growth of the company as it could prevent future fundings, IPO or acquisition. In the end, I stated that it can come down to this: If you do nothing now, you will pay a lot more down the road, as opposed to paying a little now.
During this meeting, I also proposed a solution as to how this privacy policy could be implemented in an affordable manner. If they did not want me to do this, we could find a privacy intern that was IAPP-certified, minimizing the need of a specialist or a law firm reviewing the policy, or we could hire an outside company which specializes in drafting privacy policies. I also stated that a privacy team was not needed at this moment; only someone who is knowledgeable and wants to further learn privacy matters.
In using all of these techniques, I have been able to build out a privacy program that is appropriate for the size and scope of our startup. When it comes to building out your privacy program, keep in mind more is not always more: Only implement a policy that works for your company and that you can build as the company grows.