If one were to chart the most important developments in the business landscape over the last 20 years, top of the list would surely be the growth of consumer data as a precious resource. Never before have companies had access to such powerful stores of business intelligence, and never before have they had such a pressing responsibility to manage that resource carefully. In 2019, data management is very commonly the difference between success and failure, and the disastrous consequences of mismanagement fall on both the company in question and the consumers who trusted it to protect their information.
So, if you’re a business that’s serious about succeeding, it’s imperative to build a solid data privacy management operation from the ground up. And that starts with defining a strong, comprehensive user data policy. Below, we list 5 key principles that should be top of mind for any team drafting such a policy. While some of these points may seem like common sense, too often in recent years common sense has been conspicuously absent in approaches to data management. Stick to these points, and you’ll avoid the mistakes of others:
- Respect for the User is Uppermost – This is the seventh and final principle of Dr. Ann Cavoukian’s “Privacy by Design” (“Respect for User Privacy – Keep it User-Centric”), and arguably the most important one for development teams to keep in front of them at all times. A strong digital product is the sum of countless design micro-decisions, and at every one of them the question “does this respect the user?” must be answered in the affirmative before the team moves on. If user respect is kept paramount, the other conditions of a strong data policy – transparency, data minimisation, and privacy as the default setting rather than an opt-in – follow logically from it.
- The Data to Be Captured must have a Legal Basis for Collection – Not only is this a key consideration for crafting a coherent data policy, in many parts of the world a legal basis for data collection is explicitly required by law. Article 5(1)(a) of the GDPR stipulates that personal data must be processed “lawfully, fairly and in a transparent manner”, and Article 6(1) sets out the six conditions under which processing is lawful (consent, performance of a contract, a legal obligation, vital interests, a public-interest task, and legitimate interests). In Brazil, Article 7 of the LGPD lists ten such bases. For private companies and brands, “legal basis” very often comes down to consumer consent, although contract performance and legitimate interests are also widely relied on; whichever basis applies must be decided and documented before collection starts, not argued after the fact. Where consent is the basis, GDPR Article 7 adds requirements of its own: the controller must be able to demonstrate that consent was given, and withdrawing consent must be as easy as giving it. It follows that any team building data collection and management infrastructure must treat consent as a system feature from day one – capturing what was consented to, when, under which version of the policy, and whether it has since been withdrawn. Trying to retro-fit consent onto pre-built systems is a recipe for disaster…that sound you hear is legions of consumer protection lawyers licking their chops.
- Think Proactively about Theft – Prevention & Response – There’s a temptation for organizations to pay too much attention to their shiny new data collection system and not enough to storage, access control and theft prevention. Even further down the list of an average marketing manager’s considerations is the contingency plan for responding to a data breach. Technical teams must prioritize these concerns even in the absence of instruction from non-technical members of the organization, because the legal requirements under GDPR are clear. Article 32(1) requires security measures appropriate to the risk, naming pseudonymisation and encryption of personal data among them, and Article 32(1)(d) specifically mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”. Articles 33 and 34 then detail the required response to a breach: Article 33 requires notification of the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to individuals), and Article 34 requires that affected data subjects be informed without undue delay when the breach is likely to result in a high risk to them. Meeting a 72-hour deadline presupposes that you can detect a breach, scope it and document it quickly, which is a matter of logging, monitoring and a rehearsed incident response process, not something improvised on the day. If your organization doesn’t have those processes in place, the failure to notify is itself an infringement you can be fined for, regardless of whether any damage results from the breach.
- Never Withhold – This is a non-technical principle with considerable technical implications for any data collection and storage system, and as a governing principle it helps dev teams make good decisions at every stage of development. There must be a mechanism for sharing data policy updates with data subjects. There must be transparency at every juncture of the collection process (the information duties in Articles 13 and 14), and there must be processes in place for handling Subject Access Requests (SARs) under Article 15 in a streamlined, efficient manner: Article 12(3) requires a response within one month of the request, extendable by a further two months only for complex or numerous requests, so the system must be able to locate and export everything held about an individual on demand. The grounds on which the GDPR permits an organization to refuse or limit such a request are narrow: Article 15(4) allows the copy to be limited where providing it would adversely affect the rights and freedoms of others, and Article 12(5) allows refusal of requests that are manifestly unfounded or excessive, with the burden on the controller to demonstrate that. These are rare occasions and must be treated as the exceptions that prove the rule: withholding a user’s own data from them is essentially forbidden under the GDPR and the comparable data protection laws now in force around the world.