We often hear about the power of data. When gathered, curated, analyzed and leveraged properly, good data becomes information and information can trigger optimized actions. As a result, organizations can delight customers, connect members, improve processes, create products or offers which actually sell and meet expectations, all while continuously gaining new business insights.
Of course, the headlines also seem to scream daily about the dark side of data – the breaches, disclosures, identity theft, fake news, fake ads and third-party sharing of personally identifiable information (PII). Because of all this, jobs that focus on cybersecurity are among the hottest, highest-paying and hardest to fill.
Now consumers and organizations must contend with GDPR – the General Data Protection Regulation, which recently took effect for organizations either in the EU, or which utilize data pertaining to EU residents. The new rules have caused a deluge of “updated” privacy policies and Cookie notices that required acceptance.
While the legal world is quite murky regarding the ownership of data, GDPR brings about a new set of asserted rights associated with our personal data. Specifically, the law requires that enterprises obtain explicit consent for the collection, processing, storage, and transmission of data subjects’ personal information – hence the deluge of “permission requests” referenced above. Similar regulations may ultimately become law in the United States, but for now U.S. data policies tend to focus on specific classes of data, such as healthcare, information involving minors and location data.
It would be wise for organizations to practice good data stewardship principles well before they are required to. Proactive organizations can avoid the chaos and disruption that can accompany compliance. Strong voluntary data policies today can also be a competitive advantage, not only in terms of being prepared for regulation before the competition, but also from a customer confidence standpoint. Here are four stewardship guidelines to consider:
Declare your purpose
- What data elements do you gather? (personal demographics, search history, web browsing behavior, ads viewed/clicked, voice interactions, etc.)
- Why are you asking for information? (to deliver requested services, fulfill business functions, comply with regulations, etc.)
- What do you do with the data? (save or store it, combine it with others’ to see patterns, share with third parties, sell it)
- How will the user/consumer benefit by providing the data to you?
Ask permission
As mentioned at the start, most of us have encountered permission requests over the past few months. There are many ways to ask permission, from subtle “click here to accept” banners to pop-ups that block further processing until acceptance is addressed. But do ask, then keep a record of the response.
Membership-oriented and professional organizations have it the easiest here, as they are by nature comprised of groups with some sort of common affiliation; making connections and sharing interests being a primary goal. B2B businesses have similar leverage. Permission is more difficult to obtain for commercial enterprises that have no previous relationship with users.
Lock it up
Protect your data – this is a business imperative (already required of public companies through federal Sarbanes-Oxley law requirements). Encryption is just a starting point. Wrap processes and controls around the data. While your business purpose is to leverage the information, your culture can also embrace respect, care and stewardship as well.
Recurring announcements of data breaches may have yielded a degree of overall numbness to such incidents, but make no mistake: The cost to remediate is high, and the cost to reputation is even higher.
Keep your own promises
With apologies for being direct: Don’t be like Facebook, where data privacy controls for users until recently have been hard to find and complex; data has been shared externally both by intent and inadvertently. Avoid the PR nightmare of recurring new disclosures offered without specific endorsement, here is an example of a transparent and understandable “What We do with your Data” statement from Google. You may or may not like it, but when you accept you know what you get.
The lesson learned here is that strong, proactive and clear policies on how your organization handles data privacy is bound to become a point of differentiation. And that can work to any organization’s advantage when considered early and often from the customer’s vantage-point.