Five Questions for Data Privacy and Security
Internet companies navigate through a flood of user data. These huge amounts of data present companies with fundamental strategic decisions – what user data should companies collect? How can the collected user data contribute to the business goals of the company?
However a company decides to answer these initial commercial questions, investors will quickly follow up with another question: does the company protect the privacy and security of its users? Users have entrusted the company with their personal and private data. A failure to maintain adequate privacy and security controls can cost the company a loyal user base. Moreover, a company that neglects privacy and security can find itself in the crosshairs of a regulatory investigation or staring down the barrel of a lawsuit. Investors will want to know that the company is in compliance with applicable privacy and security law, especially if the company's business plan depends on the monetization of user data.
But getting privacy and security right can be expensive and complicated. Startups often don't have the time and resources to make sure that all the details of their legal boxes are checked. So startups should prioritize to make sure that they handle the most important issues. Here are five questions where startups should focus their limited energies:
1. What Are You Doing? All companies need to have a good grasp of what data they collect and how they are processing that data. Both Israeli and foreign data protection law requires companies to document how and why they are collecting data, and how that data is being protected. Such data mapping can be the key to ensuring that your data is being adequately protected, and can be essential to show authorities that you are taking your responsibilities seriously.
2. Who Is Doing it? Limit data access to the individuals in your company that really need to use and manipulate the data. Also, ensure that you are not providing data to your vendors or subcontractors if they don't require access to that data. This can also help you ensure that the consequences of any data breach are minimized.
3. Where Are You Doing it? Data protection laws can restrict the transfer of data between countries. You need to know what country your data is coming from, where you are storing it, and where you will be transferring it.
4. Are You Doing it With Encryption? Use encryption! The more the better! When you are storing data and when you are transferring data! If data is encrypted, then even if you experience a data breach the consequences will be limited. Data breaches may also need to be reported to the relevant authorities, but you may be able to avoid that requirement (and the ensuing public relations fiasco) if the data is encrypted.
5. Do it Again! Revisit your privacy and data security plan regularly. Make sure that your plans reflect how the company is actually running its business. Make changes as needed to keep your plans up to date. And investigate these issues more fully when you have the funds and resources to do so. Data privacy authorities will expect more from companies that have greater resources to invest.
The resources available to a startup can be limited. Even if you can't perform a full legal review of your data and privacy plans right away, you should keep these questions in mind. Building your business on the right foundations of privacy and security can prevent expensive legal hassles in the future.