Supporting many brilliant Start-ups that are ready to launch their new services, we also noticed that there are similar misconceptions on privacy and data.
We thought it will be useful to share this with you, hoping it will be useful to avoid the most common mistakes.
1) “It is all anonymized”
If you think that your Startup does not deal with personal data, it probably does.
Personal data is not simply an email address, and there is no such thing as anonymization if a data scientist can retrace back the original information in due time.
In most case, anonymization is impossible, or economically inefficient. So here is the first point: it is much better to have a good privacy policy that spending money and time to “try” to anonymize data.
2) “Business first, privacy afterwards”
Many Startups think they can pass unnoticed to privacy regulators in their early stages. Beware: just because you run a small business does not mean you cannot cause big damage. Often it is the procedure that you put in place- and not the amount of data you are dealing with- that triggers the infringement of data protection rules.
Regulators do have their eyes wide open, but you should know that the first ones to object to a breach are your own customers. Apart from fines, loosing clients’ trust is ultimately one of the biggest damage you can do to your business.
Moreover, a successful Start-up may receive an offer from a larger company. A contract of this type will require the Startup to be compliant with current regulations: adapting a business model that is built on inadequate privacy standards will prove to be hard. Sometimes the business plan is so engrained in a unlawful data management that its structure cannot be adjusted: and that is why to get advice from a privacy professional before hand is a very smart idea. Don’t have the money? Read below.
3) “We don’t have the money”
A Startup at its early stages needs just some legal guidance from a privacy expert, and not necessarily a full on consultancy that will emit an expensive privacy policy. It is much more economically efficient to be advised at this stage than having to adjust- if at all possible- your business model because of privacy inadequacy.
For example, Aphaia starts with a special rate for Startups at 50 pounds an hour, that will allow a new born company to assess its privacy needs. Basically, a compass to put a business on the right direction.
4) “Let’s copy paste a privacy policy”
Sometimes copy-pasting privacy policy written for a similar looking business is a real temptation.
However, a small difference in a business model can translate in a very big difference in legal terms.
Moreover, the services that you may outsource will not come necessarily from the same providers; the use of data that you will put in place may be different in scale or scope, and your customers may be different as well. Like spectacles, you want your privacy policy to be the rigth focal length: it will allow you to extend your business model as far as you can.
5) “Let’s collect all the data we can, it will be useful”
In legal terms, there is a balance to be struck between privacy and business interests. Collecting every personal information you may gather is not necessarily a smart move: you may be asked to justify why you did so.
6) “All data published on social media are the same”
No, they are not! It is important to draw a distinction and to master it: it will allow you to avoid “sensitive” data and to collect more data that you think on other realms.
7) “I use a cloud provider, I am not responsible”
Your choice of a cloud provider, as well as the level of safety you can offer in sorting data, can be crucial for compliance.
8) “I don’t understand privacy regulation, my lawyer does”
Although privacy may seem- we agree – a painful headache for no-experts, the key concepts are easy to grasp, and a good consultant will first and foremost empower you.
He/She will give you the tools to understand when a new move could entail a privacy risk- basically, you’ll be able to ask yourself the right privacy questions.
9) “I am outsourcing services to third parties, so I am not responsible”
Many Startups think that outsourcing some services means also transferring the responsibility of treating their data lawfully. This is not the case. The company who first collects the data remains responsible for the data.
If at all, other companies involved in the data process may gain responsibilities too: but it does not mean that your Startup is not liable in case of inadequate use.
10) “Privacy is just a cost”
Last but not least, Start-ups tend to think that drafting a privacy policy is a just a cost.
Let us surprise you: a good privacy policy does not just stop you from sourcing “bad” data: it also enables you to make full use of the data you gather and process.
We call this approach ‘smart compliance’: be in compliance allows you to extend your business model even further.
