Whether it’s B2B or B2C, if you want to scale your business effectively, privacy can no longer be an afterthought or a check-box compliance exercise. Customers are less inclined to buy your services if their personal data is not properly protected. Those are the pitch lines for the upcoming workshop on privacy regulations for startup founders at Infobip Shift, the largest developer conference in Southern Europe.
Infobip Shift takes place in Zadar, Croatia from September 15 to 17. For the first time, the popular tech event spans three days, gathering thousands from the global IT industry for the fourth consecutive year. This expansion helped to introduce more great workshops, including one that intrigued us: “GDPR: the Hitchhikers Guide for Startups and Founders”.
In anticipation of the event, we decided to reach out to the two privacy experts leading the workshop. Kristina Mandic, Privacy Expert from Infobip, and Nikola Kasagic, Senior Privacy Counsel at Booking.com, shared their thoughts on the latest privacy trends, AI/ML compliance, and implementing ‘privacy by design & default’.
Mastering privacy regulations is critical for startups who want to scale
We start off by discussing the latest privacy trends that startups should be aware of. Nikola points out an increasing emphasis on consumer control over personal data in recent years…
Established regulations like the GDPR in Europe, California’s CCPA and Brazil’s LGPD have already granted users more rights to access, delete, and transfer their data. But this trend is expanding, Nikola reminds us, as new privacy laws emerge across the United States, South Korea, and China, each bringing its own set of rules that businesses must navigate.
Nikola stresses the importance of staying ahead of evolving privacy trends as startups scale.
“Startups must be proactive in building systems that respect these rights and adapt to the diverse legal requirements of different regions. The ability to manage and protect personal data in compliance with a complex global landscape is becoming a critical factor for companies aiming to grow sustainably.”
Kristina also highlights other key trends beyond new global laws:
“First, data localization is here to stay and startups should learn how to address that. We’ll talk about that in the workshop. Second, PEC techniques will be of more significance. Lastly, I think that data protection regulators will be even more active in ensuring compliance due to two facts – individuals are becoming more aware of their rights and are filing complaints to the regulators; at the same time NGOs such as NOYB in the EU will continue with their strategic litigation efforts.”
The European Center for Digital Rights, or NOYB for short, has already caused significant changes in the data protection field, which have had a significant impact on global business. It is only the beginning, Kristina concludes, giving the example of the complaint NOYB recently filed against X over its AI training data plans.
How to successfully integrate privacy into the core of startup strategy?
Nikola urges startups to embed privacy into their products and services from day one, to make sure that personal data is automatically protected. He compares privacy by design & default to laying a strong foundation when building a house.
“This approach is particularly important for new businesses because it can help them to avoid costly fixes later, earns customers’ trust right away, and keeps the startups in line with privacy regulations as they grow.”
To implement that principle, startup founders must embed privacy as a core value across the company, ensuring everyone understands its importance.
However, Kristina warns there’s no one-size-fits-all solution when it comes to embedding a privacy-first mindset; each organization is unique in its processes. “The GDPR recognizes the risk-based approach and during our workshop, we’ll discuss in more detail what exactly this implies and what are some of the first steps they can take to assess their level of risk and take appropriate action.”
When it comes to implementation, startups looking to navigate the complex world of privacy obligations have access to a range of tools, frameworks, and resources. However, Nikola stresses that it’s crucial to remember that no single solution fits all needs. You can use privacy management tools for tasks like data mapping and consent management, but make sure to customize them.
Kristina suggests budget-conscious startups explore free resources from regulators. “For example, you have Olivia – a tool developed by the Croatian and Italian regulators. The French and Spanish regulators also have some very useful materials published. I will give more details about these resources in the workshop.”
It’s not just a legal obligation, it builds trust
Data protection is not just a legal obligation; it is a crucial way to build trust with your customers and partners, Nikola believes. That’s why he insists it is also important for founders to be transparent with customers about how their data is handled. It builds trust and can be a differentiating factor in the market.
So pay attention to these four principles when collecting data, and especially when performing marketing activities:
- Collect only what you need, and avoid unnecessary data.
- Be transparent: Clearly inform individuals about what data you are collecting and why.
- Make sure you have a valid legal basis for collecting and processing personal data. If personal data is available online, it does not mean you can use it. Make it easy for individuals to opt out at any time.
- Respect privacy preferences: Never share or sell their data without permission.
During the workshop, participants will learn more about implementing those principles in practice and how prioritizing privacy can drive business growth.
What to do with AI?
With the rise of AI tools in data processing, startups face new privacy challenges depending on whether they use third-party AI tools or develop their own. Here is what Nikola advises for each scenario.
When using third-party AI tools
Startups must be cautious about how third-party tools handle personal data. If the data provided as input is used to train or fine-tune the AI, personal data could become embedded in the AI, making it hard to remove (a challenge when addressing the “right to be forgotten”). This data sharing introduces risks, as startups may not have full control over how this data is processed, stored or shared. They can navigate these challenges by thoroughly vetting AI vendors.
When developing in-house AI
Startups must ensure data security from the start by implementing robust encryption and preventing AI models from unintentionally leaking personal or sensitive data. They should also ensure that datasets used for training do not contain personal data, or that they have a valid legal basis for its use. As deleting personal data becomes complex once integrated into AI models, startups should adopt a “privacy by design” approach, considering data protection at every stage of AI development.
Next steps to stay ahead of privacy regulations
As demand for more control over personal data increases, privacy regulations are expected to become stricter and more widespread globally. For startups, staying ahead of these changes means taking a proactive approach. Here are a few steps Nikola and Kristina point out:
- Staying informed: Keep track of changes in privacy laws, especially in the regions where you do business. This could mean subscribing to updates, attending webinars, or getting advice from privacy experts.
- Investing in privacy by design: Make privacy a core focus in product development and business operations from the start so you can handle evolving regulations smoothly.
For startups that fall in the high-risk segment, Kristina suggests dedicating a person/team just for these data protection/privacy matters as soon as possible, and as soon as you can afford it.
“Find yourself a counsel who will understand your core business, is knowledgeable about the regulation and will enable you to navigate this landscape strategically, so it works to your advantage.”
With all that in mind, don’t forget that privacy is an ongoing commitment: Nikola advises regularly updating practices to stay ahead of regulations and risks. Join them at the upcoming workshop at the Infobip Shift conference to learn more.