You are an entrepreneur who made a leap of faith and decided to follow your dream of starting a business. You have 100% confidence in your product. Its positioning is right, the product itself is right, and it is already attracting interested investors. Along this journey, you cross paths with potential big clients who require you to have what seems like a million policies and procedures for protecting data. But where do you start?
Risk Assessment
If you’re moving fast trying to build your company, it can feel intimidating, even scary, to assess where your security and privacy risks are. Consider it empowering instead, to understand the weak points, even if you don’t fix them all right away.
Once risks are assessed, identify the protective measures that are low-hanging fruit and implement those. Maybe the easiest, highest-value step is some sort of technological measure. Maybe it’s a human measure - policies, procedures, staff training or contractual language.
Then make a plan for covering the rest, based on what your stakeholders demand, the relative risks, and your capacities for implementing these measures.
The Human Measures
Ensuring that your organization complies with the relevant regulations (such as GDPR, CCPA or HIPAA) can be frightening, but ultimately it's essential. We've found there are two viable ways for resource-constrained startups to tackle this initially: DIY or off-the-shelf. Consultants with real expertise are usually too expensive at this stage.
Doing it yourself costs less cash. Your own people do the research, write the policies, and review how your operation actually handles data. It isn't done by an expert in the field, but it is done by someone who knows your company well and can tailor the result to your needs and capabilities.
An off-the-shelf alternative, such as a set of standardized policies and procedures, is produced by someone with expertise but costs less than an expert consultant. You spend some cash to save your own bandwidth. The trade-off is that the material isn't tailored to your business, so there can be some pain in applying it to how you actually operate.
Whatever you start with, something is better than nothing. A minimal set covers:
Establish roles (who is responsible for security and privacy decisions)
Policies and procedures for protecting data
Policies and procedures for responding to a breach
Post-mortem reviews after an incident
Training for staff
A Lawyer’s Role
Your lawyer can help you match the requirements of the law against your company's risks and resources, and then help you decide how to approach security and privacy compliance. Our job is not just to point out problems and offer overbearing solutions. We can help you make a realistic plan and pursue it.