9 steps organizations can take to get ahead of new data privacy laws
If there was ever a time for companies to step up their privacy practices, this is definitely the year. With the California Consumer Privacy Act of 2018 due to take effect by January 2020 and a potential new U.S. federal privacy law that could supersede it, business leaders would be wise to start taking stock of their privacy practices.
It doesn’t have to be difficult. Companies that are serious about upping their privacy game can get a head on legislation with these 9 privacy principles:
1. Become a Data Steward
Change your corporate culture from “data user” to “data steward.” Remember that you are not just protecting a business asset. You are protecting information about people – people who could be harmed if the data is lost, disclosed, stolen or misused. Your customers trust you with their data, so make sure you live up to it. Apply best practice standards for data security, restrict access to a “need-to-know” basis and make sure data is properly encrypted.
2. Be Accountable
Be respectful, and transparent about your privacy practices – don’t bury them in long-form legalese. A company that is proud of its privacy practices will prominently display them when users first encounter their service. Honor customer requests to have their personal data corrected and deleted. When something goes wrong, be honest and open about what has happened, do your best to contain the harm and provide your customers and affected third parties with reasonable support to fix the situation.
3. Don’t Use Consent to Excuse Bad Practices
Make sure your privacy practices are lawful, fair and in the interests of your customers before seeking their consent. Don’t ask customers to agree to unfair or unreasonable privacy practices, or to consent to something they have no hope of understanding.
4. Provide User-friendly Privacy Information
People are more likely to understand how their personal data is being collected, used and shared if you explain in plain language what you will do and why when you collect their data. Remember to keep the information relevant and easy to understand. Don’t be vague. Be precise about what you are sharing, with whom and for what purposes.
5. Give Customers as Much Control as Possible
You should give customers easy-to-use privacy controls and make privacy a default, not an add-on. Request the minimum personal data that you actually need. Don’t just rely on an online template form that requires all personal information fields to be completed before proceeding.
Make sure to also have an easy process for customers to request deletion of their personal data. Don’t hide the options to delete account and personal data – make them prominent and easy to use. Allow users to withdraw their consent and honor that request.
6. Respect the Context
No one likes surprises. Imagine if your online dating interactions were shared with a credit reporting agency. Or your fitness location data was used for targeted advertising for something completely unrelated like online gambling. Or your messaging app contacts were sold to an election campaign. Don’t be that company. Limit your use of personal data to the purpose for which it was collected. Don’t allow unauthorized or unwarranted secondary uses of personal data.
7. Protect “Anonymized” Data as if it was Personal Data
Even though privacy laws may exclude anonymized data, a smart company will still protect it as if it were personal data. There is always a risk that the data was not properly anonymized initially and someone could trace it back to the person to whom it relates. Also, consider the risk that even anonymized data could sometimes be used to single out an individual, and to potentially discriminate against him or her.
8. Encourage Privacy Researchers to Highlight Weaknesses, Risks or Violations
Just like security, getting privacy right is hard. That is where outside experts can help. Invite privacy researchers to report privacy vulnerabilities or violations that they may discover and offer an open and transparent process for responsible disclosure. As you develop new services or product features, consider inviting an audit from independent privacy experts. If you can make the results of those audits public, you would be contributing to the general pool of knowledge about privacy in design.
9. Next-generation Privacy Standards
Be the company that is known for setting the next generation of privacy standards. For example, consider offering customers a convenient record of what personal data you collected and their consent to its handling, like a “consent receipt.” You could also extend extra privacy protections to the personal data of third parties that have been uploaded by customers and look into better ways to handle privacy preferences of group data (e.g. a group photo).
Trust is not an easy thing to earn, but it’s critical to maintain customer loyalty. Take the time to get your privacy practices up to code and you’ll reap the rewards of long-lasting customer relationships based on genuine trust.