In their rush to bring products or services to market, many startups overlook their legal obligations. For startups, overlooking privacy and data protection can be extremely costly. The costs arise from late-stage system redesign and development work and from regulatory fines, particularly under the European Union’s General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018. For the most serious infringements, GDPR fines may reach 4% of total worldwide annual turnover or €20 million, whichever is higher. The fines attach to infringements of the regulation, not only to breaches; a company that has ignored its privacy obligations is exposed whether or not it has been breached.
To avoid such penalties, startups should implement “data protection by design and by default” from the outset. This is an explicit requirement of the GDPR (Article 25), and it should be combined with the startup’s other legal, contractual and voluntary obligations, such as ISO 27001 and similar frameworks.
1. Compliance Risk Assessment
The first step is a compliance risk assessment: inventory the legal, contractual and voluntary obligations that apply to the startup’s processing, rate their criticality, and use that prioritization to drive the actions that follow.
2. Privacy Impact Assessment
A Data Protection Impact Assessment (DPIA) is required where processing is likely to result in a high risk to the “rights and freedoms” of the data subjects whose data the startup processes; for a new startup it is prudent to assume this applies. The DPIA’s requirements and nuances are set out in Article 35 of the GDPR and in the Article 29 Working Party’s DPIA guidelines (WP 248).
3. Privacy by Default Architecture
After understanding the potential privacy risks inherent in the data processing, the system should be designed to minimize the data collected, delete data when no longer required for its original purpose, give access to the data subject, and give individuals control over how much data is shared with other organizations. The design principle in each of these areas should be construed to maximize the data subject’s privacy, not the processor’s anticipated benefit. Decisions, rationale, and resulting actions should be documented and maintained for each system to be revisited as part of the required DPIA process.
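The following is an added example, not code from the original article, showing what the four design principles above look like when enforced in code rather than in a policy document: each field is declared against the purpose that justifies it and a retention period, collection of undeclared fields is refused (minimization), records are purged once their purpose’s retention has elapsed (deletion when no longer required), the data subject can export what is held about them (access), and onward sharing defaults to nothing unless the subject consented to a named partner. The purposes, field names, retention periods and the `PrivacyByDefaultStore` class are illustrative assumptions chosen for the example.

```python
"""Purpose-bound personal-data store: an added illustration of data protection
by default. The purposes, fields and retention periods below are constructed
for the example and are not drawn from the GDPR text."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset      # the only fields this purpose justifies collecting
    retention: timedelta   # how long the purpose needs the data


# Constructed example purposes: fulfilling an order needs little data and keeps
# it for half a year; marketing needs separate data and keeps it for a month.
PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment",
                                frozenset({"email", "shipping_address"}),
                                timedelta(days=180)),
    "marketing": Purpose("marketing",
                         frozenset({"email", "browsing_history"}),
                         timedelta(days=30)),
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime
    consents: set = field(default_factory=set)  # partners the subject allowed


def undeclared_fields(purpose: str, data: dict) -> set:
    """Fields in `data` that the declared purpose does not justify collecting."""
    return set(data) - PURPOSES[purpose].fields


class PrivacyByDefaultStore:
    def __init__(self):
        self._records = []

    def collect(self, subject_id, purpose, data, now, shared_with=()):
        """Store data for one purpose; refuse anything the purpose does not need."""
        if purpose not in PURPOSES:
            raise ValueError(f"no declared purpose: {purpose}")
        extra = undeclared_fields(purpose, data)
        if extra:
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        self._records.append(Record(subject_id, purpose, dict(data), now, set(shared_with)))

    def purge_expired(self, now) -> int:
        """Delete records whose purpose-specific retention has elapsed; return the count."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if now - r.collected_at < PURPOSES[r.purpose].retention]
        return before - len(self._records)

    def export_for_subject(self, subject_id) -> list:
        """Subject access: everything held about one person, with purpose and date."""
        return [{"purpose": r.purpose,
                 "collected_at": r.collected_at.isoformat(),
                 "data": dict(r.data)}
                for r in self._records if r.subject_id == subject_id]

    def share_with(self, subject_id, partner) -> list:
        """Onward sharing: only records the subject consented to share with this partner."""
        return [dict(r.data) for r in self._records
                if r.subject_id == subject_id and partner in r.consents]
```

The useful property is that the privacy decision is recorded once, in `PURPOSES`, and every code path is forced through it; a developer who later wants an extra field has to justify it against a purpose rather than quietly widening a schema, which is exactly the documented, revisitable decision the DPIA process expects.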
4. Assignment of Responsibilities
5. Privacy Safeguards
To support the “privacy by design” architecture, controllers and processors must identify the administrative and technical safeguards they will implement. These should first be written down as policies and other process documentation appropriate to the organization’s size and the scope of its processing. The policies should state management’s intent to implement, monitor, and enforce the privacy safeguards.
6. Technical Safeguards
Article 32 requires the controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Common technologies used to protect privacy include tools that:
- Map data flows
- Map devices and networks
- Identify and track assets
- Control access
- Secure the network perimeter
- Encrypt data in-transit and at-rest
- Secure servers and endpoints
- Identify malware
- Prevent data leakage and exfiltration
- Log and aggregate security incidents
- Restore the availability and access to personal data
- Manage the consent lifecycle
Privacy by design cannot be sustained without a process for regularly testing, assessing and evaluating the effectiveness of the privacy safeguards, which Article 32 also requires. A monitoring plan should be developed to ensure continuous security of the data processing. The plan should define the scope, methods, roles, frequency, and reporting or escalation procedures. Implement and execute the monitoring plan to drive continuous improvement of the privacy safeguards. Where monitoring uncovers a personal data breach, the risk owner and other stakeholders should collaborate to determine whether external notification is required: under the GDPR, notification to the supervisory authority is due within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to data subjects, and affected individuals must be informed where the risk is high.
Monitoring results need to be analyzed to determine the root cause of any deficiency. Once analyzed, remedial actions should be developed, communicated, implemented, and documented. Remediation should be tested to ensure it fully addresses the identified risk.
11. Where to Begin
Implementing privacy by design should be viewed as an organization-wide process. Establish a cross-functional governance structure to educate key stakeholders, including the Board. This body should drive the privacy program to ensure its success and continued operation. Privacy professionals should be consulted where the organization lacks clarity or needs assistance with program design. Developing the data privacy program under the direction of legal counsel establishes a relationship with a trusted legal adviser and better prepares the startup for future incident response, breach notification, and potential litigation.