Data privacy. It’s quickly turning into the business world’s buzziest buzzword.
With privacy regulations becoming both more common and more robust, and consumers increasingly expecting more control over their personal information, you don’t have any time to waste in building your privacy program. After all, data privacy is complicated. It’s normal to feel overwhelmed, confused, and like you have a thousand questions before you even start.
So what do you need to know? We’ve compiled a list of the top 6 most common questions our clients bring to us.
Fair warning: just like with a conversation with a three-year-old, some of these questions lead to more questions.
#1—Can we understand our own privacy policy?
Another question that goes with this one (I warned you!) is “When was the last time you read your privacy policy?”
New laws like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) mandate updated, transparent privacy policies that explain how you are collecting and using consumers’ personal information and/or customer data.
If you want to both comply with regulations and meet best practice standards, you’ll ditch the four pages of dense legalese in your old policy and upgrade it with a new policy full of user-friendly language that clearly details your data collection policies. You might also think about creating a visual representation of the summary points, like a colorful infographic that uses icons and boxes to explain data use and collection.
One more question that comes with this one—do you know the last time your cookie banners were updated? If not, read the steps above, rinse and repeat.
#2—What do we know about the data we collect?
Ready for a laundry list of questions that fit with this one? Here goes:
- Do we know what personal data we are collecting?
- Are we collecting data we don’t need?
- Do we know where and how long data is stored?
- Do we know what we are doing with the data we collect?
- Do we know who has access to sensitive data like a phone number or birth date?
- Do we know who we share our data with?
These questions may seem overwhelming, but the answers will give you the roadmap you need to build a compliant, agile privacy program.
Having crystal clear insight into the lifecycle of a data record in your system will help you identify where your data is at high risk of being compromised, where your program is out of compliance, and which of your vendors are safe to use.
#3—Do we design our tech stack with privacy in mind?
Here’s the deal—it’s easier and more cost-efficient to build a privacy-friendly system from the ground up than it is to try and squeeze the functionality you need out of your existing setup.
Think of it like building a swing set. Instead of reading all the instructions, you throw it up in two hours on a random Thursday night. Two days later, you hear a dramatic screech every time your kids swing and you find a big crack down one of the support posts, all because you used the wrong screws and cemented it on an unlevel surface.
Here’s why you need to get your tech, data security, marketing, and privacy team all involved in designing your IT infrastructure:
- If you start out with privacy in mind, the programs you select and the processes you develop will be more agile and better able to quickly adapt when privacy laws/best practices change (which, trust me, they will).
- You’ll have to do less re-training for your employees, since they will already be following workflows focused on securing data.
- All your teams will have ownership of your privacy program, making them more committed to following through on training, engagement, and compliance initiatives.
(Bonus: this question didn’t have another question. You’re welcome!)
#4—Are we compliant with (insert privacy protection act name here)?
Ready for the sub-question? Do you know what privacy regulations apply to you? Depending on the size and complexity of your business, there may be more than one. If you don’t have an in-house legal team, a privacy compliance expert can take the guesswork out of your compliance program by making sure you fully understand your obligations and know how to meet them.
One big piece of compliance is handling data subject access requests (DSARs), also called individual rights requests. This is the process consumers (also known as data subjects) go through to request access to the data you store about them and to learn how you use it.
This goes with questions two and three. You need all teams on board so that you understand exactly what data you are collecting, how you are using it, where it can be accessed, and by whom.
A little plug for Red Clover Advisors here—we’re the brains and legs of data privacy. We provide practical guidance in developing, implementing, and maintaining an affordable data privacy strategy that prioritizes exposure reduction and builds trust with your customers by placing their privacy at the core of your operations.
#5—Are we prepared for a data breach?
Most data privacy laws require you to take “reasonable security measures” to protect your data (so there’s your next question—do you have adequate safeguards to protect against a security breach?).
No system is perfect, which means at some point it’s likely you’ll have to deal with a hack that compromises the integrity of your data. In fact, research shows that 60% of small businesses are hacked each year. You need to ask yourself:
- Do we have an incident response and management plan that includes who in your company will be notified and in what order, what job each person has, how and how soon affected users will be informed, and which outside vendors can be brought in to help?
- Which government agencies/people need to be notified and who will do it? (In CA, the attorney general is currently responsible for enforcing the CCPA. In the EU, it’s the local data protection authority.) You don’t want to start off on the wrong foot by not looping in the people who can shut you down.
- How will we maintain business continuity while we are locking our system down for a forensic investigation?
- Will we need a media response? What will that look like and who will run it?
A data breach is, by any definition, a crisis, and you can’t prepare for everything that happens in a crisis. But there are things you know you will have to deal with, and preparing for them in advance will leave you the bandwidth you need to deal with the curveballs.
#6—Are we getting enough credit for what we’ve done?
We’re not talking about the kind of credit that comes with a credit card. We’re talking about credit from your consumers and your industry peers.
Most companies look at privacy compliance as a cost center, a drain on their resources they have no choice but to keep pouring money down.
I encourage my clients to see privacy more as a product or service they offer. Promoting your privacy program is a great way to give your organization some positive publicity and earn consumer trust.
Apple is a great example of a company that uses its privacy program to differentiate itself from its competitors. Chrome owns 69% of the browser market. Still, Apple dominates the conversation surrounding online digital privacy and internet tracking because they’ve made privacy a product that comes free with every iPhone or MacBook Pro.
Be like Apple. Put out a press release announcing your commitment to consumer privacy. Put a big, splashy announcement on your homepage. Send out an email to your privacy-compliant subscriber list that walks them through the options they have for controlling how you use their sensitive personal information.
It will pay off big in brand awareness and loyalty.
Privacy Checklist
Check out our Privacy Checklist for tips and practical guidance to establish a sustainable compliance program.
You’ve got questions, we’ve got answers
Red Clover Advisors specializes in simplifying data privacy practices so your business can build a privacy program that goes beyond compliance to build trust with your customers and give you a competitive edge over your competitors.
Give us a call today and let’s get started answering these six questions. Together, we can do it.