Startup owners and small business leaders often associate Fair Information Practice Principles (FIPPs) only with government organizations, international trade or federal agencies. However, these guidelines provide a straightforward data privacy baseline for small companies operating under a business-to-business (B2B) model. Though the framework was initially developed on a foundation of sectoral laws, actionable strategies have grown out of the five FIPPs documented by the US Federal Trade Commission (FTC), and they can be applied with ease to startup companies. Enforcing FIPPs best practices such as consent collection, transparency and security within B2B organizations provides a robust framework for ensuring that personal data, a customer’s most critical asset, is protected.
FIPPs are not legal frameworks, nor are they meant to be a stranglehold put in place by a government agency; they are recommendations for data protection. These best practices were set out in the 1990s by the FTC to guide privacy as a function in electronic and online marketplaces. The principles for privacy are:
1 - Notice
2 - Consent
3 - Access
4 - Security
5 - Enforcement
The primary value of the five FIPPs components? They’re simple. A startup, scale-up or small B2B organization can put these practices into action with little lift. They do not require hiring a team of privacy consultants, nor purchasing expensive and unwieldy cybersecurity tools.
Obtaining consent from your customers to use, process or store their data is considered table stakes for any business that collects external information from business partners. Regardless of whether your small business is held to a regulatory framework or an international privacy law, it is expected that B2Bs will obtain consent for data access from the businesses that purchase their products or utilize their services.
Fortunately, as consent gathering is now a standard practice for businesses collecting data, it is easier than ever to obtain a “yes to processing my information” check from customers. Two popular and seamless methods are the use of Opt In/Opt Out collection features and the use of contract language.
Opt In and Opt Out checkboxes are available as a standard feature on most website building platforms and content management systems. Enabling them on the homepage of your small business is often done through a website building template, with the click of a button. A second method is to include consent collection provisions within the contract between you and your B2B customer. This can be done by having your legal counsel include specific terms on data collection and consent for processing within the master services agreement.
Data privacy is paramount in 2022, as the focus for B2B companies has shifted to be less on security and more on the protection of data collected from customers. As such, allowing a customer to access the data you hold on them, or to be informed of what those specific data sets are, is now a business fundamental. Regardless of the type of data your small business gathers, a bedrock of information processing is allowing data access for those purchasing your product.
Like the principles mentioned above, explicit disclosure of the data you are collecting, as well as granting free access to it for your B2B customers, can be a stress-free process, provided your startup has defined standard operating procedures (SOPs) in place.
Written standard operating procedures for how to respond to data access requests from your customers will provide the framework for what information can be disclosed and how the data sets can be sent electronically to customers. These simple SOPs should be written in clear language, free of privacy engineering jargon, and incorporated into your organization’s information security policy. SOPs detailing the steps to manage access requests from your business partners ensure that simple, repeatable procedures for disclosure and transmission of information are followed in each case. Making sure that your processes are followed exactly as written in the policy each time a customer sends an access request is a data privacy best practice.
The fourth principle calls for guaranteeing that the data gathered by your startup is maintained with integrity and stored in a secure manner. This is perhaps the most difficult principle to follow, due to the shifting risk landscape and the ever-present threat of security vulnerabilities and breaches.
However, security best practices to protect customer data oftentimes do not require the purchase of unwieldy security tools or platforms. This principle, though laborious, does not have to translate to “costly”.
Enabling encryption on the customer data you store in the cloud, enforcing multi-factor authentication for the employees who may touch that data, and conducting quarterly access reviews on customer data are three simple but effective security controls that can be put in place by any company, no matter how small.
Enforcement of the above principles is technically out of the hands of startup and scale-up organizations, as it is handled by the FTC. Keep in mind that the agency considers these to be recommendations, though they are what federal and state laws are often built upon.
FIPPs enforcement is an effective measure to ensure that your small business employees are following the above fair practice principles. Referencing that an agency exists to uphold these principles and monitor that they are operating effectively, even in small companies, means that there is backing to these data privacy best practices. It guarantees that they are not empty promises for the customers you serve.
An enforcement arm does not have to be interpreted as a terrifying, overarching agency to be feared by your small company. Instead, it can be viewed as a function that ensures your business is following the privacy best practices that customers expect as the cost of entry.
Oftentimes, small companies, start-ups or scale-up businesses see data privacy as an onerous project that seems too big to tackle while the organization is still young or green. Businesses that are willing to disregard privacy practices and controls will lose out on customers who see data protection as a minimum offering. Fortunately, the five FIPPs offer a simple framework for data privacy control implementation that can be carried out by any business, even if it is new, small or considers itself in the startup arena.
All that is required to start building your data privacy foundation on these principles is transparency with your customers, simple security control implementation on your website, and consent collection via a written form or checkbox. Data protection no longer needs to be an impediment for your small business when FIPPs guide your B2B’s path.