How You Can Make Privacy A Core Principle Of Your Business—And Why You Should
After all, if data is your stock and trade, as it is for many companies in 2019, protecting that data gives you a major edge over your competitors.
Not only that, but promising users privacy—as Apple does, notably—is a great way to earn the trust of your clients. Especially now, at a time when consumer trust in corporations is low and headlines about improper use of data and breaches emerge on a regular basis.
In June, Google and the University of Chicago were sued over sharing patient medical records without removing sensitive information. Amazon is also in legal hot water after allegations that Alexa violates the privacy of children by creating recordings of their speech. Users are taking extended breaks from Facebook and updating their privacy settings following a number of scandals.
There are so many cases of companies misusing data or not keeping it private that we hardly bat an eye when yet another story breaks.
When we’re talking about personal data, what exactly does ‘privacy’ mean?
Privacy rules regulate who has access to data, what data they have access to, what they’re allowed to do with it, and who they’re allowed to share it with.
- In the U.S., data privacy compliance laws differ by industry. For example, in finance, the Gramm-Leach-Bliley Act dictates that banks and other financial institutions have a responsibility “to explain their information-sharing practices to their customers and to safeguard sensitive data.”
- In healthcare, HIPAA covers both privacy and security regulations across a wide range of healthcare categories—pharmacy, radiology, laboratory systems, etc.
- In education, the Family Educational Rights and Privacy Act (FERPA) sets privacy standards for student records at schools that accept funds from the US Department of Education.
- Criminal Justice Information Services (CJIS) is a security policy covering the lawful use of criminal justice information.
But even with these protections in place, today, our personal information is being shared far and wide.
We’re in an era of privacy erosion.
Companies have been collecting and analyzing consumer behavior for decades. But today, we are constantly interacting with multiple devices and platforms that are rapidly generating information about us, making data an incredibly valuable commodity.
This is, essentially, why Facebook is free: It generates massive pools of valuable data. With that data, Facebook’s targeted advertising is incredibly effective and, thus, desirable and profitable. In 2017, Facebook made more than $40 billion in revenue, 98 percent of which came from advertising.
Social media, advertising, e-commerce—there are so many areas where your data is being collected. And that opens the door for misuse and sharing without your permission.
If you want to avoid seeing your company among these types of headlines, here are some common data privacy mistakes to avoid:
1. Companies don’t think about privacy as part of project-scoping.
Privacy must be a top priority during the project-planning process, starting on day one.
- What data is being collected.
- How data is being collected.
- How that data can be traced back to the user.
- How that data can be made available to users (as required by California’s new privacy act that I expect will be implemented nationally).
2. At large companies, there are often things going on that the privacy team isn’t aware of.
The privacy team (or person) needs to be involved at every turn.
If possible, embed your privacy people in every single company initiative and project. A lot of the time, big companies employ a central privacy office led by a chief privacy officer. This is great, but if you take this route, you need to make sure that the office’s policies trickle down to ground-level operations. Otherwise, things slip through the cracks and leaks result.
Also, education across the company is key. Every team member should understand:
- Key privacy items to be aware of and conscientious about during projects.
- How privacy relates to different product features.
- How data is stored and what it’s being used for.
- What specific product features might potentially create privacy risks.
3. Companies don’t even realize what data they’re collecting, or why.
Many companies possess massive pools of data that aren’t tracked or accounted for at all.
Before collecting data, companies should first determine whether they need to in the first place. Is there a better way to obtain needed information without collecting data? Anytime you can avoid collecting unnecessary data, you’re preventing an added privacy risk.
Selling this logic to companies in the advertising/marketing space is tough. In this industry, the general approach to data collection is: “Well, we may not need it now. But maybe we will somewhere down the line, so let’s collect it anyway.”
My default position is that you should never collect a piece of data from a user that doesn’t have an explicit purpose.
Regardless, every company that collects data should periodically review the data they have. Then they should create a map/master list to document and account for all of that data.
4. Companies don’t consider privacy until they’ve already amassed a ton of data.
In this scenario, companies are left scrambling to bolt privacy standards and procedures to products that weren’t built with privacy in mind. This, of course, is incredibly difficult—much more difficult than considering privacy during the design process. The solution? Point 1.
5. Companies move data around and duplicate it without proper procedure.
At large companies, traceability becomes difficult when data is constantly being duplicated, moved, and modified.
At our technology and design innovation firm, Tandem, we had a client in the automotive industry that had thousands of databases. They were constantly moving data between them without much care. And they weren’t even using most of this data—title registrations, license ID numbers, etc.—for anything.
This is the exact type of organization that needs to have a strong, well-defined privacy framework in place. But every company that collects and uses data on any level should, really. In the age of data leaks and compliance lawsuits and other consumer-trust-breaking privacy scandals, it’s a true competitive advantage that we don’t often consider.