Every day new technology startup companies are created that have found creative and innovative ways to harness data. Artificial intelligence and machine learning have allowed startups to create products that lead to more customized experiences, greater customer conversion rates, and many other useful purposes. While bringing these products to market quickly is vitally important for startup founders, it is equally important for those founders to understand the regulatory implications of their new technology.
Over the last five years we have seen a huge proliferation of privacy laws that regulate how companies collect data, how they use it, how they store it, and how they protect it, especially sensitive data or personally identifiable information (PII). There are now data breach notification laws in every state in the US and in practically every developed country.
To make matters more complicated, the laws that have been enacted impose many different requirements, so complying with one is rarely sufficient to meet the requirements of another, and failure to comply can result in massive penalties. The regulatory complexity has become so onerous that last year the Chief Executive Officers of 51 tech companies signed a letter to Congress asking for a federal law that would preempt all of these diverse requirements.
As a startup founder you may think that you do not have to worry about these regulations because regulators are only focusing on big companies like Google and Facebook, but is it really worth the risk if failure to comply could end your business? Additionally, if you are a B2B startup and want to do business with a big brand-name company, those bigger companies impose the same requirements on their vendors. Here are a few representative examples: BestBuy, Ericsson, and Adobe.
While paying outside counsel to sort through these issues is the safest option, it is also the most expensive approach and may not be realistic for an early-stage company. In the interim, there are a number of things startups can do to build the foundation for a solid privacy program that will pay dividends as the company grows. Here are some basics that every startup should consider:
1. Privacy by Design
It is much easier to build in privacy from the beginning than to try to retrofit privacy considerations after the fact. While the framework is a little dated, these 7 Foundational Principles written by Ann Cavoukian are a great starting point.
2. Data Inventory and Data Mapping
Just as fundamental as the architectural diagrams you build for your tech stack, it is vitally important that your company knows the who, what, when, where, why, and how of its data: how it is collected, used, stored, moved, and deleted.
3. Privacy Policy
It is tempting to simply copy and paste a policy from another company, but it is important that the policy your company puts in place truly reflects how your company handles personal data, and equally important that the policy is updated as your company’s practices evolve.
4. Incident Response Plan and Tabletop Exercises
It is not enough to simply plan to call outside counsel after a cyber attack or privacy incident occurs. Many of the breach notification regulations have short timelines: for example, GDPR requires notification within 72 hours.
Before experiencing an incident, your team should design a plan that takes into account internal and external policies, the regulations that apply to your company, and all the contractual obligations you agreed to follow when you signed agreements with customers, suppliers, and business partners. In addition, these plans need to be updated frequently as those obligations change, and your team should regularly practice the plans you put in place.
Whether your organization is just putting together these foundational aspects of its privacy program or is already a large multinational, BreachRx allows organizations to stay fully up-to-date on regulatory changes and to keep track of the various contractual responsibilities that come into play when handling an incident.
By having an automated and dynamic solution for incident response, our customers are able to exceed customer and regulatory expectations and thus minimize the fallout from the inevitable events that will occur. Implementing the BreachRx platform is the fastest way to achieve a best-in-class incident response approach.