Ten Privacy and Data Security Mistakes Start-Ups Should Avoid (Part II)

8. Copying the privacy policy of the business next door

Start-ups often hope to “save” on legal costs by simply copying the privacy policy of another website without fully understanding what it means, or ensuring that the document describes accurately the start-ups policies and procedures. The borrowed document is likely to tell someone else’s story other than that of your company. It will describe the neighbour’s practices, which may be significantly different from those of your company, or, worse, may be illegal. From a legal standpoint, this may end up constituting misrepresentation, which can be prosecuted by a state Attorney General and the Federal Trade Commission and in some states by competitors for “unfair or deceptive practices.”

If you were to run a marathon, would you borrow your neighbour’s shoes? No. You would be concerned that they would not fit you. You would fear that you could be hurt and be unable to continue for the entire distance. Similarly, a borrowed privacy statement likely will not fit your company and may significantly hurt you in your race to the customer. It will not reflect your company, its values, its practices, or its objectives. It will state commitments other than those you would want to make.

9. Making representations that they don’t understand

It is true that legal documents may be long or difficult to read. That is not an excuse for not reading them with a critical eye. Privacy statements of some tech start-ups state “we will never sell your personal data.” This might be their intention at a particular time, but it fails to take into account that the company or a portion of its assets might be sold. An asset deal may be blocked because the main asset of the company is its database, and per the statement in the privacy policy, the database of personal data cannot be sold.

10. Misunderstanding the effect of anonymisation

When discussing personal data protection, it is common to hear:  “We don’t have any personal data, our data is anonymised, and it cannot be tied to an individual.” This is a significant mistake. While it might have been true, a long time ago, that anonymisation prevented the association of a particular individual to a particular data set, this is no longer the case. In the world of data analytics, big data, semantics and other tools, there is no such thing as anonymity. Too often, a competent data scientist will be able to crack the anonymisation shell in a short time.


Be proactive from the start

It is clear that technology start-ups need to be proactive about privacy and data security from a very early stage. Small size and limited means are not valid excuses.

  • Pay attention to your practices and procedures when handling personal data and sensitive business data.
  • Take the time to build and maintain a data map that identifies what data is expected to be collected and from whom, and how the data is expected to be used, stored, transferred and destroyed.
  • Design a data privacy and security program that addresses your company’s compliance obligations and ensures adequate data protection.
  • Translate this program into clear and accurate public disclosures about your company’s practices.
  • Periodically revise the program to take into account the developments in the company and its business. Train your staff, employees and independent contractors, so that they understand their obligations.
  • Do not procrastinate and wait for the day when you need to respond to a due diligence questionnaire.

Leave a Reply

Please Login to comment
Notify of

Enjoyed the article?

Get notified of new articles and relevant events.

Thanks for subscribing!

Pin It on Pinterest

Share This