The pandemic may have abated, but the move to digital it catalyzed has not. Today, more consumer data is generated, collected, stored and activated than ever before. 

 

While the data promises rich insights, brands struggle to keep pace with laws and regulations governing it. And despite one’s best efforts, there is always the nagging fear of vulnerability or non-compliance. 

 

In this post, we explore 10 ways in which brands may inadvertently violate consumer data privacy laws - and suggestions to avoid it.

 

Summary

 

 

The new data reality and its challenges

 

Since 2018, when GDPR was enacted, multiple large companies like Facebook, Google, Yahoo, Ashley-Madison and Verizon have been fined for violating data privacy regulations. More importantly, they have suffered irreversible credibility setbacks. 

 

Before this period, companies seldom thought of data privacy as a strategic imperative. Even data security was squarely in the IT domain, not something that the CEO or CMO needed to worry about.

 

But today — thanks to the unprecedented digital footprint, big data analytics, ML and AI technologies, and growing consumer awareness — data privacy is inextricably entangled with data security, customer experience and business credibility. 

 

How business leaders handle it can make or break the business and brand.

 

The challenges with the new data reality

Nobody can argue against more stringent laws to protect consumers’ privacy. But there are multiple challenges to overcome on the path to a world where every business is compliant and every consumer is safe from predatory data practices - intentional or not.

 

Some of these challenges include:

 

  • Lack of clarity: evolving laws that are constantly being modified; as well as different laws in different geographies at state and national level, make planning a challenge

  • Expenses: more technology and manpower to manage new processes often means more investments in training people and infrastructure

  • Expertise: there is growing demand for legal and compliance experts, especially to hire in-house. Not every brand can afford or even access them 

  • Constant business pressure: to expand reach, drive conversions and generate more business 

  • Multiple stakeholders: it is challenging to align legal, IT and marketing priorities while keeping the customer at the center of priorities

 

10 Ways brands inadvertently compromise or violate data privacy - and how to avoid them

 

didomi-10_ways_brands_violate_laws_Body_1

 

Many brands are well-meaning and have every intent to protect consumer privacy. However, the reality is that a business today could be in violation of some law somewhere in the world, just in the regular course of conducting business online or offline. 

 

Companies may violate an individual’s - present and past customers, employees, vendors, partners - privacy rights unintentionally, when the collection, storage, transfer, usage and destruction of their data is not aligned with the stated and intended purpose; or in accordance with whatever laws and regulations apply to its processing.

 

Let's look at 10 ways brands can inadvertently violate data privacy laws, and our suggestions to avoid them.

 

1) A siloed approach to privacy, analytics and CX

With personal data, you can never be too thorough 


As a business, you may be investing in cyber security, data privacy, legal expertise, personalized experiences and more. But these investments, though large, may be disconnected and siloed, leaving gaping holes in which inadvertent violations may occur. 

 

How to avoid this mistake:

Leadership should commit to a holistic, privacy-by-design approach to data management and governance. This means privacy is embedded into the design and operation of IT systems, connected infrastructure, and business operations.

 

The IAB sets out the basic principles of such an approach as:

 

  • Proactive and preventive rather than reactive and curative

  • Privacy-first as the default setting for any process

  • Privacy embedded into all IT systems and infrastructure

  • Privacy through the lifecycle of each business process

  • Privacy as win-win for all stakeholders

 

2) Not investing enough on legal documentation

Some brands - especially startups - may put processes in place to protect data privacy, but may end up slacking on the use of legal experts to craft their policies and contracts. Some even copy-paste legal documents from best-in-class competitors, as a way to avoid reinventing the wheel.

 

However, this may inadvertently expose the company because each legal document is designed for a particular context and history. What is watertight for one brand may be construed as misrepresentation, or “unfair or deceptive practices” by regulating bodies for another.

 

How to avoid this mistake:

  • Create a legal policy framework that acknowledges the unique context of your business and industry especially when it comes to the data you want to collect and the reasons for the same

  • Your legal policies should reflect your core values as a business 

  • Your policy should address protection, transparency and control related aspects of data processing

 

3) Securing and protecting only consumer data

Consumer data is not the only data that needs to be protected. You may think you have sewn up all the loose ends for consumer data — but have you done the same for employee, partner or vendor data; the data of job applicants; and lapsed or inactive customers? 

 

How to avoid this mistake:

  • Treat any PII in your systems with the same rigor - no matter who the subjects may be (customers, vendors and partners, employees)

  • Have a data deletion policy for former employees and vendors, as you would for customers

  • Train people to share their personal data with due diligence over company networks

  • Make sure your public data policies and disclosures mention all possible constituents and not just customers

     

4) Over-collecting data 

The more data you collect and hold about your customer, the more vulnerable to violations you become. No matter how safe and secure your data collection practices are, if you do not have a specific and immediate intended purpose for each piece of data collected, it may expose you to not just hackers and cyber criminals but also to unintended privacy violations.

