"Ultimately, every step you take towards protecting users and complying with regulations is a critical one. This is true at every level of the company, from how you manage vendors and partners, to how you train staff and enforce policies."
Joe Martin, Product Marketer @ PostHog
When you’re building a great product, staying on top of privacy requirements isn’t easy. It’s harder to implement privacy principles into the product and operations after you’ve already started, and the more advanced you are, the harder it becomes to consider privacy and compliance requirements.
What is the ‘A-List’?
hoggo’s Trust Hub uses a sophisticated algorithm to assess vendor risk and build vendor risk profiles. The Trust Grade is then assigned to each vendor based on the assessment. In our ‘A-List Privacy Tips’ series, you will hear from our A-List (i.e., vendors who achieved a Trust Grade of A) what they are doing right so you can learn from their journey and experiences.
PostHog is an open source product analytics company.
Their open-source platform lets developers track product usage, understand the impact of new features on user behavior, and integrate product and user data with data warehouses – all without sending any data to a 3rd party.
Keeping up with privacy regulations isn’t easy for analytics companies, since they track usage and behaviors. PostHog, however, seems to be doing things right:
- They are transparent and allow their users to choose hosting locations.
- They have a comprehensive FAQ page regarding privacy.
- They are very responsive to any privacy-related questions or requests for clarification regarding their Data Processing Addendum.
Privacy Tips From PostHog
The tips Joe Martin shared with us could be of benefit to any company, whether it is just getting started or already has some roots.
Do you see data privacy as a mere legal obligation or do you think there are other aspects to it? If yes, which ones?
“PostHog is an all-in-one platform for analyzing, testing, observing and deploying new features — which means we ingest a huge amount of user data every day. It’s incredibly important that we respect user privacy, and that we empower our users to do the same for their users.
That’s why, for example, we offer guides to help users deploy PostHog without cookie banners, or to build cookie banners themselves. Even when we aren’t compelled by law to empower users to think about things such as data minimization, we still do it out of principle!”
💡 Key Takeaways: Giving customers privacy features and going the extra mile has a significant benefit. The result is trust, and from now on, your customers will always search for these things, and they’ll remember you offer them. Similar approaches can be seen in big tech companies like Apple, which offer privacy features like “privacy browser” despite not aligning with their business model.
What key strategies or practices would you say have contributed most to the success of your data privacy program?
“We obviously try to stay informed about all the latest rulings, but what’s helped us most is talking directly to our users about what their needs are. This means we make informed decisions about what matters most to our customers and focus time where it matters — rather than just pursuing every privacy certification we can needlessly.”
💡 Key Takeaways: Consider not only legal requirements but also your users’ privacy expectations.
How do you drive internal collaboration around privacy matters?
“PostHog is small, 100% remote, and divided across 10+ countries — so we’ve thought a lot about how to make collaboration easier. Mostly, it comes back to two aspects of our culture: that we’re transparent and meeting-averse.
Transparency encourages our teams to work in the open and to take responsibility. It also means all decisions have a clear trail of documentation, which makes it easy for others to iterate and build on our work. It’s a key part of how we ship so quickly, and how we approach compliance and privacy projects.
Having fewer meetings (to the point that we have two no-meeting days each week) means we focus more on getting things done than getting consensus. Meetings often sound collaborative, but they are often just performative. Having fewer meetings helps us accomplish more individually, and together!”
💡 Key Takeaways: Transparency is essential to maintaining strong data privacy programs by ensuring clear documentation and accountability.
Can you share one specific challenge you’ve encountered related to privacy management within your company and how you overcame it?
“SOC2 compliance was a big challenge for us with such a small team. There were only 30 team members at PostHog at that point, and only three people in the Ops team that was leading the project.
We overcame the challenges as a result of our approach to internal communication. At all times we had a single person who was leading the project, an organized list of tasks that was visible to all team members, on-going conversations with other teams to collect information, and regular company-wide updates.
We even had the item on our public roadmap, where users had voted on the importance of SOC2 compliance — this helped us stay motivated.”
💡 Key Takeaways: When it comes to compliance goals or certifications, internal communication is essential. A good strategy would be to have one person lead the project and have an overview of the other people’s responsibilities.
Are there any emerging trends in data protection that you think other organizations should pay more attention to?
“The biggest trend we see is that companies are getting better at data minimization. Teams are realizing that they should only hold the data they need in order to provide a great service, rather than finding ways to commodify it. The more data you hold, the harder it is to justify it and the more risk you accept.”
💡 Key Takeaways: Data may be the new oil, but collecting vast amounts of it without a clear purpose poses additional risks.
In your opinion, what are the most critical steps that all companies should take to ensure data privacy and compliance with regulations and customer expectations?
“Ultimately, every step you take towards protecting users and complying with regulations is a critical one. This is true at every level of the company, from how you manage vendors and partners, to how you train staff and enforce policies.
One often overlooked step in my experience is having a clear response plan for potential incidents before they occur. If an incident occurs you need to have clear procedures for notifying users and mitigating damages, as well as criteria for when this should happen.
A good response plan helps you react faster, calms staff, and encourages you to make sensible decisions that are understandable later. Create one, and review it regularly.”
💡 Key Takeaways: Having an internal response procedure in place before a breach occurs is essential to minimizing damage, both for the company and the users. Don’t wait for something to go wrong; be proactive and prepare for the worst.
Do you think data privacy could help companies build trust with their customers? If so, how?
“We see this as a minimum expectation from users which companies need to meet. Our users are incredibly data-literate and have high expectations about how data should be collected and used. For them, data privacy isn’t a value-add — it’s a basic requirement!”
💡 Key Takeaways: Users expect privacy. Neglecting it might affect business opportunities and lead to loss of customer trust.
This interview with Joe provided a lot of good insight into how data privacy isn’t just a legal requirement; it’s a market expectation and has a lot of business advantages.
By using TrustHub, you can enhance trust with your customers and users today by claiming your company’s Privacy Passport. Consequently, the privacy due-diligence process you are either conducting or undergoing (or both) can be shortened by at least 37%.
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.