Privacy for the newly appointed (and already exasperated) DPO

  • Jun 27, 2025
  • 7 minutes read
  • 1407 Words

Every other week, regulators around the world bombard their constituents with new data protection laws and acronyms. As the person who was just voluntold you’re now responsible for privacy at your startup, in addition to all your other duties and without any additional resources, how can you possibly be expected to keep up—let alone contextualize that information to maintain compliance?

Privacy, at its core, is an ethical issue, which means the solution to your privacy challenges is deceptively simple: do the right thing and be transparent with your customers. That’s it. That’s what everyone means when they say “privacy by design.”

We know: easier said than done. Sometimes it requires a cultural shift, and doing the right thing doesn’t always align with the short-term business objectives of a startup. You’re not alone—plenty of marketing teams think that “data minimization” is a four-letter word. They’re not trying to be evil, but whether they’re being pragmatic or reckless can be a matter of opinion. Below are some helpful arguments to convince even your most stubborn stakeholders to invest in privacy and earn trust with your customers.

If you’ve been tasked with this, informally or with the DPO (“Data Protection Officer”, which is Legalese for something in between a hall monitor and a scapegoat) title, this post is for you.

For the sovereign citizens who don’t think regulations apply to them:

Regardless of where you operate, what industry you’re trying to revolutionize, or which market you want to serve—privacy applies to your business. It’s literally a basic human right, specifically called out in Article 12 of the United Nations Universal Declaration of Human Rights. If that weren’t enough, 80% of the world’s population is covered by some form of national data protection law, and those 80% tend to be overrepresented in the audience buying services from startups. The two most notable frameworks—the EU’s GDPR and China’s PIPL—even have an extraterritorial scope, meaning data protection authorities can levy fines even if you’re not operating in that jurisdiction.

If these stakeholders still refuse to acknowledge that privacy applies to the business, and ask you to pad the budget for potential enforcement actions instead, let them know it might actually be cheaper to comply. Between 2018 and 2025, the average GDPR fine was roughly €2.4 million ($2.8 million), and the number of fines issued increases by about 10% every year.

For the cave(wo)men who think privacy and security are the same:

We like to use a human body analogy to clear up this misconception:

Imagine your business as a human body. Think of all the data as blood, with each organ representing a different business unit. Security is the blood vessels—facilitating and protecting the flow of blood/data. Privacy, on the other hand, is like the autonomic nervous system—it regulates how much blood/data goes to each organ/business unit so everything functions properly. The goal isn’t to restrict flow entirely—it’s about balance, ensuring the body (your business) works harmoniously.

This metaphor can also be extended to data breaches. You can probably clean up a minor bloody nose/data breach on your own, but if you want a doctor on standby just in case, you probably want a detection and response story (we can help with that).

For the shopaholics who want to throw money at the problem:

You might be tempted to indulge these stakeholders by engaging outside counsel. This isn’t a bad idea, but it won’t solve all your problems. If you do engage counsel, it’s best to have a targeted approach. Questions that are money well spent with outside counsel include:

  1. We’re launching in [country]. What data protection laws apply to us? How do we adjust our contracts to reflect the new countries we operate in?
  2. We want to collect and process lots of personal data. Can you help us craft a consent notice and review the privacy policy and cookie notice we drafted?
  3. Hypothetically speaking, if we had a privacy breach, we’d need to provide notice to some customers and regulators. Can you help us craft that message appropriately, and teach us how to appropriately protect internal discussions?

If you’re more cost-conscious, you can start with Latacora’s GRC team. We offer advice based on actual operational experience and help you both understand and do the work needed to achieve compliance. Useful questions for us might include:

  1. What do I need to do to comply with [data protection law]?
  2. Fielding customer requests
    1. We were asked to sign a data protection addendum. Can you review to see if this is reasonable and if we comply?
    2. A customer requested a copy of our technical and organizational measures (TOMs), record of processing activities (ROPA), transfer impact assessment (TIA), and data protection impact assessment (DPIA). Can you help us create these documents?
  3. If we stand up a new data center in [region], will it make it easier to comply with local data protection regulations? What impact would that have on our technical infrastructure?
  4. How do I compile a list of subprocessors?
  5. Can you help us build a Data Subject Access Request (DSAR) process?

For the anxious people-pleasers who bombard you with questions:

Their hearts are in the right place—they just need some tools to self-serve (read: self-soothe). Try this script:

“Hey! It’s nice to know there’s someone else here who respects the sanctity of protecting personal data. We’re still assessing how relevant [super random regulation they asked you about] is to us and will prioritize accordingly.

In the meantime, we use these privacy principles to guide decisions about personal data:

  • Lawfulness, fairness, and transparency: We do our best to align with best practices for handling personal data. Whenever possible, our customers explicitly consent to our use of their data; sometimes that consent can be assumed because of contract requirements with our customers.
  • Purpose limitation: We identify a use case before collecting personal data, and use data only for its specified purpose.
  • Data minimization: We don’t collect data we don’t need, and when we are done using data for the purpose specified, we do not retain it for longer than necessary.
  • Accuracy: Personal data is kept up to date. If data is inaccurate, it’s erased or rectified as soon as possible.
  • Storage limitation: We have a data lifecycle that includes deletion. If we want to retain data for longer than we explicitly need it, we obtain consent from the data subject.
  • Integrity and confidentiality: Where possible, we build in preventative and detective controls to make sure data is handled in a way that preserves its integrity and confidentiality.
  • Accountability: Our customers are entrusting us with their data; it’s our responsibility to respect their privacy and demonstrate that respect at all times.

Hopefully this helps you too, and if you come across any projects or initiatives that are in conflict with these principles, feel free to loop me in. Thanks again!”

For the sales bros who prioritize revenue over privacy:

Remind them: you earn trust before you make profit, and transparency is the fastest way to build that trust. It may not be one of the Ferengi Rules of Acquisition, but in a modern data-driven environment trust is as valuable as latinum.

Latacora recommends gently reminding the sales team to a) not be creepy and b) ensure that privacy principles are included in sales processes and tools. The next time they come up with a harebrained idea like using an AI tool to scrape the web for customer data, then proactively sending those customers emails advertising how your product/service could have helped with that problem the customer posted about on LinkedIn last March, remember that you don’t always have to be the one to say “no”. To borrow a lesson from improv, sometimes “Yes, and” is a more effective approach.

You can give them enough material to build their own trap! Explain to them that they can absolutely deploy this AI tool, IF they can first obtain customer consent for the explicit purpose, make it easy for customers to opt out, and incorporate their processing of personal data into the DSAR process.

Disclaimer

Obviously, our impertinence towards your stakeholders is purely for entertainment. We’re not encouraging passive-aggressive workplace behavior. Absolutely nothing in this post should be considered legal advice. That being said, these tactics can help you secure stakeholder buy-in when you’re starting a privacy program. And in our experience, regulators and customers alike go easier on you when you can show that you’re doing the right thing—or at least earnestly trying.