For startups struggling to turn engineering smarts and sweat-equity into the next big headline acquisition, privacy issues may not be at the top of the to-do list. It’s not surprising that developing new product releases, growth hacking, and securing funding all rank higher than a thorough consideration of best privacy practices.
Jonathan Latsky, founder, CEO and Chief Privacy Officer for Envirolytic Insights Inc., says in a recent article for The Globe and Mail about privacy priorities for startups,
“It is in my experience very rare that an entrepreneur leads [with] or even has much of a concept as to what privacy is all about.”
For early-stage companies with scarce resources and a lack of privacy expertise, the challenges of implementing Privacy By Design can be somewhat daunting. In the same article, Ann Cavoukian, Ontario’s former Information and Privacy Commissioner, says,
“It’s not that startups don’t care about privacy – they don’t know how to do it, how you embed this stuff into the design. People have to talk to them and show them that this isn’t that complicated and this is what you can do and things of that nature.”
How do you encourage startups to consider privacy a priority?
When every dollar and every development hour counts, how do we communicate to startups that privacy matters? How do we translate the ways in which sound privacy practices can mitigate risk and even provide an edge in a crowded market?
1. Promote awareness. It’s vital for startups to understand the fundamental data privacy compliance obligations. There are profound legal and reputational risks for non-compliance including litigation, negative PR, user abandonment, and brand damage.
2. Highlight the benefits. It’s more efficient to build a foundation of privacy by design up front than it is to retroactively integrate secure, functional privacy practices in a slapdash code base. What’s more, touting this company direction early on can help establish trust with early adopters and force competitors to revisit their own privacy practices.
3. Integrate it in the culture early. There’s very little downside to a company culture with leadership dedicated to privacy by design. This foundation can pay big dividends later on. A recent Forrester Report blog post, “Customer Privacy is a European CIO Priority,” mentions how “privacy regulation is now a topic that no CIO should underestimate as a major risk factor for business,” and “the CEO, and ultimately investors, will hold the CIO responsible for ensuring customer privacy with technology tools that protect customer data.” Make privacy a seamless part of the strategy and mission statement of your company – a sustainable priority.
4. Train employees. This means embracing the HOW of privacy implementation and operations. The International Association of Privacy Professionals (IAPP) offers a variety of training and certification programs for Certified Information Privacy Professional (CIPP) credentials.
The IAPP has expanded its offerings to bring data privacy concepts to IT, security, engineering and data management professionals. The CIPT (Certified Information Privacy Technologist) is a certification centered on securing data privacy at all stages of IT product and service lifecycles. It covers:
• Critical privacy concepts and practices that impact IT
• Consumer privacy expectations and responsibility
• How to bake privacy into early stages of IT products and services for cost control, accuracy and speed-to-market
• How to establish privacy practices for data collection and transfer
• How to preempt privacy issues in the Internet of Things
• How to factor privacy into data classification and emerging tech such as cloud computing, facial recognition and surveillance
• How to communicate privacy issues with partners such as management, development, marketing and legal.
The CIPM (Certified Information Privacy Manager) certification covers organizational-level privacy program development and governance including:
• How to create a company vision
• How to structure the privacy team
• How to develop and implement a privacy program framework
• How to communicate to stakeholders
• How to measure performance
• The privacy program operational lifecycle
5. Widen the scope. Communicating the big picture value proposition of sound privacy practices can increase the number of startups focused on privacy. This means educating VCs and incubators on the importance of privacy by design and data privacy frameworks in the companies they choose to invest in.
Broadening the scope also means educating and empowering the next generation of founders and startup employees. There’s real opportunity in making privacy a cross-curriculum issue, touching engineering, law, and business school programs. For example, Santa Clara Law School is on track to offer a privacy law certificate beginning in the 2014 – 2015 academic year. It will require students to complete extensive coursework, professional fieldwork on privacy issues, a published paper on privacy topics, and certification from the IAPP.
Bolt-on privacy is not a long-term solution. The next successful generation of startups may just discover how baked-in privacy can give them a sustainable edge.