Capturing and storing customer data is a nearly universal challenge for businesses today. The knowledge gained from customer interactions can catapult a business forward, but if a company isn’t careful with user data, it can face significant risks. European regulators handed out more than $1.25 billion in fines in 2021, charging companies like retailer H&M more than $41 million, Italian telecom company TIM $31.5 million, along with tens of millions in fines for the big tech companies. This isn’t just Europe either – the Cyberspace Administration of China fined ride-hailing giant Didi Global the equivalent of $1.19 billion USD. Even the state of California is getting tough, fining cosmetics retailer Sepora $1.2 million as part of the first enforcement action for the CCPA.
It’s clear that while the principles of privacy by design have been around for many years, the implementation of standards like privacy by default could still use improvement. GDPR requires the ability to erase all records about someone, and U.S. states are beginning to require adherence to the Global Privacy Control, a proposed privacy standard that automatically signals a user’s privacy preference to website owners. But to be honest, many companies aren’t really ready for these kinds of requests. With the U.S. Supreme Court’s Dobbs ruling overturning Roe v. Wade combined with restrictive abortion laws in many U.S. states, the risks and implications of data privacy can result in real human impacts based on the data many companies capture today.
It doesn’t have to be this way – companies can build and reinforce a culture of privacy across their organization. If a company puts the right processes into effect, it can see the pay off in customer confidence, and most importantly, increased trust that the company is doing the right thing.
Building a Privacy-Focused Culture
One of the primary roles for any Data Protection Officer (DPO) is educating their workforce with company-wide training on best practices and procedures. Training is important, but many companies take a “one size fits all” approach that leaves employees feeling like the training isn’t related to their job, which makes requirements easier to forget over time.
Many DPOs see their role as isolated from the rest of the business. They have their legal privacy domain, but they may not have insight into how the organization is using data, or what data is being captured that isn’t really needed. Privacy affects every team within an organization, but employees don’t always know how it affects them. When I’m training teams at Fivetran, I have basic requirements I review, but I also tailor the training to each group so they can see how privacy impacts their daily responsibilities.
As part of this training, I walk our employees through the process of recovering from an ID theft or online threats, including replacing credit cards, monitoring credit for years, or dealing with extortion from the misuse of their private information. It’s important to make this real for people to hit home on the potential impact.
Moving Beyond the Basics
Starting with empathy and the human impact of a breach is important to make privacy important for employees. A culture of privacy can also reduce risks and give companies a strategic advantage with customers. Here are a few tips to help you improve your practices.
- Reinforce ROI – Privacy isn’t a revenue generating activity, but the money you save if you mitigate a breach is significant, and the real payoff comes from building trust with customers over time. By reducing risk for your customers, you can ease their concerns and close more deals. Within your company, remind leaders that the money your company saves from avoiding or mitigating a breach is significant. Cisco’s 2022 Privacy Benchmark report found that spending on privacy delivers a 1.8X ROI benefit.
- Leverage social psychology and influencer marketing – In my training sessions, I’ve noticed that everything I’ve learned from the social sciences about influencing behavior is incredibly helpful in promoting better privacy practices. The textbook “Transformational Security Awareness” has insightful recommendations on how to leverage social science to improve security, and these often apply to privacy as well.
- Meet your audience where they are – I touched on the importance of tailoring content for different business groups. Privacy concerns for engineering teams are different from sales teams. Explain how privacy affects each team and provide a range of articles, resources and materials for your teams – visual learners will do best with videos or graphs, while technical teams may want detailed specifications and examples to guide them.
- Privacy takes more than lawyers – Ensuring legal compliance with privacy regulations is the primary role of a DPO or Chief Privacy Officer, often a licensed attorney. But a mature privacy program needs a project manager, compliance specialists and privacy analysts to identify the correct stakeholders in each group, and to help run internal audits and track metrics. This approach helps the broader privacy team focus on upcoming business priorities while optimizing budgets.
- The importance of governance – As user awareness around privacy laws grows, expect an increase in requests to delete data. When someone exercises these rights, you need to address the request with confidence or risk fines. Start with a data map that identifies and categorizes sensitive vs. non-sensitive PII. Your data infrastructure can’t be a black box – you need to see who has access to specific data and understand why. Then when you do get a privacy request, your data map can give you confidence that you’re in compliance.
Most people don’t realize how much of their personal information is out there today. Helping people understand that their actions go beyond a financial and reputation risk for the company, that a lack of attention can actually hurt someone is really important. The growing number of SaaS data sources and integrations is making privacy more important every day – and as a data movement company, we do our best to make this a priority for the whole company, because any company large or small can face these issues today.
A data breach or privacy violation could cause a significant hit to a company’s immediate bottom line, slowing hiring and stalling revenue growth. Fines could make this worse down the road. But the real hit comes to a company’s reputation – and that can make it tough to land deals and impact top-line growth.
Most companies just don’t want to be the worst out there when it comes to privacy and security. But a commitment to privacy builds trust with users, empowers teams to make the right strategic decisions, and ultimately reduces the risks of a data breach by reducing your exposure. If you start with privacy in mind, and make it relevant across your company, you’ll be in a much less risky position in the long run.
About the author: Seth Batey is senior privacy counsel at Fivetran, the leader in modern data integration. Seth has dedicated his career to privacy and security legal issues. Prior to his experience at Fivetran, he spent several years at Rocket Mortgage, and a year at Notarize, building privacy programs from the ground up. He has earned the CIPP/US, CIPP/E, CIPP/C, CIPM, CIPT, and FIP privacy certifications.