KRISTINA PODNAR, HOST: After years of collecting as much data as they could, organizations everywhere are starting to realize that all of that data has an evil twin: risk. Data breaches are commonplace, and misuses of personal data are everyday headlines.
It’s clear that consumers are becoming more aware that their data is a valuable resource, and they’re asking more questions about how it’s used and who has access to it. It’s no wonder that in a recent Pew survey 79% of U.S. adults said they have concerns about how their data would be used by companies that collect it, and 59% have very little or no understanding of what businesses do with their data.
Governments, too, are starting to pay attention, as demonstrated by the General Data Protection Regulation (GDPR), the California Consumer Protection Regulation (CCPA), Nevada’s Consumer Privacy Law, South Africa’s POPIA, Brazil’s LGPD and others.
Data privacy laws are the new norm, and proposed regulation is sprouting up in the US and around the globe. Even in China, where one might think of data privacy as non-existent, we saw in December the Cybersecurity Administration of China (or CAC) and three other ministries working on measures around lawful collection of data by companies.
But there is so much more to data privacy than the required compliance with laws. And certainly, a lot more than the common privacy statement in the footer of your website. So, what does that look like and why think about privacy beyond the minimum required to check the box?
As I recently wrote in my monthly newsletter, companies that are adopting privacy as a programmatic component are seeing the same type of benefits that you can:
- Decreased compliance costs as they proactively adopt privacy principles and have them in place ahead of new regulations.
- Preventing data breaches, which can cost thousands (or even millions) of dollars, not to mention the headache of such a security incident.
- Saving users and employees the disruption that goes along with data breaches, in some cases, physical ones, as criminals boost their omnichannel crime opportunities.
- Boosting go-to credibility with users. In another Pew report, 93% of users surveyed said it was important to them to have control over their data and who sees it. Enough said.
- Allowing investors to trust and boost venture capital infusion into the business.
- Positioning the organization as a leader against competitors who are lagging in privacy practices.
- And interestingly enough, there is a drive in innovation as businesses consider how best to incorporate privacy into products, leading to new ideas that have marketplace relevance.
So when we look at who is doing this in real life, it might seem like the good privacy stories are not making any headlines. Apple has recently hyped its commitment to privacy, and we’ve seen Google, Brave, Microsoft and Mozilla get together to talk web privacy. But that’s the big tech and as we know, it is more shine than it is substance. But under the quiet veil of these stars, there are real-life companies doing a good job at data privacy. Some of the ones I have come across are:
- Slack, which is very clear about the fact that what data is created by teams belongs to the teams, and stays that way.
- The Guardian, which demonstrates to the user the benefits of giving data to the Guardian and provides transparency around the money earned from advertisers.
- Audi, which writes many of its notices and cookie consent statements to a 10th grade reading comprehension level, also focuses on complete transparency in how and from where it collects data about you, including dealership, online referral sites, and your car.
- Salesforce, which as a platform allows many organizations to do things that don’t align with privacy principles, has made it clear that it does not sell any information that organizations host on its platform and provided transparency to underscore that commitment.
- And there are other everyday unsung heroes out there for whom the struggle is real, but they are fighting the good fight. I have not seen anyone nail this 100%, but that is unrealistic to start with given the age we live in. But everyone who is doing a good job has fundamentally adopted privacy as a pillar of business operations and is steadfast in respecting user privacy.
If you belong to a company that has yet to even start a privacy effort, and I see many of these every day (just not large corporations), make sure you get started with the very basics. As I explain in my book, the minimum required around privacy is having a statement on your website. And while adding a privacy statement to your website is important for compliance, it’s not a policy. From a policy perspective, I encourage you to adopt the goal of GDPR—privacy by design—and start collecting only the data you really need.
Here are some other things to think about for your data privacy policies:
- Revising contact forms to collect only essential information.
- Getting explicit consent to use consumer data for marketing/promotional purposes.
- Establishing protocols that ensure the consent you get is legitimate (Children, for example, may not be legally able to grant consent for the use of their personal information. User-generated content is another example: A photographer can grant consent to use a photograph from a copyright perspective, but they can’t give you the right to use the likeness of other people in the photograph.)
- Keeping records that prove how/when consent was given.
- Establishing triggers for automatically deleting consumer data (for example, when a former customer doesn’t engage with you for six months).
Ultimately, the goal is to implement policies that reflect the philosophy at the heart of the GDPR and most other regulations: to strive for privacy by design. In other words, instead of implementing privacy policies as bandages for patching up broken processes and policies, it’s better to design new processes and policies that reflect the “new” reality—that personal data belongs to the customer. Your organization can only “borrow” it, and you can’t even do that without permission.
To sum things up, data privacy should be a top concern for all organizations—large or small, for-profit or not-for-profit.
If your organization already has a privacy statement and policy, and you’ve done the basics to get a privacy program up and running, this is the time to start running a bit faster. I urge you to:
- Gain executive support, including from the Board of Directors. The fiduciary responsibility of these individuals is ensuring the success of any privacy program to protect the organization from risk, which translates into money and stock performance. Senior leadership needs to demonstrate commitment to the privacy cause through funding, championing, and participating in the privacy program. If you have a mandate to stand up a privacy program but you don’t have the staff and a budget to go with it, it is doomed to fail.
- Ensure accountability for the program. I recommend that the digital policy steward for your organization own the program, with accountability for managing privacy through the entire lifecycle, from initiation, through rollout, and measurement and reporting back to the executives.
- Develop the policy and training. Remember, as I already said, a statement on your website is not a policy. And a policy is not a document that lives on SharePoint. Make sure that you provide training, job aids, and other support to enable privacy in the organization.
- Make sure that privacy requirements are extended to your vendors and third parties. Ultimately, you are on the hook for what your vendors do. And if they don’t integrate privacy into your mobile application, or if a marketing agency collects unnecessary data that is later exposed, your users will have nobody to blame but you. So work with procurement to tighten up that aspect of the privacy program.
- Implement privacy measures and mitigation plans. I used to work with someone who would always say “You can’t manage what you don’t measure”. How true is that? You need a sense for how well you are doing as an organization around privacy and make sure that the reality matches your objectives. If there is a discrepancy, make sure to address the underlying issues and correct them.
And remember that no matter what you do, whatever policy you develop, the training you put in place, the reminders you send out, it comes down to the individual behavior of every employee and consultant, and it comes down to deliberate actions which stem from individuals and your culture. To that end, I have two exciting guests this month on the podcast.
- Amaranatho Maurice Robey will give us the inside scoop on how being mindful and practicing deliberateness allows for privacy practices that are natural to the organization. I am so honored that he found time to share his insights, and I promise you won’t want to miss that conversation.
- Also, I am happy to welcome Hema Lakkaraju to the podcast. Hema has an incredible compliance background and will share how you can address privacy compliance holistically, so that you are not continually experiencing the whiplash of new regulations, such as GDPR, CCPA, LGPD and POPIA. While her focus is in healthcare, the methodology and privacy approach that Hema shares are applicable to any industry.
With that in mind, join me next time on The Power of Digital Policy. Until then, be well and do good policy work.