In a Startup, Privacy Isn't Someone's Job, It's Everyone's
I'm putting the finishing touches on my e-book and I've been sending out early copies to some select folks to solicit feedback. Someone, who will remain anonymous, asked, "Why are you targeting startup founders and not the developers?" I thought this would be obvious but apparently I'm too enmeshed in my own little world.
I explained that I'm targeting the head of the startup because privacy is everyone's responsibility. The responsibility does not fall on a single individual's (or team's) shoulders, and therefore it's the company leader who needs to make sure everyone is on board. That simple explanation was still insufficient and required a more detailed one.
Given that, I thought it was worth sharing my explanation of how everyone participates in making sure the startup tackles privacy issues and compliance correctly. But, quickly, just to make sure we are all on the same page, recognize that there are five things you must do to Do Privacy Right™:
- Be fully transparent about what you are doing with personal information
- Get users' permission for the things you intend on doing with their personal information
- Give users control of their data, including the ability to update and possibly even delete their personal information
- Provide adequate protection to personal information
- Do as your policies say
Note: Before I begin, I do understand that in an early-stage startup many of these roles fall under a single individual. I also understand that I've combined some things that might not fit in all companies. I believe the larger point still holds true though.
Founder
The founder (or CEO, president, etc.) needs to make sure everyone understands their role. This role needs to line up legal counsel to get the policies written and ensure that people are following what the policies say.
Marketing Communications & Sales
The marketing and sales team needs to make sure they are properly using (in accordance with laws and policies) the personal information the company is collecting. They also have the opportunity to use the privacy-sensitive stance of the company as a way to build user trust and garner some good press.
Product Requirements
The person in charge of setting and vetting a project's requirements needs to be the internal expert on what laws the company needs to be compliant with, or at least what is required by those laws. In a larger organization there would be a privacy officer, compliance department and/or legal counsel -- startups don't have that luxury, but some level of the services those functions provide in a large organization needs to be spearheaded by someone, and the person closest to the product should be that person.
Development
This role should have some sense of what the laws and regulations require of a company but should look to the CTO or project manager for guidance. However, it is critical that this role knows best how to protect (and monitor the protection of) the personal data the company is collecting, transmitting and storing.
User Experience (UX)
I discuss in some detail in my e-book the importance and difficulty of transparency, and the role in charge of UX is critical in ensuring that the execution of transparency (and informed consent) is done in such a way that it is meaningful to users. I cannot overstate just how important this is. If everyone else is doing their job with regard to privacy, then the company is likely compliant with all of the laws and regulations, but if the UX role nails transparency, the company earns a trusting and loyal user base (kind of nice to have, right?).
I think that covers it. I hope this post helps others understand the role privacy plays throughout a startup. (By the way, you could certainly expand these roles and responsibilities out to a larger company if you wanted.)