Privacy Strategy: How to avoid expensive privacy pitfalls
A few approaches your company can take to manage privacy compliance risk
Privacy has been consistently in the headlines for the last decade. As I’m writing this article, there are two privacy incidents that my colleagues are talking about - 23andMe’s data breach involving ancestry data of millions of their subscribers and Carta’s data breach allegations leading to Carta shutting down its trading platform. Both incidents had significant financial and reputational repercussions to these mature and financially viable businesses.
From my experience as a General Counsel to data heavy technology companies, privacy issues that lead to expensive pitfalls arise largely out of the strategy that the company takes when it comes to compliance. Every approach has had its advantages and disadvantages, and can be more applicable to different stages of organizational maturity. For the purposes of this article, my target company profile is a privately held technology B2B or B2C organization selling globally.
I will first evaluate three possible approaches: 1) Customer driven/reactive approach to privacy compliance; 2) Proactive: Values Driven/Privacy by Design; 3) Passive: Wait and See Approach. Then I will share some key points to think about when you, as a founding team, decide on which approach is best for your company.
1. Customer driven/reactive approach to privacy compliance
This approach is the most common across companies of all sizes, industries, and customer profiles. Typically, product design is done by knowledgeable engineers who follow most security best practices, but without much consideration for privacy by design principles or applicable privacy regulations.
In the beginning, the company is able to get away with having a Privacy Policy (there are a lot of crowdsourced templates out there), and there doesn’t appear to be a serious need to address any of the privacy regulations. This may continue for a little while, until one day the company either receives a customer inquiry about their privacy practices or a request for production from a prospective customer. When the IT and the product teams are not able to respond with satisfactory answers, the leadership team starts feeling the pressure of the need to address privacy specific compliance issues and reaches out to the lawyer (hopefully, a privacy one).
What happens next? Usually, an expensive legal and customer success fire drill. The privacy lawyer evaluates the company’s product and vendors, puts a data map together (an inventory of all of the different data types, their origin, what is being done with this data and why, and how it’s being used and stored by the product/company), and determines which privacy regulations apply to the company’s specific product offering.
The remedial measures can be as simple as drafting and/or amending privacy policies and customer agreements. Or they can be as drastic as opening new data center(s), parting ways with customers, switching vendors, and even making changes to the product itself. The former will usually run a company a few thousand dollars in legal bills and will require some operational changes. The latter will require substantial legal expenditures, vendor fees, general business disruption, and countless engineering hours.
2. Proactive: Values Driven/Privacy by Design
There are companies that put privacy at the heart of their product design, their general operations, and sometimes even the company culture. If you approach it from this perspective, privacy becomes heavily integrated into the core of the company’s operations, and the privacy principles will guide the product roadmap, go to market strategy, and even marketing (Apple is a great example of “selling” privacy).
Taking a values based approach means getting appropriate privacy counseling from the inception of the product and building internal facing and external policies with privacy in mind. This approach also anticipates regulatory compliance requirements in advance of entering specific markets. For example, a cloud based software company that wants to sell to public services companies in Indonesia will need to open local data centers to comply with Indonesia’s data localization requirements.
From the overall impact on legal and operational spend, this approach may cost more upfront, but over time it will allow the company to gradually invest in a comprehensive privacy program. There should be an anticipation of the initial ramp-up push that may take up engineering and product team hours, as well as some initial investment in legal and compliance hours. However, once the core privacy mechanisms are established, the incremental spend on privacy will stabilize. Some other advantages of this approach are: lower risk of regulatory scrutiny and fines, smooth sailing through customer audits, and differentiation from the competition on the market. Oh, and let’s not forget - peace of mind.
3. Passive: Wait and See Approach
When evaluating options, it’s important to evaluate a “do nothing” approach. What if we just wait and see what happens? In my experience, it is possible to stay somewhat clear of privacy regulations for a period of time without getting detected by customers and regulators. However, I have yet to see a technology company that doesn’t address privacy or can survive without any privacy program at all. Privacy compliance is shared between companies and their customers, vendors, partners, and the whole technology ecosystem. Sooner or later, privacy questions will arise and your approach will most likely move towards “reactive” as I outlined earlier. However, the cost of compliance might snowball the longer you wait, and if privacy vulnerabilities become public knowledge, it may be catastrophic to your business and reputation.
Which Approach to Take?
All in all, each organization decides which approach to take, and the approach will largely depend on a number of factors and questions. A few that could provide the initial framework are:
What data types is my organization using, collecting, and storing? Is my company dealing with any personal information (any piece of information that could identify a person), any sensitive data (special categories of data - biometric data, racial/ethnic origins, political/union/religious affiliations), or any specially regulated data (financial, health, children’s personal information, information pertaining to education records, etc.)?
If the product uses minimal personal information, de-identifies the personal information that it receives, and does not store or process sensitive or specially regulated data in any way, then your business can most likely get away with a more reactive approach. If your product deals with sensitive data, specially regulated data, or large amounts of personal information, then choosing the proactive approach should be at the forefront of your strategy. A single security event, negative article, or regulatory investigation can be extremely damaging.
What national and state regulations is my company subject to?
If you want to sell into the European Union, Canada, Australia or any other country with comprehensive privacy regulations, the proactive approach is a regulatory requirement. The proactive approach will also help you plan which countries you should and should not be selling to due to data localization requirements. The same logic applies to US states with comprehensive data privacy regulations, such as California, Virginia, or Colorado.
What is the nature of my product, who is my customer, and who am I competing with? When it comes to privacy, perception of the product and the company being privacy centric may have a serious impact on growth, sales, and competitiveness. If your customers care about privacy, then building the company proactively with privacy in mind is a competitive necessity.
Every company will take its own path to privacy compliance. The key is to determine which one makes the most sense for your specific business and to be ready to reevaluate it as the business grows and transforms.
Disclaimer: The information in this blog post ("post") is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice of the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient's state, country or other appropriate licensing jurisdiction.