We learned our data privacy basics in high school

By Bob Siegel, CIPP/US

Thinking back to high school I often recall the “adventures” I had with my closest friends. We kept these shared experiences to ourselves with the knowledge that if our peers or parents found out it would be embarrassing at best and punishable at worst. Over time, the memories have faded or have lost their significance, but the details helped us to build a profile of each other; our likes and dislikes, lifestyle preferences, hobbies, other friends and spending habits.

Today things are not that different. Businesses share shopping experiences with consumers, gathering their preferences in products, their contact information, budgets, financial account information and much more. These shared experiences help us build profiles of and relationships with consumers, key components to generating revenue and keeping our businesses thriving. With our ability to collect personal information, and the increasing sophistication of the computer applications we use to analyze it, consumers have grown concerned about how we protect their data. Forty-six states have responded with statutes to protect their residents.

Business stakeholders need to comply with the laws of each state in which their consumers (and employees) reside, a complex undertaking at best. However, there are some basic lessons we learned in high school that can help. As was the case when we were teenagers, the cost of taking these steps is low, but the cost of failing to safeguard information can be high. (The Ponemon Institute has estimated that if you lose customer personal information it will cost about $194 per record to remediate the situation.)

Set expectations
Close friends implicitly know how much personal information they can share. For consumers, you need to be explicit by creating a Privacy Policy for your business and sharing it. A Privacy Policy is an internal document that lets employees know what personal information they may collect and how to protect it. The policy defines how your business respects the responsibility of protecting personal information.

Based on the policy, make a Privacy Notice available for consumers telling them what personal information you collect, how it is collected and how you protect it. It is vital to do what you say in these documents, or the brand damage done will significantly affect your revenues and you may get a visit from the FTC.

Keep personal information to yourself
If you broke a friend’s trust you would probably lose the friend and have difficulty finding new ones. The same is true with customers.

Protecting information you have collected with computer safeguards such as encryption, firewalls, and antivirus software is critical. Depending on your IT complexity, many of these items are part of modern operating systems or available at reasonable cost.

In addition, your business practices may share information with suppliers and service providers. A review of these practices will determine if you share too much information or are putting information at risk.

Forget things over time
As time passes, we forget the details of some things and forget others completely. These memories added to our experiences, but they have lost their individual value to us. The same is true for personal information you have collected.

Establishing a data retention/disposal policy will set guidelines for your staff to destroy information that is no longer useful. An immediate, bottom-line benefit is that you will free up data storage and file cabinet space, saving you money. More importantly, you cannot lose what you do not have.

Editor's Note: This article was first published in the Worcester Business Journal.

Bob Siegel, CIPP/US, CIPP/IT, is founder and chief privacy strategist at Privacy Ref and is a member of the IAPP Certification Advisory Board for its Certified Information Privacy Manager program. Most recently, Siegel served as senior manager of Worldwide Privacy and Compliance for Staples, Inc. For more information about Bob Siegel and Privacy Ref, please visit www.privacyref.com.