“While external privacy disclosures and internal privacy programs can legally function as a defensive measure, your privacy strategy can also be proactive and a differentiator for your business. This is especially true if your business is aiming to disrupt or put out a tech-forward product, where there will be new frontiers of privacy to consider.”
In these times, businesses are increasingly data driven and privacy regulations are continually being updated to keep pace. As an entrepreneur, of the many operational checkpoints that come with starting and growing a business, managing your privacy notices and programs is something that can fall by the wayside. But given the increasing scrutiny from a privacy standpoint from investors, regulators, and the public at large, early attention to and investment in sustainable privacy practices can pay dividends as you grow and avoid some potentially disastrous pitfalls.
What is Privacy and Related Considerations
Privacy is really a spectrum depending on the stage of your business. As a startup founder or someone who is involved in the early stages of a company, your privacy focus is going to be different than if you were at a mid-stage or late stage company. You will have different budgetary and resource constraints, and your risk profile may vary.
As it relates to risk on the privacy front, one key element to consider is whether you are in a regulated area (e.g. healthcare, fintech, education, etc.) – if so, then additional privacy regulations may apply to you and your regulatory risk exposure will be higher, compared to a company that is not in a regulated vertical. You should also consider your risk exposure generally; for example, are you in stealth mode where few people are accessing your product, or do you have a large and rapidly growing user base? In the latter case, your exposure and privacy risk will be much higher.
Understanding your data collection and use, as well as your privacy risk exposure, is going to fundamentally inform how you conceive your data privacy strategy, including external disclosures and operational program practices. Especially in the early stage where resources are often limited, efforts to establish a privacy program is not a revenue generating activity, so understanding the privacy risk specific to your business will help you balance how much to invest in data privacy early on.
External disclosures are an important part of any privacy program and in many cases are required under applicable privacy regulations. These disclosures serve as an external notice regarding how you collect and use personally identifiable information (PII).
What is PII?
Personally identifiable information (PII), which may also be called personal data or personal information, is a key concept when it comes to data privacy. PII refers to any information that can be used to identify a natural person or be reasonably associated with a natural person. This includes obvious identifiers such as names, emails, phone numbers, but can also include unique device identifiers, and information held in combination with other information where such combination can be used to identify a person. Most companies will encounter PII fairly early on, but the disclosures you will need to make will vary as your business grows.
At the very early stage, in addition to identifying what PII you need to collect and how you will use it, you should also identify what regulations are applicable to your business. Privacy regulations typically are industry-specific or jurisdiction-specific, especially in the United States. It may be helpful to work with outside counsel on identifying applicable regulations.
As your business grows, the disclosures you will be required to make will increase, largely because (i) the number of privacy regulations your business is subject to will likely increase as you scale and (ii) your risk tolerance will decrease as you have more at stake when it comes to liability. Your scope of disclosures will usually evolve from a basic privacy notice to a strategic framing of how your data collection and data practices fit into regulations you are subject to. You will need to navigate the specific privacy regulatory framework applicable to your business and optimize your external disclosures and documentation from a risk mitigation standpoint.
Concurrently, as you scale, you will also start to see the limit of external disclosures and how they are just one aspect of a successful data privacy strategy. Internally, you will need privacy programs in place to meet the commitments you are making in your disclosures, as well as to prevent data breaches and other negative events from happening.
When it comes to internal privacy programs, you should, at a baseline, know your business and how it relates to the use and collection of PII. For example, are you directly collecting PII from consumers, or are you mainly a service provider to other companies who may send you PII for processing? By understanding your role and place in the data chain of custody, you can better design an appropriate privacy program.
For a successful privacy program, the place to start is with information security – which is to say, you need to have controls, technology, and processes in place to protect the data you have and to allow you to use it a secure manner. Once you have a reasonable security program in place, the next step as you grow the business is to layer in more mature processes – this can be informed by commitments you are making in your privacy notice, vendors and partners you are engaging with where PII may flow to or from, as well as evolving regulatory obligations. At the very early stage, it helps to think of the privacy program as growing in layers alongside your data collection and use, that way you are always looking ahead at the next layer to avoid accruing excess privacy risk or spending unnecessary resources. Otherwise, you may end up accumulating “privacy debt”, which will be costly to resolve later on and exposes you to risks which along the way may materialize as negative business impacts.
You should also consider, starting from the early stage, privacy by design from a product standpoint. Specifically, consider what data you need to collect to be successful and only collect what you need. This is useful to reduce the amount of data you collect and consequently the obligations and risk that come with holding excess data. Privacy regulations also increasingly require that you have a legitimate interest or purposes for collecting any PII, so documenting these purposes earlier on can benefit you later on, especially in the context of an exit transaction such as an IPO or acquisition.
As you move out of the early stage and you have revenue worth protecting, you should consider investing in a privacy program and potentially also cyberinsurance. However, these later steps are most successfully built upon an early and strong foundation where you have established an appropriate information security program and you are documenting how and why you collect PII, and what you are using this PII for.
Privacy as a Differentiator
While external privacy disclosures and internal privacy programs can legally function as a defensive measure, your privacy strategy can also be proactive and a differentiator for your business. This is especially true if your business is aiming to disrupt or put out a tech-forward product, where there will be new frontiers of privacy to consider.
Your data privacy strategy can differentiate you in many ways. It can be an operational differentiator, as businesses tend to slow down when they are dealing with privacy issues, such as security threats, data breaches, or bad publicity regarding their privacy practices. It can also be a regulatory risk differentiator, which is especially significant when it comes to investors and in exit transactions. Finally, it can also be a reputational risk differentiator, impacting your ability to sell to customers. If your company has bad publicity regarding its data privacy practices or security, then customers may not want to engage you or buy from you. In contrast, if you hold yourself to a higher standard than you competitors, then a customer may choose you over a competitor for that reason.
On the flip side, failing to implement an adequate data privacy strategy can be potentially disastrous for your business. It can result in security breaches or other unauthorized use or disclosure of PII that you hold, which in many cases will have a quantifiably negative impact on your revenue numbers.
Draw Your Roadmap Early
Your data privacy strategy needs to be designed into your product roadmap and overall business strategy from the beginning. It should encompass external disclosures, internal programs, as well as strategic considerations from a marketing communications or PR standpoint. At the very early stage, even though you may have limited cash and other resources, you can still: (i) identify what product you want to create, what data you need to collect, and how you will use this data, (ii) put together some basic required legal disclosures for your business, and (iii) put in place reasonable information security measures. From there, you will have a foundation where you can layer on and build out a successful and sustainable data privacy strategy.