Startup legal playbook

Protecting your customers’ data


  • Torys’ Emerging Companies and VC Group

Watch this if: you want to know key steps to protect your customers’ information



Tyler Cassack (00:05): Protecting customer privacy is a key element to a successful startup, regardless of the industry that you operate in. Failure to ensure your customers' data is safe can have significant legal, financial and reputational consequences. I'm Tyler Cassack, and I'm here with Molly Reynolds to discuss key questions your startup should ask itself about protecting customer information, and the questions you should be ready to answer from customers and regulators.

Tyler Cassack (00:30): So, Molly, what should founders be focusing on when they're thinking about protecting their customer data?

Molly Reynolds (00:35): The first thing, at its most basic, is to ask yourself: what type of customer data do you handle? If your customers are individual consumers, you probably have their personal information. So you should check if it's basic data like an email address or name, or more sensitive information like financial or payment data, copies of IDs or health details. If your customers are businesses, you've probably got basic contact information about their representatives.

But you also need to check if you have more sensitive, confidential commercial information like trade secrets, business financials, or even data about your customer’s employees. Now, once you have that type of data mapped, then we can determine what data protection laws apply to that information. So for customer personal information, you need to look at where individuals themselves are located and where your company is located.

In Canada, you're likely subject to the federal privacy law known as PIPEDA and if you're a startup or your customers are based in British Columbia, Alberta or Québec, then you might also be subject to additional provincial privacy laws. All of those laws impose certain obligations on your startup, such as you need to have a privacy policy that describes how you use and share personal information.

Your customers need to consent to that policy. You need to apply security safeguards that are appropriate to the sensitivity of the data. And here, it's important to keep in mind that those security safeguards aren't scaled down based on the size of your company. Now, if you have business customer information, those customers might pass on confidentiality obligations in contracts, or ask you to comply with laws that they themselves are subject to.

For example, financial institutions might ask you to comply with banking laws. Medical clinics might expect you to comply with provincial health care laws. And if you have customers globally, you also need to think about what other countries’ laws might apply. And it's impossible to comply with every country's privacy law. So what you might do is identify a high standard like the European GDPR and decide to apply that to all of your data handling globally.

Now lastly, you need to map out which of your vendors are handling customers’ data and how they're handling it. Ask yourself if the contracts you have with vendors contain data protection terms that allow you to meet legal requirements. Do they spell out the ways that the vendors can use your customer data for their own purposes like analytics? Do you know what countries the vendors process your customer data in?

Tyler Cassack (03:13): And if that wasn't enough, you also need to be prepared for common customer questions about how to handle their information and also have answers or even written summaries ready to give them that type of comfort. You're going to get questions from business customers about data protection. And companies are often going to ask you to explain what laws you comply with and what industry standards you align to, such as the ISO 27000-series, or the NIST Privacy Framework.

You can expect to be asked to describe your security framework, including whether data is encrypted in transit and at rest, what type of threat detection and cyber monitoring tools you use, and whether you use multi-factor authentication on email. Customers will also expect to be notified about any actual or potential data breaches. You'll also likely be asked what type of security and cybersecurity insurance you have and what the coverage limit is.

When your customers are individuals, expect them to ask for copies of their personal information, whether you've sent their data to third parties or not, and to remove them from marketing lists. You may also be asked to stop sending customers' data to third parties or posting it publicly, for example, in instances where you have an online forum for customers.

Molly, we've gone through the questions that founders should ask themselves and those they can expect from customers. But what about data protection questions that they should be prepared to answer from regulators?

Molly Reynolds (04:31): So, in the privacy context, customers could make complaints to a federal or a provincial privacy regulator, who can then start an investigation. But those regulators can also initiate their own investigations, for example, if they see media stories about an app that raises privacy concerns or about a data breach. Now, a privacy commissioner might reach out to the company and ask for more information, as well as who your designated privacy officer is, that is, which employee is responsible for privacy compliance in the company.

They might also ask for copies of your privacy policy, your internal procedures, for proof that you obtained consent from customers for how to handle their information, or for details of the third parties who have access to your customer data. You'll want to have this type of information documented so that you can show the regulator you have a privacy management program in place, even if your company is relatively small.

Tyler Cassack (05:29): And if you have a data breach, the regulators may ask for details of what happened, what type of information was affected, how many individuals are impacted, and what you've done to protect these people and prevent a breach from happening again in the future.

Safeguarding your customers' data is a crucial part of building a successful startup, with major legal and reputational implications.

In this video, Molly Reynolds and Tyler Cassack discuss key steps every startup should take when assessing how best to protect their customers' information, including:

• considerations for individual vs. business customers
• data protection laws
• common questions customers have


© 2024 by Torys LLP.
