I’m not sure when the term “data privacy” became mainstream, but it happened in the last 3-4 years. The 2016 U.S. Presidential election became a prominent example of how data could be used to sway public opinion. This led to a larger conversation on how companies should handle customer data.
From my standpoint, three factors are driving this change – new laws like GDPR, the increased role of data in our lives, and major events like the U.S. presidential elections. First, let’s talk about what data privacy is before moving on to how your company can ensure compliance.
Data privacy sounds like a term from the future. Data has existed for decades, but it wasn’t until recently that we, as consumers, became aware of our data.
As individuals, we now have data in the form of social media connections, sleep tracking, fitness workouts, shopping and purchasing habits, and more. We’ve all seen examples of ads that seem to know exactly how we think or act. Sometimes, these ads cross the line into “creepy” territory.
As businesses, we need to balance the benefits of data with the responsibility it brings. Data allows us to know our customers better, but it also provides opportunities for misuse and data breaches.
If you want to see the granularity of data tracking, simply open an app like Google Maps. By default, this app tracks all your activity and visits to physical locations into a single view called “Timeline.”
This is a view of a bike ride I did on a Sunday afternoon. I used Google Maps for directions for part of the ride, but Google actually knows all the different locations I visited. Over time, it will see my favorite coffee shops and businesses around town.
This is just one app among many that we all use regularly. What happens when all this data is centralized into a single customer view? I trust Google with my data, but I’m not sure about other companies.
As individuals, we need to be aware of who’s watching us and who has access to our data. As a corporation, we need to provide assurances to individuals that we aren’t abusing their data.
Companies have metaphorically struck gold in the form of data. It helps with your marketing, product onboarding, sales, financial projections, and more. Like gold, data should be protected in the most secure vaults.
In recent times, new regulations have forced companies to tighten their security protocols around data.
Laws like the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA) are driving this mandate. GDPR is a law passed by the European Union in 2016, and California passed the CCPA in 2018. HIPAA was passed in 1996 but has continued to be important for healthcare providers.
These laws establish guidelines for how companies should store personal data and the consequences of failing to do so. If you don’t think fines are a big deal, here’s a list of what companies are being asked to pay just under GDPR:
Besides the fines, data breaches are a big deal. A recent study by IBM estimated the cost of a data breach at “$242 per stolen record, and more than $8 million for an average breach in the US.” Think of how many records your company collects right now and what would happen if even a small portion of those were leaked.
This is the legal and financial perspective of data privacy. Within your company, you’ll also experience the workforce perspective.
All teams and individuals within companies want more data. Marketing wants to know the performance of their campaigns, sales want to know the behavior of prospects, engineering wants to know about technical issues, and so on.
Teams rely on this data to do their jobs and hit their goals. Telling them that they can’t have it because of “privacy concerns” won’t cut it. This is like asking them to build a house using only their bare hands.
Trying to organize your data can feel like drinking from a broken fire hydrant. Therefore, we need to prioritize how we consume and store it. Not all data has the same importance, and you shouldn’t treat each piece of data equally. I break data down into 4 different categories – personally identifiable information (PII), customer-centric, anonymous, and qualitative.
Category 1: Personally Identifiable Information
Personally identifiable information (PII) is the data type that everyone worries about. It typically covers things like emails, phone numbers, social security numbers, and biometric data like faces.
PII needs the highest security possible, and you should avoid sending it to external services unless absolutely necessary. I recommend that my clients encrypt it before use so that they can still track users on an individual basis without referencing their name or email.
The encryption here doesn’t have to be fancy. It just means that instead of using the actual user ID, e.g. 123, you transform it so that it appears as something like 09823904. The new value is still unique and tied to only one user, but it has no connection to your original system.
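The ID transformation described above is, strictly speaking, pseudonymization: a keyed hash that the external service cannot map back to your internal ID. Here is an added illustration in Python (not code from the original post); the secret, the field names, and the sample event are all constructed for the example.

```python
import hmac
import hashlib

# Constructed example secret. In practice this lives in a secrets manager and
# is never shared with the external service.
PSEUDONYM_KEY = b"example-only-key-keep-in-a-secrets-manager"

# Fields treated as PII (Category 1 in the post). Hypothetical field names.
PII_FIELDS = {"email", "phone", "ssn", "name"}


def pseudonymize(user_id, key=PSEUDONYM_KEY, length=16):
    """Derive a stable, non-reversible pseudonym for an internal user id.

    HMAC-SHA256 with a secret key: the same user always maps to the same
    pseudonym, so an external analytics tool can still count and segment per
    user, but without the key the pseudonym cannot be linked back to the id.
    A plain, unkeyed hash would not do: user ids come from a small space, so
    anyone holding the output could hash every candidate id and match them.
    """
    mac = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def prepare_for_external(event, provider_handles_pii=False):
    """Return a copy of an event that is safe to send to an external tool.

    The internal user_id is replaced by its pseudonym, and PII fields are
    dropped unless the provider has been approved to receive PII.
    """
    out = {}
    for field, value in event.items():
        if field == "user_id":
            out["user_id"] = pseudonymize(value)
        elif field in PII_FIELDS and not provider_handles_pii:
            continue  # never forward PII to a tool not cleared for it
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    # Constructed sample event from an internal system
    event = {"user_id": 123, "email": "a@example.com", "purchase_total": 42.5}
    print(prepare_for_external(event))
```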
Category 2: Customer-Centric
Customer-centric data covers things that aren’t PII but still reflect customer activity. This might include purchase activity, customer support tickets, and email marketing metrics. This data can be shared externally, but be mindful when combining it with PII.
Category 3: Anonymous
Anonymous data includes website visits or anonymous surveys. You can easily share this data type with external services. This data type is slowly disappearing because of how easy it is to track and identify customers.
Category 4: Qualitative
Qualitative data includes surveys, interviews, session recordings, and heatmaps. This data typically contains PII, but once it is removed, you can safely share this data with external services.
You must protect all 4 data types, but not all data needs the same security level within your company. Anybody who isn’t an employee should have tight limits on all 4 data types, but within your company you should set up groups with different levels of access.
As you embark on a data privacy journey, you need to be ready for 3 challenges – understanding what is going on, compliance rabbit holes, and supporting teams with data.
1. Understanding What Is Going On
Simply understanding what is going on with your data is the first thing you need to be ready for. If your company has never had a data audit, you’ll be surprised at how complex data can be. Data is so easy to collect that most teams do it, but they may not be storing it properly.
I once saw a company with all its most sensitive data in Google Sheets that were being shared all over the place, including with external contractors. I saw another company sending PII to multiple tools, even though no one was actually logging in and using those tools.
2. Compliance Rabbit Holes
Compliance naturally means the involvement of lawyers, and when they are involved, nothing is easy. You must decide between what is “legally safe” versus what is “operations safe.” Lawyers tend to err on the conservative side, which means collecting as little data as possible.
I once had a client where the legal team vetoed everything that we wanted to do because of legal concerns. This is an extreme example of what might happen, but you need to be ready for this outcome.
3. Supporting Teams With Data
Next, you must figure out how to support pressing issues with data. And you don’t have as long as you think to figure this out. Teams are in the middle of product launches, campaigns, and research projects, and they could all use data to do their jobs better.
I used to ask prospects when they wanted to start potential projects, and they always said the same thing: ASAP. I stopped asking this question because it had become rhetorical, and this is what you should expect when asking teams when they would like more data.
People: Who’s Involved?
Determine who will be part of this project. Some questions to start your brainstorming:
Let’s imagine you’re starting with an audit. You will need the help of the technical people to understand how data is being collected and the people consuming the data to understand how it’s being used. You will also need to talk to compliance to determine if you’re breaking any rules.
Finally, you will need to assign people to own this process on an ongoing basis. If someone has a concern about data privacy, who do they talk to? These are the questions you want to answer in the “People” portion of the 3Ps.
Process: How Do We Collect and Store Data?
Process helps you figure out the mechanics of data. You need to design how data enters your company, where to store it, and how people access it. In your flow diagram, identify any weak points and ways to prepare for issues.
Fast forward three months, and imagine that the marketing team wants to add a new software tool that they saw at a recent conference. What data should this software tool receive? Can it handle PII? How does it fit into your overall strategy?
Data will continue to grow within your organization, and you need a way to determine how to handle new requests for data.
Providers: What Technology Do We Need?
Technology is a critical part of your data, and this is your chance to map it out. List every software tool that touches data and prioritize it according to the data category it stores.
Technology can be prioritized based on the data it touches. Anything that stores PII will be at the top of your list. Other technology providers will be in subsequent lists. This is also your chance to establish strict security protocols like two-factor authentication (2FA) and limiting access to specific groups of people.
This post started with the goal of answering a simple question: What is Data Privacy? You can see how complex this topic is and why it is important that your company gets this right. It is also beneficial to have an external perspective as you go through this process because you can easily fall into the trap of breathing your own exhaust.
An external consultant will point out the things you cannot see, while also navigating the internal politics that plague data privacy initiatives. If you’re looking for help, get in touch today, and we can talk about how I can help your company audit your existing data collection, comply with privacy laws and improve data accessibility without compromising on privacy.