Why Startups Can No Longer Afford To Ignore Privacy:(Part 4 of 4)

This is the last of a four part blog series examining the issues that startups face with meeting their privacy requirements.  The first blog post was a reprint of an article I published along with Frank Vargas of Rimon Law in the New York Law Journal discussing the subject.  In that article, we listed a number of concrete steps that companies (and their lawyers and advisors) can take to meet privacy regulations early.  In this fourth blog, I will cover those steps in more detail in this final blog.

Unlike larger more established companies, early-stage companies need to have simple and cost-effective ways to address their privacy risks.  They will not have a privacy team in place, and typically will not have a general counsel.  Often, they will not even have an outside lawyer in place with specific privacy expertise. But there are some steps that the startups can take:

1. Review business model and product for high privacy risk

Review the startup’s business model, go to market plan, and product/technology in order to understand whether the startup falls into any ‘high-risk’ categories.    Does the business model depend on selling or sharing of personal information?  If so, then it important to do a data flow review and discuss technologies to protect data.  In addition, the company should plan for how it will get truly informed consent for the sharing or selling of personal information, or whether it must avoid selling or sharing in some jurisdictions.  For example, GDPR requires express informed consent by consumers to any sharing of their personal information.  The rules for what constitutes consent, how it can be withdrawn, what rights the consumer has thereafter, etc. are complex.  In some cases, it may make sense for a startup to just avoid sharing data or selling data in the EU initially, while testing it in the US where the rules are less stringent (but not non-existent).

2. Review financing/acquisition plan

Discuss the startup’s plans for financing to determine when the proper policies and practices need to be in place to avoid lengthy due diligence processes.  Some startups start the security and privacy process work needed over a year before a targeted acquisition, with an eye toward minimizing the due diligence issues, reducing the number of representations in the purchase agreement, and eliminating holdbacks of the acquisition payment for security or privacy breaches.  Even if the acquisition or investment is imminent, there are some steps that a company can take with its legal advisors to smooth the process.

3. Determine which privacy regulations apply

Understand what legal regulations the startup will be subject to in its first year of product delivery based on its business model and go to market plan.  Startups can work with their legal/privacy advisors to determine which states and countries the company will be subject to privacy laws of.  Knowing the rules and when you will be subject to them is a first critical step.

4. Get cyber insurance

Evaluate cyber-insurance early and determine when and whether such insurance is possible and what policies that startup needs to have in place in order to qualify for it.  If the startup waits until someone is demanding that they have cyber-insurance, then it is already too late.

5. Do a Privacy Impact Assessment

Perform a privacy impact assessment early to understand the privacy risks that are most likely for the startup and put a plan in place to address the highest risks.   This is an important first step in developing a privacy plan.  Startups don’t have to invest a fortune in privacy practices or changes to their products.  Instead, they should know and focus on the highest risks, given which regulations apply to them and what their customer expectations are.  This risk assessment can then become a prioritized plan for implementing critical privacy and security capabilities that will give you the most bang for the buck.

6. Document Dataflows/Classify Data

Understand and document the product/technology’s dataflows and assess whether there are high risks associated with these dataflows.  This is important to understanding where personal information and sensitive personal information is being collected, processed, stored, and transferred.   Each of these steps is restricted under privacy regulations.  Technology can be applied to reduce these restrictions in many cases.  

7. Implement privacy policies and notice/consent screens

Put customized privacy policies in place for website and software applications and ensure that customers and partners are consenting to these policies.  For tech startups, the most important reason to implement these before the product is completed is because it the most time and cost effective time to do it.  At no future time will it be as easy to correct even simple mistakes in how data is collected, processed, stored and transferred.  This is the essence of privacy by design.  

A good privacy project for a startup would encompass all of the above steps.  Talk to your lawyers or privacy advisors to get their help.  In future blogs we will provide some case studies of startups that have completed these steps for their unique businesses.

The Bottom Line

You know what they say:  “Privacy early and often”.  For startups this imperative will lead to more investment and lower risk.  But, it will also lead to a better designed product, quicker sales, better customer trust, and a more advantageous acquisition down the road.  Most importantly, the quickest and cheapest time to implement privacy is at the beginning.