Karima Noren

Getting privacy right

Scaling legal
July 7, 2020

Privacy and compliance are paramount, but a lack of understanding can make it challenging for scaleups to implement these privacy policies. How can lawyers enable teams to lead with privacy in mind?

This is a chapter from our 'Legal for scaleups' eBook, featuring legal leaders from some of the world's fastest growing companies.

It doesn’t matter how awesome your product is - if no-one’s buying, there’s no business for you to enable. A sole counsel at a scaleup should always focus on enabling sales to close faster, but in the back of every lawyer’s mind is the nagging reminder of risk. When it comes to privacy, even a small business offering its product on a freemium model could still have a substantial privacy risk.

I was the second lawyer hired by Google in Europe. I left eight years later to work with scaleups - it was time to go back to the fast-paced nature of smaller businesses with large dreams. The reason why I co-founded The Privacy Compliance Hub was because my legal clients focused on enabling sales, but at the complete expense of risk and privacy.

Misconceptions around privacy 🤔

Picture the scene: you recently joined as the general counsel at a fast-growing technology company. It doesn’t take long before you are swamped with work. Alongside the firefighting and daily legal grind, you’re also expected to handle how the company - and its employees - manage personal information.

Does this sound familiar? This scenario involves some of the biggest misconceptions around privacy and personal information, and in order to broach the subject, GCs need to accept three things:

1. Everyone ‘does’ privacy

It’s a common misconception that privacy and compliance sit with the legal team. In truth, everyone is responsible. You have to reach people in different departments and bring them on board to understand the importance of privacy, as well as the role they play so issues don’t arise in the first place.

2. You need a team

We call them ‘privacy champions’ - and these are the employees from various departments who will teach others the best privacy compliance practices. This is important, especially when you’re the only person in the legal function, and ties back to the first point - everyone is responsible for privacy.

3. Leaders need to lead by example

Make sure the founders and leadership team are on board with the changes you’re trying to implement. Resolving privacy issues and building a structure from the ground up is far more challenging if you don’t have leadership supporting you.

Privacy is so vital because it concerns all of us in our private lives, and how companies handle our personal information matters. A company will only have a product or service that handles personal information well if it seeks to build and maintain a culture of continuous privacy compliance. Given the current world we live in, it’s easy for carelessness to backfire, with serious consequences.

Apple CEO Tim Cook phrased it well: “if you’ve built a chaos factory, you can’t dodge responsibility for the chaos”. It’s important to build responsibly and consider privacy right at the beginning of your company’s journey.

Programme vs policy 📜

Many people don’t understand privacy compliance. Depending on your function in the organisation, you may view it as a single item - security encryption, the privacy policy on your website, or the marketing database, for example. Privacy is much more than that; it’s a range of elements, habits, and culture within your business - and that’s why I recommend implementing a privacy compliance programme, instead of a privacy policy.

A culture of continuous privacy compliance is the ultimate goal; the only way you can get there is to help your colleagues create habits. And the only way to create habits is to implement a programme that is easy to maintain.

A privacy programme details every single element you need to consider in order to be compliant. These elements make you think about privacy in a logical way. Should the company be collecting this personal information? How should the company safeguard this information? How does the company want employees to foster its privacy culture? Which vendors should the company share information with? How can the company safely and securely share information?

At the Privacy Compliance Hub we built a privacy compliance programme centred around eight privacy promises. These promises help staff understand the importance of processing personal information with care and integrity. The programme pushes the company to build and maintain a privacy-centred culture in its work.

A company that understands the importance of privacy from the get-go will have a programme in place to safeguard any quick decisions. Scaleups move fast - whether it’s innovating, expanding into new jurisdictions, or targeting new markets - and thinking of privacy from the outset and incorporating it into every aspect of the business will prevent mistakes that cause data breaches.

Resources and collaboration 🤝

In the early stages of working at a scaleup, the lawyer is extremely busy - the first thing they will do is get a grip on their contract management. Once this has been achieved, they will turn to risk. It’s essential to get buy-in from leadership before they start to work on a privacy programme, and there’s a mountain of work to do in order to get the company to a state of compliance.

The only way to get everyone in the organisation to do privacy is to have a privacy compliance programme that is continuously implemented. But who is going to create this privacy compliance programme? The sole counsel could try to do it themselves, but it will be challenging to balance with daily tasks, sales enablement, and other business priorities. Luckily, there are a few options out there that can ease the burden:

  • Hiring: Hire a compliance officer or a law grad to help you create the privacy compliance programme. With the additional hire focusing on building the programme internally, you can dedicate time to other legal work
  • External consultants: Most lawyers at scaleups face the problem of getting buy-in to hire - understandably, the business wants to invest in commercial growth. External resource can mitigate this problem but you must ensure that the external consultant is building a privacy compliance programme that is sustainable. Privacy is a journey - not a destination
  • Online tools: A DPIA (data protection impact assessment) can help you identify and reduce the data risks of a project. If your business is planning a project that involves handling personal data, the assessment can help mitigate the high risks involved. It’s important to remember that completing a DPIA is only a starting point; it does not replace the need for a comprehensive privacy compliance programme

And, of course, GCs could use The Privacy Compliance Hub, where the programme, templates, records, training and methodologies are created for you. The Privacy Guy is another great resource - he makes privacy fun.

Taking control of your privacy 💪

As a scaleup starts to grow in size, it also grows in complexity. It’s so easy to fall into the trap of zero accountability, especially where privacy is concerned. Building out a privacy programme early on is essential. When you’re in a team of 50 employees, these habits are easier to enforce and implement than when the company scales to 500.

Privacy doesn’t exist to block innovation - it’s there to ensure that the information and data you collect is managed responsibly. Create a programme; rewrite existing privacy policies for new markets, new products, and new customers; focus on transparency; and continue to engage the business in ongoing conversations around compliance. Set these programmes, habits, and cultures in place - and you can future-proof the business.

Karima Noren is the co-founder of The Privacy Compliance Hub
