The main heroes and heroines of start-up companies are frequently the inventors of disruptive technology. It stands to reason, then, that such companies attract employees who are less likely to follow rules or “colour within the lines”. Silicon Valley and other cities known for a high concentration of tech start-ups (including Toronto) often promote a free-wheeling corporate culture: coupled with the in-house juice bars, on-site meals, playgrounds, and flexible (or non-existent) vacation policies, there is a certain disdain for rigid company policies and procedures.
This is fine where innovation is concerned. However, once a fledgling start-up begins to take flight, the need to incorporate compliance and risk management (including policies on privacy, anti-spam and data breach management) becomes non-negotiable. The challenge is how to do this while maintaining an independent spirit that drives innovation.
At Inter Alia, we work with companies of all sizes in helping them “scale up” where policy implementation and training is concerned. How do we do this, when many of our clients are the innovative types described above? It’s no easy task, to be sure, but it is possible. We start by making sure our clients are aware of the key laws that affect their business. For example, in Canada, recent legislative proposals under privacy law (Bill S-4) call for additional disclosure requirements in the event of security breaches. In addition, Canada’s anti-spam laws (“CASL”) that came into force in July 2014 have already seen steep fines assessed against companies that have failed to comply.
After providing information about their legal obligations we create a plan to address the issues presented that is unique to each client and is designed to be rolled out in a way that fits within their culture.
To follow are some suggested steps on how to roll out corporate policies that can apply to privacy and CASL compliance, data breach security policies for information stored on-site, or even “Bring Your Own Device” (BYOD) policies. On the privacy recommendations, the Office of the Privacy Commissioner of Canada (the “OPC”) provides tremendous guidance to help organizations build a privacy law compliance plan (https://www.priv.gc.ca/resource/tool-outil/english/index.asp?a=logout):
- Build Your Plan Beginning with Senior Management Buy-In
Senior management support is essential to successful corporate compliance programs. When the message comes from the top, employees will be able to appreciate the importance and seriousness of matters such as privacy, anti-spam and data breach protection.
Put another way, you cannot expect your employees to take these or other issues seriously when they don’t see their managers doing the same. So, our first job is to have a top-level discussion with managers to explain the importance of the laws and the devastating effects of non-compliance. (In terms of data breach incidents and CASL, one need only look at some recent headlines to appreciate this). Management must embrace the implementation of the policies and convey the importance of the issues to staff with ease and clarity. This will allow employees of all ages, job functions and levels of experience to be able to relate.
- Appoint a Privacy Officer
Next, management must assign the responsibility of implementing a corporate privacy plan to a point person, known as the company’s “Privacy Officer.” Even in the most “maverick” corporate environments, there is usually at least one employee with an interest in and the capacity to take on this type of responsibility. So find out who is willing and able to assume this important role.
The Privacy Officer must be apprised of the company’s personal information usage, storage and disclosure practices, as well as human resources, marketing and commercial campaigns that require collection of personal information from employees or members of the public. The Privacy Officer is also in charge of reporting any issues to senior management, so appropriate communication mechanisms need to be put in place.
This person may also be best suited to oversee the rollout of other related policies as listed above. In that sense, they may function as the company’s “compliance officer.”
- Conduct an “Information Inventory”
It is important to find out what personal information (e.g., name, contact information, financial and/or demographic) the company collects and why, who collects and uses it, where it is stored and for how long, and when it is being disclosed. When conducting this inventory, keep in mind the 3 Rs recommended by the OPC – make sure the information you are collecting is Reasonable, Relevant and Really needed for your business. Also, find out who at the company is able to access this information (generally, access should be limited to employees on a need-to-know basis). At the end of the day, if you can’t explain why you need to collect or disclose a certain piece of information, then most likely you do not need to collect or disclose it.
This fact-finding mission needs to be thorough. It is important in order to determine whether your existing practices are in compliance with privacy and anti-spam laws and recommended data breach programs and, if not, where modifications need to be made.
- Risk Assessment
Review legal obligations and best practices against existing security measures. In formulating the company’s plans and policies (which of course, will vary with the size and type of business), the Privacy Officer will need to work closely with the IT and other business units to understand the business and confront any gaps between the business and what is customary in the industry or required by law head-on.
Understand your vulnerabilities (not just technical ones – perhaps you engage third party vendors to use personal information without the appropriate contractual safeguards?) and design a road-map to address the gaps accordingly.
- Implement the Plan with Training and Education Requirements
Try to roll out the various policies along with training and education in a way that appeals to the average employee who is typically focused only on his or her own job duties. Keep the message as clear and simple as possible while still being thorough enough in the process.
Here is where the Privacy Officer, senior management and their legal counsel need to demonstrate a tremendous amount of empathy and patience in providing effective training in a manner that will appeal to the employees.
- Breach and Incident Management Response Protocols
Include a protocol on how to manage responses to any data breach incidents. Ideally, this will be designed in advance of any incident with the help of privacy lawyers, who will advise you of your legal obligations, along with public relations experts. (Perhaps the only thing worse than a data breach incident is not having an appropriate response ready in a timely manner for the general public and parties who may have been affected.)
These days, the message being conveyed to privacy lawyers and IT experts is not “if” a breach is going to occur, but “when.” This is a frightening prospect, to be sure, but all the more reason corporate compliance plans need to be put in place.
It may help to first convey the cascading effects of a privacy breach on the company as a whole. Training may start with a review of some of the more high-profile data breaches that have made the headlines, and an explanation of the adverse effects these breaches have had on the relevant businesses. True, you don’t want to scare the employee too much, but they should appreciate the gravity of the matter sufficiently, and the importance of implementing any new compliance responsibilities into their job functions.
Create a process to review and maintain oversight over these protocols at regular intervals. Lessons can be learned at various times, and it is important to iterate on policies and protocols as necessary. Where an issue has occurred, management, the Privacy Officer and legal counsel should assess the effectiveness of the overall program to see where improvements can or should be made.
- Make Compliance Fun!
Don’t overwhelm employees with a bunch of lengthy, formal policies distributed all at once. Space them out in reasonable intervals, and, as much as possible, make sure they are worded in everyday language.
Finally, the Privacy Officer, with the help of legal counsel and management, can take the lead in making compliance with the new policies as palatable as possible – maybe even fun! Activities in line with the organization’s corporate culture may help in this regard – these may include things like a compliance quiz that awards prizes, or a friendly competition among different business units. Anything that encourages employee engagement and buy-in helps: the more the rollout fits with the “fun” office culture so prevalent in start-up organizations these days, the better the chances for success.
Please note: this article is for information purposes only and should not be construed as legal advice. If you or your company requires advice in the areas of privacy, anti-spam or data breach management, please contact me at firstname.lastname@example.org.