Privacy-enhancing technologies shouldn’t be an afterthought for startups

Running out of cash is a common cause of startup failure. Many fledgling organisations focus on growth strategies such as customer acquisition and product development. This means data privacy may not be high on the list. However, the cost of a data breach can be catastrophic.

Cash-strapped startups should keep privacy-enhancing technologies in mind when developing their data-privacy strategy. Privacy-enhancing technologies, or PETs, are deployed by businesses when collecting, storing, and processing information.

A business might use these technologies in the hope that they will provide the organisation with a minimised risk of data breaches, all while preserving the data’s utility.

Some of the key PET techniques and applications are:

– Anonymisation tools

– Encryption techniques

– Trusted execution environments

– AI-generated synthetic data

As businesses become increasingly dependent on data and collect more and more of it, it’s crucial for startups to weave their consideration of PETs into their strategies from the very beginning, as part of a wider consideration of good governance of data.

A privacy-focused culture from the outset

Though startups often have their core values centred around growth and progress, incorporating PETs at the inception is about more than just complying with regulations. It’s also about creating a culture that prioritises privacy and building a strong foundation for future growth and limiting risk.

Even established businesses are getting their approach to data, privacy and the adoption of new technologies, including AI, wrong. Our own survey of organisations both in the UK and the US found that only 34% of businesses had undertaken any data mapping, the process of understanding all of the data you hold and where it is.

On the other hand, the attitude towards AI adoption was considerably more enthusiastic, with 81% of organisations saying they were using or planning to use some form of AI technology. This dichotomy is concerning, given that AI is built upon the data in which it is fed. Getting this right from the offset is important as it could have huge cost implications if it all goes wrong.

The value proposition of privacy

Cybersecurity breaches are reported in a near-constant manner. With evolving techniques and increasingly sophisticated criminal behaviour from groups with intimidating scale, cybersecurity can feel like a losing battle. The cost implications of letting your focus on cybersecurity slip can be catastrophic for all businesses, not least emerging startups where funds are scarce. IBM has reported that UK organisations face an average cost of £3.4m for data breach incidents in its annual ‘Cost of a Data Breach report’.

As a startup, you might think that you’re not a prime target, but it’s not the value of your business, it’s the value of your data that is the target. Therefore, it’s important to have secure foundations and really understand the tech that you’re putting your trust into.

Recent cases in both the UK and US have offered cautionary tales of accidental data sharing with third parties. Claims that these were inadvertent data exposures do not stand up in legal proceedings, regardless of the infancy of the organisation.  If you’re going to adopt tech, any tech, you need to have a full grasp of what you’re working with and the potential risks it exposes you and your customers to.

Non-compliance with data privacy regulations can result in hefty financial penalties from the ICO and irreparable damage to a company’s reputation. Furthermore, demonstrating a sound understanding and implementation of privacy regulations make a start-up more attractive for future investment rounds.

Not all privacy-enhancing technologies are equal

The tale above might lead you to believe that PETs can provide the catch-all solution to your data privacy concerns. However, you should proceed with a critical eye and caution before taking any forward.

Organisations should be wary when implementing PETs to achieve their desired outcome. There should be a comprehensive understanding of how the PET works, and how it will be used within the existing organisational governance structure. At minimum, a nominated individual should be responsible for oversight by monitoring performance and escalating issues to ensure appropriate PET protection.

In addition, organisations should ensure any adopted PETs scale in line with business growth, continually reviewing their efficacy in achieving the desired privacy goals. A rigorous understanding that PETs aren’t foolproof and that their implementation still requires human oversight is critical to any data governance plan.

Adopting PETs

Before adopting any PETs, you should also first review the Information Commissioner’s Office (ICO) information. The ICO provides comprehensive guidance outlining each technology’s key features, functions, and considerations. This guide enables startups to incorporate a ‘privacy-by-design’ approach that considers data privacy implications in all aspects of business, from product design to customer interactions.

Startups can also seek advice from privacy experts or legal technology firms specialising in data privacy. These resources can help translate the technical aspects of PETs into actionable insights. Also, participation in communities and forums focused on data privacy can offer valuable insights and practical tips for implementing PETs.

Privacy shouldn’t be an afterthought for startups. It should be integral to the business strategy from the very start. By prioritising privacy, startups can foster customer trust, comply with evolving regulations, and build a more robust, resilient business.

After all, privacy is more than just a regulatory requirement – it’s a commitment to your customers and an investment in the future of your startup.

Katie Simmonds is a managing associate at Womble Bond Dickinson.