Why African start-ups cannot ignore data protection compliance anymore


African start-ups cannot ignore data protection compliance anymore. PHOTO | POOL

During a visit to the French Data Protection Authority in the month of October, one of the things that stood out for me is how it has witnessed an increase in the number of venture capitalists seeking guidance on the privacy implications of investing in data-driven start-ups.

According to the agency, many start-up investors are looking at privacy compliance as a key metric before they decide to invest in a start-up.

A recent article published by the International Association of Privacy Professionals highlighted how several silicon valley venture capital firms that specialise in early-stage investment have started demanding that a start-up be compliant with data protection laws before they can invest.

A few years ago, data protection and privacy would not have been a priority for investors before they choose to invest in a start-up.

However, the rise of data protection laws around the world and the hefty price that comes with non-compliance are making investors insist on the need for compliance before they invest.

READ: Boost for data privacy as new rules take effect

During the Africa Early Stage Investor Summit 2022, I got a chance to meet several venture capitalists who invest in African start-ups. Some of them informed me that they were starting to also look at how compliant a start-up is with data protection laws before they invest.

This has partly been driven by the number of African countries that are now adopting data protection laws. It is estimated that about 33 African countries have enacted some form of data protection law.

This, therefore, begs the question: how can African start-ups ensure that they comply with data protection laws when creating their products?

One of the fundamental steps to compliance is the adoption of privacy by design and default in the creation of their products. What this means is that, from the get-go when you are creating your product data protection and privacy are factored in and not considered as an afterthought.

Ann Cavoukian, the former Information and Privacy Commissioner for the Canadian province of Ontario, developed seven key pillars that one should consider. These pillars are also highlighted in various data protection legislation in Africa.

These include that as a start-up you should take proactive and not reactive measures when developing your product. This means, that you should be able to foresee the privacy flaws in your product and address them before they occur.

The privacy should be the default setting in your design. This means that when designing your product users should have the default setting of how their data is used to one that ensures their data is safeguarded.

A good example is the encryption of data when it comes to its storage, the automatic deletion of data if it is no longer relevant to your company and the product you create or the collection of data that is strictly necessary to enable your product to work.

READ: Saccos, SMEs lag in data privacy laws compliance

The other principle is that privacy should be embedded in the design of your product and not as an add-on. When creating your start-up in each stage privacy should be considered.