Privacy Top 5

Building a privacy program is the clearest example of the Pareto Principle, aka the “80/20 rule” – that 80% of results come from 20% of inputs. Privacy laws are complex and achieving 100% compliance is hard. For the typical early-stage company, here’s where to start:

1. Basic analysis and planning. Know what personal data the business holds and what laws apply to this data. No compliance effort can succeed without a foundational understanding of your privacy obligations.

2. Website privacy notice. This is the window into your company’s privacy program and its biggest source of liability. Make sure it is accurate and up to date. While a well-drafted privacy notice is not a guarantee of compliance, a poorly drafted one makes it painfully obvious to the world that you can’t be trusted with personal data.

3. Marketing use restriction. While there are some gray areas, using personal information that was collected for another purpose to market to those individuals without their consent makes it very obvious and annoying that you don’t respect their privacy.

4. Respect marketing opt-outs. Whether the law requires opt-in consent or opt-out only, nothing will get you angrier complaints than marketing to someone who has requested to unsubscribe or opt-out from your marketing.

5. Don’t be creepy. You don’t need a privacy expert. If people tell you that your product or business practice is creepy, don’t do it. It’s probably a serious privacy violation.


Where to focus next:


6. Security Security Security.

7. A rigorous compliance gap analysis and remediation plan.

8. Privacy training for employees.

9. Nailing your contract privacy terms.

10. Appoint a DPO (if required).

11. Adopt a written internal Data Privacy Policy (not your external Data Privacy Notice(s)).

12. A basic data subject request handling process (if occasional DSRs are an issue).


When the goal is perfection:


13. Comprehensive data mapping and inventory.

14. Run a fully-staffed and funded privacy program conforming to recognized standards and frameworks.

15. Get the board to pay attention to privacy.