In startups and early-stage companies, working as a Privacy Advisor, Privacy Lead, DPO or in a similar position often means being a member of a small team, although the word "team" can be a misnomer: you are most likely the key player, if not the only one, when it comes to privacy compliance.
This means you are pushed extra hard to be versatile, reliable and productive, because the whole company relies on the work you do. Tight resources, the need to be extremely agile and the hyper-focus on the maxim "act fast, fail fast" only add fuel to the flames. Working successfully in an in-house privacy role therefore requires an operational approach to every aspect of privacy compliance. It may feel like a circus-level juggling act. But it can be done!
So how can you have a practical approach to privacy compliance while helping your company design and release products and services? Here are a few things to consider.
It goes without saying that in order to run an efficient privacy program, you must understand fundamental privacy principles and how they apply to your organisational structure. Every organisation is unique.
Developing a functional governance model requires considering every part of the business: sales, legal, engineering and so on. You need a thorough understanding of how the business processes actually operate. A successful privacy program reflects the size and structure of the organisation, focuses on driving business objectives forward, and makes recommendations that help the different functions manage and mitigate the risks with the greatest consequences.
Privacy and information security professionals therefore need to engage with the overall organisational strategy and understand what the business is trying to achieve in order to design the best data management approaches. Privacy should be seen as an ally: product and feature development shouldn't be perceived as being held back by it.
Before developing an organisational strategy, identify the "values" the business wants to advance. Take the time to understand your company's culture, its risk appetite, its level of privacy knowledge, the data life-cycle, the systems, processes and tools in place, and the values that drive it.
In addition, I recommend understanding the following about your organisation:
Pro tip: A step further is to embrace privacy as a competitive advantage and to position yourselves as privacy champions, which requires a commitment to protect your customers' privacy beyond the minimum required by law. Going privacy-first can also drive revenue: asking customers for their preferences directly gives you better data for personalisation, and customers are more likely to trust the brand.
Having one dedicated person for data privacy or information security is great as they can focus exclusively on creating internal privacy and security policies and practices. But even the best-written policies can fall short if there is no effective implementation.
To protect the whole company, the majority of staff needs to be risk-aware and to follow some fundamental rules. Even if most of your team understands the rules they must follow, the few who do not can jeopardize the security of the entire company and the data you manage.
Ironically, once practices are shared and applied by everyone and your team's awareness is high, the number of reported privacy-related issues will grow, because people now recognise and escalate what they previously missed. Since it is almost impossible to be completely protected from security threats and privacy concerns, having processes that define how to handle them makes dealing with issues far more transparent and efficient.
Bonus tip: As the boundaries between personal and professional life become more permeable, especially with BYOD and remote work, it is essential to educate individuals about the privacy and security concerns that go beyond the conventional office setting.
It may seem pointless to plan in great detail when things change quickly in a startup. However, it is crucial to plan ahead, to get involved in discussions early, and to act as the consumer's champion while teams are creating their products and services. That means raising potential problems the teams may not have fully considered.
Make sure that you check in with your teams regularly. You should review the policies and procedures in place frequently, proactively, and without waiting for a crisis to arise.
Don't put off reviewing them until there is an issue or a breach. With a continuous review procedure in place, you will identify and prevent potential issues more effectively. It is also important to prepare in advance for the effects your privacy practices and policies may have on the business under current and future regulatory environments, as not everybody in the company will have the time, skill or mindset to do so.
Bonus tip: Building a privacy-focused culture is easier while your organisation is still young and your team is small. When the team grows and you onboard new people, you can then rely more on peer learning and build on the foundation you have already laid.
To get your whole team on the same page, it's essential to provide basic Privacy Awareness Training that covers the fundamentals of cybersecurity and privacy best practices. The goal of such a program is to train and manage the "human aspect" of privacy programs, which is often the weakest link in security systems. Getting the message across to every team is therefore instrumental.
Your training materials might cover all the right points, but if you don't speak your team's language they will quickly fall short. If the program is too general and offers no useful advice relating to people's daily work, it won't create value and you will struggle to get engagement. For instance, include the privacy concerns specific to marketing CRMs for the marketing team.
Before designing the training program, get input from the different teams about their present level of knowledge and the areas they find particularly challenging or want to develop further. Gathering such feedback doesn't require complex procedures or systems: a simple survey (for example, a Google Form or Typeform) with a few well-structured questions will suffice.
While you are at it, don't forget to make it fun. Get as practical as you can, organise quizzes, use interactive tools and gamify it if you have the budget. Research indicates that training which incorporates user-friendly tools can make difficult topics easier to understand (Hanus & Fox, 2015). A training program's retention (Gros, 2007) and engagement (Calliari, 1991) can be improved by using games, which can also encourage people to think critically about their behaviour and to make better decisions on the topic (Adachi and Willoughby, 2013).
Bonus tip: Don't overdo privacy training; leave some space between sessions and plan them at periodic intervals. Cybersecurity fatigue is real! If you raise cybersecurity and privacy issues too frequently, your team will likely become overwhelmed and lose the motivation to apply what they learned in their daily work.
Compliance with privacy laws can be a difficult, drawn-out procedure, and 100% compliance is somewhat utopian. Compliance with the relevant data protection laws is an ongoing process that calls for continuous progress, not a one-time job, especially since the field is still growing and there is "breaking news" almost every other week. It is a journey every organisation must take in order to build a sustainable privacy program.
Disclaimer: Opinions expressed in this article are solely my own and do not express the views or opinions of my employer.
Adachi, P.J. and Willoughby, T. (2013) “More than just fun and games: The longitudinal relationships between strategic video games, self-reported problem solving skills, and academic grades,” Journal of Youth and Adolescence, 42(7), pp. 1041–1052. Available at: https://doi.org/10.1007/s10964-013-9913-9.
Calliari, D. (1991) “Using games to make learning fun,” Rehabilitation Nursing, 16(3), pp. 154–155. Available at: https://doi.org/10.1002/j.2048-7940.1991.tb01202.x.
Gros, B. (2007) “Digital Games in Education,” Journal of Research on Technology in Education, 40(1), pp. 23–38. Available at: https://doi.org/10.1080/15391523.2007.10782494.
Hanus, M.D. and Fox, J. (2015) “Assessing the effects of gamification in the classroom: A longitudinal study on intrinsic motivation, social comparison, satisfaction, effort, and academic performance,” Computers & Education, 80, pp. 152–161. Available at: https://doi.org/10.1016/j.compedu.2014.08.019.