Privacy in Action — How to protect your business data
The world has its eyes on the unfolding of the Facebook-Cambridge Analytica scandal and Australia’s Privacy Commissioner is just one of the investigative bodies to have launched an official inquiry into the matter.
Meanwhile, for its part, Europe, with its growing discontent with the state of data breaches, has acted swiftly to enact the new GDPR rules.
What does this signal? That the nature of business — indeed, of the way we interact with each other at all — is rapidly shifting. And, in that seismic shift, things are bound to get caught and disrupted in fault lines.
In this case, the disruption involves data.
The pervasiveness of digital technology is no longer a possible future but, rather, has traversed to such an exponential extent that the only question left is, ‘What’s next?’
Source: Australia Bureau of Statistics
Clearly, in 2016, businesses felt that mobile internet access technology was of the utmost importance while cybersecurity and IoT were simply not in the purview. Fast forward just two to three years later, however, and IoT is a buzzword.
That’s how fast digital is changing.
As we move on through the 2010s and beyond, we’ll see a further trend towards cybersecurity as a priority, especially in light of these data breaches. In fact, in 2015-16 alone, 16% of businesses experienced internet security incidents or breaches.
Things are already heating up. What should businesses know and enact in order to protect their business and client data?
Australia’s Official View on Privacy
Business information and intelligence as well as client data and information: Australia has an opinion on it, which is expressed through the Privacy Act 1988, as outlined by the business arm of the Australian Government.
There are 13 principles that govern the act called ‘Australian Privacy Principles‘ (APP). And while these principles tell businesses what they should do, they don’t necessarily outline how.
Before we get into the how let’s take a look at the what of what businesses should be protecting and the definition of a customer’s ‘data’.
If business owners are collecting personal information, that’s an asset. It’s up to them, then, to protect that asset, especially as it concerns the privacy of clients. The details of their lives and decisions are no small thing.
Protection of personal information covers:
- Theft outright
- Misuse of information
- Unlawful interference
- Loss of data
- Unauthorised access
- Modification of any kind
- Disclosure without consent
A client’s information includes:
- Personal and biographical details like name, telephone number, address, date of birth
- Email addresses and digital (or physical) signatures
- Medical records
- Bank account or financial details
- Information on where they work
- Photos and videos
- Information about their opinions or even their decisions, preferences, and behaviours
Project management privacy is not only about compliance — i.e., asking if the ‘rules’ of the policy are being followed. It’s also about examining and asking what data, specifically, is being accessed, identifying vulnerabilities and following up to seal these vulnerabilities off on a case-by-case basis.
1) Need-to-know basis
There are three parts to this ‘need-to-know’ basis recommendation.
- When collecting information, collect only what is necessary at that time. That may be, for example, a name and an email on a sign-up form — and no more. If at a later date, the individual’s job position suddenly becomes relevant, that must be collected at that time.
- At every point that data is being collected, the business must disclose this and have the individual agree. This can be through a small, pop-up message that has an ‘Accept’ button, for example.
- Lastly, ‘need-to-know’ also means those internally who ‘need to know’. Businesses should have some kind of hierarchy for access or a role-based access protocol for employees. As an example, a business storing data ‘in the cloud’ or using cloud solutions for marketing or financial management would allow access to real customer data on a role-based, need-to-know basis. If there’s a justification, they can allow it. The default is no-access.
2) Keep it secure
It’s the business’s responsibility to keep client data secure. This means if they’re choosing to collect and store this data, either on their own servers or outsourced to a secure data protection centre, they are ‘on the hook’ to make sure this storage solution is actually secure.
The ‘old-school’ equivalent of this would be shredding sensitive paper files when they’re no longer relevant.
3) Decide on how to handle a complaint of a breach
The last thing a business wants to do is get ‘caught’, so to speak, without a cohesive response in a moment of crisis.
Often, what stops the escalation of the issue in its tracks is simply the perception from a client, for example, that there is a process in place to respond to and protect their sensitive information
If a complaint of a breach should happen or if actual data gets leaked, what will be the next steps? That’s what every business should be detailing and deciding on.
4) Overseas protection (you may be liable)
The Australian government’s laws say that, if there is a chance that the data will be used, accessed by or transferred to an overseas individual or business, in quite a few cases, the original business is liable for what the overseas business does with the data and how they use it.
In such cases, businesses can use a combination of legal contracts like non-disclosure agreements (NDAs) and technology (such as role-based access) to regularly monitor and control the access of data.
5) Appointing a privacy officer
Who is going to be responsible for checking, following-up, refining and improving this policy? If the company is small enough, with a small batch of core clients, a business owner could feel comfortable doing this themselves.
Otherwise, it’s wise (even if the operation is lean), to appoint a singular person. This would be a ‘privacy expert’ or officer who deals solely with matters of privacy and raises questions about possible vulnerabilities.
As the nature of data access and data collection evolves, lawmakers and businesses will have to ask the following question: Fundamentally, are we looking at data in the wrong way?
Businesses who collect data do so for marketing purposes, to improve offers and services, to actually tailor content and products to a customer’s need or to find trends in aggregate data. In other words, businesses collect data to use for business purposes.
The intention is rarely for identification on an individual level.
But, instead of collecting data, can we perhaps use it in the moment? This is not only about not collecting identifying information (such as names and addresses) but stretches to re-imagining the way data comes in and is read.
Several VPN providers, for example, promise premium clients a ’no-logs-policy‘, where there is either minimal data that is stored or data about users is stored without collecting any identifying information. The data is limited to clicks, decisions, places visited, etc.
This kind of ‘no-logs-policy’ could also be where a business provider uses technology — namely, Big Data analytics platforms — to analyse real-time responses and read data as it comes in, thus spearheading marketing efforts, without the need to actually collect the data for a prolonged time.
Data is digital’s singular unit but as digital changes, the way we think of and use data will have to as well.
Contact Wollerman Shacklock Lawyers for more information about what they can do for you.