Are you a General Counsel who needs to create a privacy program and doesn't know where to start? Going from zero to 100 regarding privacy can be daunting, given the many potential risks your company might face now and in the future. However, the most important thing you can do today to mitigate your risk is to start building your program, no matter how small, and make it in a way that can be operationalized and scaled.
We recently covered this topic at the TechGC Privacy Forum where Stephanie King from Playco, Esteban Morin from Drizly, Jennifer Chaloemtiarana from Doximity, and Tim Parilla from LinkSquares dove deep into what they’ve learned at their companies.
Below are four takeaways from that panel that you can use today to start building your privacy program.
Determine where to start and expose your company's most significant risks by putting together your risk profile.
Begin by looking at your company profile (your company's size, scale, and locations), the types of data you handle, and your customer profile.
After that, think about areas where a consumer might be caught off guard by anything that your company is doing. What are their reasonable expectations regarding how you use their data? Conduct a brainstorming session with leaders from multiple departments and write down any hypothetical concerns, large or small, that users might have.
You can then turn these bullet points into areas you need to investigate within the company and sketch out a clear privacy roadmap with urgent areas that need to be addressed now, along with less-urgent concerns that you can handle in the future.
Always remember that you don't need to reinvent the wheel. Reach out to other General Counsel in companies that are similar to yours to get a second opinion on your risk assessment. One great way to do this is via TechGC's private member forum.
Your privacy team can't just be you. And if you're at an early-stage startup, you likely don't have the resources to assemble a team of attorneys. Instead, focus on building a cross-functional privacy team composed of key stakeholders across your organization who touch company data. Breaking down barriers between legal and the rest of the company will help you solve problems you won't be able to solve on your own.
Remember those folks you brainstormed with to assess your company risk? Incentivize them to become privacy champions by framing privacy as a critical company concern rather than a compliance box the legal team has to check. People outside of the legal team and across your organization should recognize the work these privacy champions are doing, and it might even be possible to make this work part of their OKRs and career development within your company, further incentivizing them as privacy advocates.
Eventually, these team members can serve as the canaries in the coal mine when issues arise, whether those stem from an upcoming product launch or a potential data breach. It's unrealistic to expect legal to have the capacity to constantly check in with multiple departments about privacy concerns. By having members from marketing, customer support, product, and sales, legal will have its ear to the ground across the organization so that privacy issues are handled proactively rather than reactively.
Even if your team grows enough to have a budget for additional attorneys, you'll still need this team of privacy advocates to raise the flag for the legal team at critical moments.
You might think you can't establish a good privacy program without a comprehensive understanding of your data. While it's true that in an ideal world you'd understand every single way data flows into, out of, and within your organization, don't let perfect be the enemy of good.
It's better to start small than not at all. You and your team of privacy champions can put together a spreadsheet with a list of all your internal and external systems. As long as it’s maintained by stakeholders, this process can work great as your company grows.
Don't forget that as you create privacy processes, it's vital that you tailor them to your business type, size, and capacity. You put yourself in a much worse position by having detailed policies that you don't follow than by having more straightforward procedures that your team adheres to and builds upon.
A great way to identify your team's gaps is by conducting a tabletop exercise. This is a discussion-based exercise where a team talks through how the company as well as individuals would respond to a specific hypothetical emergency situation.
Gather your privacy stakeholders together and work through what would happen in scenarios like these:
These exercises allow you to work through hypothetical scenarios in real-time to understand where your team and processes are lacking. Ideally, you should bring in members from your C-suite so you can more easily get buy-in on any resources you need to plug your privacy gaps. However, this exercise can be beneficial even if it's just you and your privacy advocates.
If you have a lot of processes in place but they fall apart once things hit the fan, you’ll know that your privacy program needs work.
Operationalizing your privacy program is not something you set and forget, so as your company grows, these processes will likely need to be revised and reexamined. Having a program that you can audit and scale from the beginning will save you a lot of time and headaches, so starting to build your privacy program today is one of the best investments you can make in your team and company’s future.
Want to learn from other GCs about staying ahead of global privacy changes? Apply to become a member of TechGC today. You can also read our other posts from our privacy forum about staying ahead of global regulations, Web3, and working with your marketing team. If you’re already a member, join us for the TechGC Going Global Forum on July 19th, 2022.