Privacy requirements and considerations should be identified and addressed in the development lifecycle.
By Alexandra Ross (Senior Counsel, Paragon Legal)
In the hectic early stages of a technology startup, privacy issues may not always be top of mind.
As many startups don’t have the luxury of relying on the advice of in-house counsel, much less a privacy or compliance officer, founders are tasked with making sense of this seemingly complex topic.
Ideally, companies should be able to achieve their strategic initiatives while incorporating appropriate legal and compliance guidelines. This article should make the fundamental concept of “privacy by design” more comprehensible – and actionable.
Privacy by Design
Just as an architect creates a blueprint for the construction of a building, technology founders create a design – their business plan – in order to accomplish certain goals, satisfy a set of requirements and conform to certain constraints. The concept of “Privacy by Design” means that privacy is an integral part of any business plan and the subsequent development of products or services, whereby privacy requirements and considerations are identified and addressed throughout the development lifecycle.
Privacy by design is a central characteristic of the March 2012 Federal Trade Commission’s (FTC) recommendations for businesses and Congress about the collection and use of consumers’ personal data. The FTC encourages companies, as a best practice, to build privacy protections into the foundations of their businesses and services.
These privacy protections should include:
- Data security (Is data properly transferred and stored?);
- Reasonable collection limits (What information is collected? Is the collection optional or required? Is there a business need for the information?);
- Sound retention and disposal practices (How long is data retained?); and
- Data accuracy (Is user information correct? Can users access and modify the information retained about them?).
How to incorporate “Privacy by Design” into your technology:
- Designate personnel in your company that are responsible for your privacy program.Executives should provide leadership and prioritization to effectively plan, build and implement privacy by design features as well as to inspire and communicate them to the organization. Your legal and compliance personnel (or outside counsel) can provide guidance on legal and regulatory requirements, industry self-regulatory practices and other policy issues. Marketing and Sales should understand company privacy policies so that they properly collect, use and share any user information. Your technology team including CIO, product development and engineers, should understand how to properly code and develop products and services to align with company policies.
- Develop an internal privacy risk assessment process that covers product design and development as well as employee training.
Incorporate threshold questions regarding the collection, use and sharing of information into your business requirements and development documents. Communicate your company’s privacy principles at new hire orientation, post privacy materials on your intranet and conduct periodic computer based learning on privacy issues.
- Implement controls designed to mitigate identified risks.
Consider a compliance process that defines low, medium and high risk activities and technology functionality and the accompanying levels of review. Here is an example of how that might work:
- Low risk activities such as basic information collection or direct marketing may only require business review and documentation;
- Medium risk activities like online behavioral advertising or internal data analytics may require the completion of a privacy checklist and review by legal and compliance; and
- High risk activities like collection and use of location or biometrics data may require a more thorough privacy impact assessment, review by legal and compliance and approval by a privacy committee comprised of representatives from legal, IT and executives.
- Conduct appropriate oversight.
- Periodically evaluate and adjust your privacy program.
Include privacy topics in the discussion during your annual business planning and budgeting process.
Effectively incorporating privacy by design into your technology will provide a series of checks and balances to promote compliance with your privacy program. It will also send a clear signal to VCs that your company is mature and forward-thinking and to users of your technology that their privacy concerns are taken into consideration.
Editor’s note: Got a question for our guest blogger? Leave a message in the comments below.
About the guest blogger: Alexandra Ross is Senior Counsel at Paragon Legal, working onsite on a project basis with clients such as Avon. Previously, as Associate General Counsel for Wal-Mart Stores, she managed privacy law and compliance for domestic and international ecommerce, marketing, social media and mobile initiatives. She is a certified information privacy professional and practices ecommerce and privacy law.