This guest post was contributed by Joel Adeyemi Adefidipe, a graduate of law from the University of Lagos with an interest in the tech industry and tech products.
Meta was fined $18 million in March this year for breaching GDPR (General Data Protection Regulation). Within a short time, the same Meta was fined $400 million over its treatment of children’s data on Instagram, again in violation of GDPR. In the last few years, Meta has been embroiled in data privacy lawsuits, the most recent being a class action by some Facebook and Instagram users in October against the company for circumventing Apple’s new data privacy restrictions and breaking privacy laws.
These developments show how data privacy sensitive the world has become. There is only one explanation for this: technology runs on data. In an era of Big Data, there is a large volume of data transactions that occur every day. Although data is neither good nor bad, it could be deployed towards creating innovative solutions or causing harm to the public. With data malpractices of major tech companies being exposed, data protection and privacy have become a concern to many. Countries have, therefore, swooped in with laws and regulations to ensure that the collection, processing and integrity of personal data of data subjects are regulated, and to mitigate the injury that may be occasioned to the public from harmful data practices. If a tech giant like Meta has been caught by the regulatory net for improper data practices, how much more startups?
Startups are at the core of the global tech industry. Every day, they interface with data, making them a hotspot for data malpractices. One of the measures adopted by regulatory authorities to clamp down on wrong data practices and engender ethical data practices is the requirement of data protection audits. This article demonstrates why startups should ensure they conduct frequent data protection audits.
What is a data protection audit?
A data protection audit is an assessment of the data practices of a company and its compliance with data protection regulations. Nigeria’s National Data Protection Regulation (NDPR), for example, provides that companies that collect, use and process data should, at stipulated intervals, deliver a data protection audit to the National Information Technology Development Agency (NITDA). The NDPR also details the contents of the data protection audit. Similar provisions can be found in the General Data Protection Regulation (GDPR) of the European Union.
The importance of data protection
Many tech startups offer transnational services and collect personal data from persons who live in various parts of the world. The data protection and privacy laws of those countries and regions apply to them. For example, the GDPR applies to any data controller (any organisation that collects data and determines the purpose or the use to which the data is put) or data processor (an organisation that processes data on behalf of a data controller) that processes personal data of data subjects who reside in the European Union, even if such processor or controller is not established in the European Union.
The GDPR and NDPR require that a data controller or processor conducts data protection audits. Failure to submit the audit attracts penalties, as prescribed by these regulations. Fines are imposed for the breach of the provisions of these regulations, and they could run into tens of millions of dollars. Startups cannot afford to lose money that could be used for other profitable ventures. Once a startup begins to interact with personal data of a certain volume, it becomes imperative to prepare an audit. Audits could be done either by the startup itself through its data protection officer or by an external data protection expert (or through a data protection compliance organisation (DPCO) in Nigeria). Audits are done to comply with regulations. Penalties attached to noncompliance with data protection laws are sometimes so significant that they could ruin a startup or a small company.
Aside from regulatory compliance, audits also help a startup identify any lacuna in its data practices. A data protection audit is used as a report card assessing the commitment of a startup to the implementation of its data policies and procedures. Through regular audits, a startup can also measure how its practices fare against changes in international standards and best practices. A startup at an early stage must formulate and learn how to maintain healthy data practices. The world is increasingly becoming sensitive to how data is used. Hence, a startup should not fall into the temptation of data misuse or inadvertently allow a lacuna in its data practices.
Furthermore, data protection audits can also help a startup stay competitive. Data protection is a source of concern to many. Many companies make empty promises that they are data protection compliant without any evidence. A report by KPMG titled “The new imperative for corporate data responsibility” has shown that many consumers in the US do not believe their personal data is used according to the law and is protected against compromise. By publishing audits, a startup can substantiate its commitment to data protection to potential consumers and partners, thereby giving it an economic advantage. A startup may also mix data protection audits in the cocktail of marketing strategies by including its data protection audits in marketing materials. Apart from just attracting customers, publishing audits along with marketing materials also builds trust, as consumers know how their data is used. This makes for a loyal and lasting customer base.
Tech startups are the heartbeat of the global tech industry. This means they cannot avoid interfacing with the personal data of those they offer services to. If startups are to avoid what happened to Meta, one hurdle they must surmount is to ensure that data is collected, stored, processed and used according to the law. The integrity of data within their coffers must be safeguarded and guaranteed. Thus, quality data policies and procedures in accordance with international best practices must also be adopted by startups. Data protection audits remain a veritable means through which a startup can monitor and uphold healthy data practices in a data privacy sensitive world. Startups could also scale up their marketing yields by publishing data protection audits while simultaneously complying with laws and avoiding huge fines. A win-win!