Related Posts
Thanks for starting this!!
Any tips to learn dsa?
Additional Posts in Privacy Law
Can you incorporate SCCs by reference in a DPA?
Anyone take the CIPM recently? How was it?
New to Fishbowl?
Download the Fishbowl app to
unlock all discussions on Fishbowl.
unlock all discussions on Fishbowl.




Mentor
Startups are never compliant. Their job right now is to grow. Privacy is a nice-to-have until their risk exceeds their risk tolerance. You help them calibrate risk, you don't dictate their tolerance level.
This. Just keep an eye on things as the company grows and advise on risk to help set thresholds.
In addition to the points made previously, I would emphasize the vast difference between a risk-based approach (which basically means doing little for most startups until they get some decent funding, especially if they aren’t in a privacy-sensitive area) vs. actually wanting to do incredibly risky, or even malicious, things with data.
This is unrelated, but I am so happy to see some nuanced thinking here. It is so tiresome when people see things only in black or white terms.
Startups' risk tolerance can be high, but privacy law can be black and white.
Try to understand whether there are business-side folks who are open to creating a culture of compliance. If not, decide whether you can live with the risk level.
Mentor
Neither of those examples are black and white, especially in the US. Those are the places you CAN push things.