Startups and privacy: How to build solid foundations from the beginning

August 3, 2022

As a startup, you may be thinking you’re “too small” to start thinking about privacy. Or you may even believe that privacy isn’t relevant to you… at least not at this stage.

Or maybe you’ve been tasked with the role of Privacy Officer (amongst your other responsibilities) and you’re unsure why or where to get started.

Our founder & CEO Phil Howie and Daimhin Warner, Principal & Director at Simply Privacy went live on LinkedIn to chat more about privacy readiness. You can watch the replay here, or below.

Understanding the basics of privacy

“The first thing to note,” said Daimhin, “is that privacy is a human right.”

At a high level, it’s fundamental to ensure individuals have control over their information.

For your startup, privacy is the foundation of trust when it comes to collecting or using personal information to deliver or develop services or products.

That trust needs to be there. “Privacy is about building that trust.”

Your customers need to understand what is going to happen with their data and feel confident in how you’re going to use the data in exchange for your product or service.

The Privacy Act in New Zealand, and privacy laws all around the world, take a risk-based approach. Data is vital to the economy, as well as, in Daimhin’s words, “the blood of most businesses.” So as much as data needs to be collected, used and shared, this needs to be for a legitimate reason.

What is Personal Information?

Personal information is any information about an identifiable individual, such as their full name, physical addresses, email addresses, photos, location, health and financial information.

The two key words here are ‘individual’ and ‘identifiable’.

“Individual means a natural person, not a business,” explained Daimhin. “So when we say natural person, I don’t mean someone who enjoys yoga and is vegan. What I mean is a real living human rather than a corporate entity or a business.”

So, while corporate policies or financial reports might be, they are not personal information and they’re not covered by privacy laws. This is a key difference between privacy and security, because security tends to apply to all organisational data.

The use of the word 'identifiable’ is deliberate, and means that information does not have to contain names or other identifiers in order to be personal information. As long as someone could look at the information and recognise that it relates to a particular person, then it’s personal information.

Privacy and New Zealand businesses

As a NZ business, you’re covered by the Privacy Act, though a small number of agencies – such as the news media and the courts – are exempt. We’ve had a Privacy Act in NZ since 1993, and in 2020 the Act was updated to bring it more into line with overseas privacy laws.

The New Zealand Privacy Act is based around 13 privacy principles covering the data lifecycle for any organisation from collection through to retention, security, use, disclosure, and so on.

“If you’re a startup, in particular a startup that is (or will in the future) offering software as a service to other countries, the Privacy Act makes a distinction between what we call, in European terms, data processors and data controllers,” shared Daimhin.

At the end of the day, the NZ Privacy Act “isn’t that onerous” and although there are “new mandatory privacy breach notification requirements,” it’s not quite the same as some other places globally, such as Europe.

Daimhin admits that “the consequences of getting it wrong in New Zealand are slightly lower,” but argues it doesn’t really matter, because you still want to avoid the damage to your brand’s reputation.

Privacy obligations in international markets

As a Kiwi startup, especially SaaS businesses, it’s quite typical to expand onto the world stage since there are no geographical bounds to selling your product.

And once you consider doing so, you’ll notice just how many privacy laws there are. In fact, over 80 countries have enacted their own privacy laws.

You may be questioning: “But I’m not ready to sell yet and I’m in New Zealand, how does that apply to me?”

According to Daimhin, most privacy laws overseas have “extra-territorial effect” — meaning, even if you’re based in NZ, if you’re collecting personal information about people in another country, then you will be subject to their laws.

“Our Privacy Act does it too, by the way,” added Daimhin.

The good news is, all privacy laws around the world are based on the same foundational privacy principles from the OECD. Most of these principles have found their way into New Zealand’s Privacy Act. So as a NZ business, if you’re careful to comply at home, you’ll likely also already be ready to comply with overseas privacy laws.

However, be aware that some overseas privacy laws, such as the EU GDPR, include privacy rights and obligations that are not present in the NZ Privacy Act, such as the right to delete personal information, the right to data portability, and the right not to be subject to automated decision-making. 

Getting started with privacy

Know your data

“Don’t be afraid of privacy,” assured Daimhin. “It’s not as bad as it looks.”

The most fundamental thing your startup can do is ensure that you know your data.

You can’t assess your privacy risk or make sure you’re compliant without knowing what personal information you hold.

This is step one, mapping your data—who you’re collecting it from, what you’re doing with it, where you hold it, why you need it, who has access to it. Privacy with a plan.

Make sure you’ve assigned a privacy officer

Accountability is a big thing when it comes to privacy. Appointing a privacy officer is a legal obligation within the Privacy Act. You need someone who is accountable and who cares about privacy, either an existing person, someone you’ve hired in, or you could outsource it.

“You know, no one’s too small to have a privacy officer,” said Daimhin.

Be aware of the risks of doing nothing

The NZ Privacy Act doesn’t include punitive fines like many overseas privacy laws do. Here, a complaint can be made to the Privacy Commissioner, who will try to resolve it and might issue a compliance notice advising an agency to take action to change their practices. There is also the risk that a complaint could eventually end up before the Human Rights Review Tribunal, which can order the payment of compensation of up to $350,000 to a complainant.

The biggest consequence in NZ will be to your reputation. “Partly because the media in New Zealand really loves a privacy breach.”

Does privacy still matter and why?

In the age of social media, many individuals may have the view that privacy isn’t important considering the internet knows so much about us.

However, privacy is no longer focused on secrecy and confidentially. It’s about autonomy, and how we interact today. Even if the information is out there, we deserve to have control about where and how that is shared.

As your startup scales, so do your privacy roles and responsibilities. It’s important to have a plan for privacy, not just to protect your reputation, but to ensure you can confidently operate globally with your customers front of mind.

Unbeatable cyber resilience 🦹

Winner of 2021 iSANZ Best Startup

"We wanted a solution that was fit for purpose, reflecting our age and stage, while delivering the outcomes we wanted for our customers and people. After looking at what was available, Onwardly stood out as serving this purpose perfectly."

Kendall Flutey

Founder & CEO