If one were to chart the most important developments in the business landscape over the last 20 years, top of the list would surely be the growth of consumer data as a precious resource. Never before have companies had access to such powerful stores of business intelligence. Never before have they had such a pressing responsibility to manage that resource carefully. In 2019, data management is very commonly the difference between success and failure. The disastrous consequences of mismanagement can impact the company in question. More importantly, it impacts consumers that put trust in companies to protect their information.
If a business is serious about succeeding, it is imperative to build a dependable data privacy management operation from the ground up. That starts with defining a robust and comprehensive user data policy.
Let us walk through fundamental principles that should be top of mind for any team drafting such a policy. While some of these points may seem like common sense, too often in recent years common sense has been conspicuously absent in approaches to data management. Stick to these points, and avoid the mistakes of others.
Respect for the User is Uppermost
As the final and the arguably most crucial principle of Dr. Ann Cavoukian’s “Privacy By Design,” this is a primary consideration for development teams at all times. Developing a reliable digital product is the sum of countless design micro-decisions, and at every step along the way, this is a question that is in the affirmative. If businesses respect the user first, then other conditions of a sound data policy come naturally. For instance, transparency and privacy as a default setting will logically follow.
Data Captured Must Have a Legal Basis for Collection
Data captured is a crucial consideration for crafting a coherent data policy. In many parts of the world, it is a legal basis for data collection, and the law explicitly requires it. Article 5(1) of the GDPR stipulates personal data must be processed “lawfully, fairly, and in a transparent manner.” Also, it provided six conditions under which the collection of data can be considered lawful.
In Brazil, the LGPD lists ten conditions for the same. For private companies and brands, most often “legal basis” equates directly to “consumer consent.” Any team building data collection and management infrastructure must think proactively about consent as a system feature. Retro-fitting consent onto pre-built systems is a recipe for disaster….and legions of consumer protection lawyers licking their chops.
Think Proactively About Theft – Prevention & Response
There is a temptation for organizations to pay too much attention to their shiny new data collection system. In reality, that is not enough. Orgs need to pay more attention to storage and theft prevention measures. Further down the list of an average marketing manager’s considerations might be the contingency plans for responding to a data breach.
However, technical teams can start prioritizing these concerns in the absence of instruction from non-technical members of the organization. After all, the legal requirements under GDPR are precise. Article 32 (1) mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” Furthermore, articles 33 and 34 detail the required responses to data breaches that include notifying both the relevant authoritative body and the subject. If an organization does not have processes in place for these measures to be carried out within 72 hours, then it holds liability regardless of whether or not damage results from the breach.
It is a non-technical principle that yields considerable technical implications for any data collection and storage system. As a governing principle, it is essential in helping dev teams make the right decisions at every stage of development. There must be a system for updating data policies and sharing with system subjects. There must be transparency at every juncture of the collection process. Additionally, there must be processes in place for handling Subject Access Requests (SARs) in a streamlined, efficient manner. The only instance in which the GDPR permits an organization to withhold personal data from a user request is likely to restrict the rights and freedoms of others (Articles 12-15), but this is a rare occasion and treated as the exception that proves the rule that withholding a user’s data from them is mostly forbidden under the GDPR and other comparable data policies around the world.