Imagine it’s a few years from now. Things are going well with your startup. You’re doubling your customer numbers year-on-year. Investors are interested, and term sheets are drawn up. Then, someone mentions a data compliance audit.
That’s what happened to the French HealthTech Alan, which announced a €185 million fundraise at a €1.4 billion valuation in 2021. Luckily, it passed the audit with flying colours and secured that much-coveted unicorn status.
But had the founders not paid attention to privacy when they were growing the business, they could have been in trouble.
In the fast-paced world of growing a startup, it’s easy to forget about the importance of laying the right foundations early. But getting privacy wrong can be expensive – not just in terms of lost investor deals, but through reputational damage after a data breach, or significant fines imposed by the UK regulator for a breach of the UK General Data Protection Regulation (GDPR).
Getting privacy right is important but it doesn’t have to be complicated. Here’s where to start.
Train your people
The overwhelming majority (88%) of data breaches are down to human error, and it’s a risk that’s increased with the shift to hybrid working. Online fraud rose by 70% during 2020, with criminals taking advantage of employees working from home. Research has found remote workers are more susceptible to impersonation attacks, where hackers encourage individuals to share sensitive data or transfer money. Privacy training programmes are also easier to implement when you’re overseeing a team of 20, rather than 200, and more effective because privacy becomes culturally ingrained as the business grows. Make sure you provide frequent opportunities for refresher sessions, and that everyone feels able to report incidents without fear of repercussions.
Do your own audit
As startups collect insights through technologies such as AI, machine learning and the Internet of Things, they can quickly become overwhelmed by swathes of Big Data. This can cause real problems when it comes to privacy. Start by doing your own audit, investigating the information your business collects, how it’s processed, where it’s kept (and for how long) and what happens when it’s no longer needed. This exercise will help you improve processes so that employees can only access the data they need, and make it easy to be transparent with customers about what happens to their personal information.
Take a pause before sharing data externally
It’s becoming common for startups to share data with each other. But it’s important that you only share information with companies that take privacy seriously. If a data breach happens and affects your customers, you can still be liable to a hefty fine from the regulator. Consider whether it’s necessary to share customer personal information externally at all. If it is, conduct a risk assessment and put an appropriate agreement in place before you begin working with a new partner. If they appreciate the importance of privacy, they’ll be happy to answer your questions.
Lead from the front
As the founder of a startup, it’s important that you make clear that privacy is important to you and the rest of the leadership team. Talk about it in executive meetings, set KPIs, and track progress. Prioritising privacy is frequently used as a competitive advantage, as seen with Apple’s recent changes to its privacy policies and the accompanying advertising campaign. Treating data with the respect and care it deserves leads to better business decisions, greater innovation and more insightful go-to-market strategies.
Commit to this for the long term
Privacy isn’t a one-off project, or a tick-box exercise that can be shoved to the back of a drawer. It’s not just the responsibility of the IT department, or General Counsel. Everybody in a startup needs to play their role in championing a culture of continuous privacy compliance, even as the business scales and evolves. If they do, you’ll have the confidence that you’re keeping your customers, investors and the regulators happy.