Would you allow IKEA to come and look in your wardrobe?
21 Dec 2023 - Frans Vanhaelewijck
Image generated with OpenAI’s DALL-E
Data privacy concerns typically come up in many sales conversations, especially in industries dealing with sensitive information. A common question that arises during sales calls is: “How do I know you won’t sell my data to my competitors?” This question is not just about legal assurances; it’s about trust and operational integrity.
A genuine concern
During a recent forum discussion, someone explained that his prospect raised this very concern. His startup is building a CRM for a niche market and one of his prospects asked following question: “How can I be sure you are not selling my contacts and my leads?”. He was surprised by the question and felt that he did not succeed in convincing his prospect.
The consensus in the forum leaned towards solving this concern by including a confidentiality clause in the contract. Many people explained they already had this in their standard agreements, so what is the issue?
But is that enough? A contract is a foundational step, but trust goes beyond legal documents. The post author suspected if the prospect felt unsure about the confidentiality of his data, he would not be persuaded by a contract clause.
The real issue: Trust beyond the contract
The real issue is about ensuring that your customers can trust you with their data. This trust isn’t built through words or contract clauses alone but through robust internal processes that safeguard their data. In my previous job as a CEO of a software company, I understood that access to sensitive data must be restricted and monitored, not just promised.
Operational procedures for data handling
Limited access: Just like in the medical device company I led, access to sensitive data in any company should be highly restricted. Only essential personnel should have access, and only for critical tasks, and only after explicit agreement from the customer.
Audit trails and approvals: Every access or modification to client data should be documented and audited. In cases where access is necessary, such as fixing a specific bug, the explicit customer approval is logged.
Data encryption and anonymization: To further secure data, employ encryption and anonymization techniques. This minimizes the impact even in the unlikely event of a data breach.
Transparency and audits: Transparency is key. Be open about your data handling practices and welcome audits from clients, or be ready to share audit reports from previous audits you underwent. This demonstrates your commitment to data security.
Note: there may be other (e.g. legal) reasons why data needs to be accessed, and the processes for handling these kind of requests are outside the scope of this post.
Imagine you’ve just bought a new wardrobe from IKEA. It looks great in your bedroom, and you’ve filled it with your belongings. Now, how would you feel if IKEA personnel could inspect what’s inside at any moment? Sounds absurd, right? This analogy surprisingly parallels the concerns many have about data privacy in the SaaS world.
Trust in data privacy isn’t just about what’s written in the contract. It’s a commitment reflected in your company’s daily operations and attitude towards data security. By embedding these practices into your business ethos, you assure clients that their data is in safe hands, beyond just a legal promise.