After years of big data breaches from companies like Equifax, Target, and Marriott International — and potential political interference from abroad — consumers are demanding more secure data practices. And legislators are listening. Protecting personal data is no longer just an ethical choice; it’s now mandated by law.
We all just caught up with the requirements of the General Data Protection Regulation, and now California’s Consumer Protection Act is here. These data privacy and security laws can be confusing. Here’s a step-by-step guide to creating smart data privacy policies for your small business.
Data is spread across your business and touched by all functions, so you need a cross-functional effort to create a clear, measurable, and integrated policy.
Audit your existing data and cybersecurity policies. You need to understand how you get consent and then collect, track, and store customer and employee data before creating an effective policy. Review the requirements of GDPR and the newly enacted CCPA. A quick rundown:
The GDPR went into effect in May 2018 and changed worldwide data collection and handling processes. Any company that collects data on an EU citizen must comply. So even if you’re not physically located in Europe, you’re still on the hook.
GDPR’s scope is wide, but some key points are:
- Businesses must inform consumers of data collection and use
- Businesses are responsible for reporting breaches within 72 hours
- Consumers have a right to access their data
- Consumers have a right to data deletion
- Certain companies must appoint data protection officers
- Businesses face fines of €20 million or 4% of worldwide revenue, whichever is greater
The CCPA is the most stringent data privacy and protection law enacted in the United States to date. Similar to GDPR, companies that collect data on any California resident are responsible for complying. Among other requirements, CCPA says that businesses:
- Must inform consumers of data collection and use
- Must delete consumer data when requested
- Cannot sell personally identifiable information (PII) of individuals under 16 to third parties without explicit consent
- Face fines of $7,500 per incident for intentional violations and $2,500 for unintentional ones
Your audit should answer questions such as:
- What’s the difference between PII and non-PII?
- How are we inventorying PII?
- How are we getting and tracking consent to collect consumer data?
- What is our consumer access request plan? That is, how do we get information to our consumers when they ask for it?
- What do we do in case of a breach?
- For how long are we keeping data?
- With whom are we sharing data?
- Who has access to sensitive data?
All members of your staff need to share and respect policies for meaningful adoption to happen. Educate employees about your company’s data collection and privacy policies, and about their role in compliance, with the following steps:
- Help employees see they’re responsible for careful handling of data
- Consider creative ways to share data policies. Employees are unlikely to read company-wide emails with thick blocks of text — give them the TL;DR where possible
- Mandate training for all employees but pay special attention to those handling the bulk of sensitive data like HR, marketing, finance, and IT
- Teach staff to recognize breaches and report accordingly. In the case of GDPR, your company must report breaches to impacted consumers within 72 hours, so they can take measures to secure their information
- Designate a data point person — commonly referred to as an “owner” — to stay in the know of relevant data changes
- Enforce disciplinary consequences for employees who violate GDPR, CCPA, and company data policies
Use tech to help with security
Smart businesses centralize data in a single database. Where do you store email addresses, IP addresses, and employee information?
Because we’re so accustomed to sharing copies of documents and data, employee and consumer data ends up living across spreadsheets, documents, Gmail, Dropbox, Slack and more. This is a bad idea. It makes securing data tricky, and handling consumer requests to destroy data challenging or near impossible.
- Store all consumer data like names, email addresses, and IP addresses in a single database
- Rely on HR tech to centralize all employee data — some of the most sensitive data you store
- Tag data as PII or non-PII for ease of access
Stop collecting unnecessary information
There was a time when data was billed as the answer to all our business woes. Now it’s more likely a cause of problematic breaches and costly penalties.
Stop collecting and storing data you don’t need on consumers and employees. Beyond bloating your marketing team’s data pools and making them unwieldy, unnecessary personal information creates bigger and more expensive risks, both of breaches and of GDPR and CCPA noncompliance penalties.
The message here is simple: the less data you collect and store, the better.