 

You will also spend more to address DSAR requests because you will need to purge data across a larger set of active and inactive data. Finally, negligent data disposal processes can leave you as vulnerable as negligent collection processes.

 

How to avoid this mistake:

  • Do not be tempted to store huge amounts of data just because data storage is cheap. The cost of keeping data you don’t really need is almost always going to be higher

  • Conduct regular audits to monitor data that is of no business value, to ensure collection is stopped, especially for legacy systems and processes. 

  • Build a culture of purposeful data collection within your organization — people should always question the need for any data that is being collected

  • Each piece of data collected should have an expiry date, after which it is deleted from the system in a safe and compliant manner to reduce any liability. This is especially true for data about former employees, vendors and customers

 

5) Inflexible data management policies

Data policies are not a fill-it-and-forget-it thing. One of the most common violations of privacy is when data is collected for one intended purpose but ends up getting used for something else or a new opportunity that comes up later. 

 

How to avoid this mistake:

  • Run constant reviews to ensure all processes and policies are in step with changing business needs and activities

  • Make new hires aware of current data collection intent, and highlight anything that is out of scope today, so that new initiatives do not operate on assumptions

 

6) Not investing enough to manage insider threats

In today’s distributed, remote workforce world, the threat is as much from within the business as outside. Employees need to be trained, accountable and empowered.

 

For example, making employees use old devices with outdated security features may save money in the short-run, but could end up costing a lot more in case of a breach or privacy lapse. 

 

How to avoid this mistake:

  • Secure all end-point systems, and review privacy settings on a regular and periodic schedule 

  • Empower employees to be more productive and safe with the  latest devices with stronger built-in security features

  • Create a need-to-know, access-controlled data ecosystem to minimize exposure, reduce the risk of accidental or malicious misuse

 

7) Inadequate data governance

Being a small company does not excuse you from the need for rigorous data governance. Especially if you have ambitious scale plans, know that things can change and escalate very quickly if not planned for.

 

Build with a privacy-by-design approach from the start to avoid inadvertent violations as you grow.

 

How to avoid this mistake:

  • Regularly map and document the policies, processes, and people responsible for handling data throughout its lifecycle within the system 

  • As you scale, it is crucial to think through the long-term implications of each piece of data so it doesn’t come back to bite you later

 

8) Over-reliance on vendor and partner systems

In the SaaS age, a lot of vendors store data in the cloud. Nearly every SME and even enterprises with an online business rely on finance, invoicing, accounting, and HRMS software hosted by third parties in the cloud.

 

Data sovereignty is a huge point of vulnerability for all businesses, but especially for sensitive or regulated industries such as healthcare, financial services and edtech. 

 

How to avoid this mistake:

  • Cloud providers should be able to confirm where they host their data. The best vendors offer hosting in a range of jurisdictions and are able to demonstrate compliance in each of those jurisdictions. 

  • Any data you collect, you are responsible for — even after it leaves your environment and direct control. So ensure you always have 100 percent visibility into the path data takes once it leaves your premises, and the systems your partners use to handle and process it.


9) Believing data anonymization, randomization, ''noising" or masking are foolproof

While these are mandated practices (no data can be stored in plain text) they are not infallible. Many leaders - especially in sensitive and regulated industries - are under the impression that if the big data sets they hold are anonymized and do not include any PII, it cannot be tied back to an individual. 

 

This is a significant mistake today, where advanced data analytics, semantics, and deep learning re-identification networks have ensured there’s no such thing as guaranteed anonymity.

 

Too often, a competent data scientist or worse - a cybercriminal - will be able to crack the anonymization shell by stitching together characteristics from large data sets to identify specific data subjects.


How to avoid this mistake:

  • If you are moving big data to the cloud for analysis or transfer, get an expert opinion on the right technique- which can range from masking out, nulling, encryption, scrambling, blurring, substitution and more - for your intended purpose.

  • Top leadership must be involved in strategic decisions around balancing the risk of re-identification with intended data use; and accountable for meeting obligations under GDPR, CCPA or any other prevailing law

  • If you are using external tools to execute the randomization or anonymization, ensure a data privacy expert vets vendor credentials and their suggested anonymization technique

     

10) The devil still lies in the details

While the big initiatives around privacy will remain important, it is the daily use-cases that often leave you vulnerable to inadvertent privacy violations.

 

Make sure you have processes in place so that no complacency creeps into daily data handling use-cases such as:

 

  • Using google analytics (transferring personal data over GA violates GDPR - as evidenced by the recent NetDoktor and Google Analytics and validated by Australia and France)

  • Inadvertently collecting and storing data from social media in violation of GDPR and other laws

  • Collecting data via forms across multiple online properties, landing pages and other tools. For large brands, this may happen in the thousands every day. Even one form where consent is taken without a clear explicit action (not just pre-ticked boxes) can leave you vulnerable

  • Not giving customers adequate opt-out options — for any reason and under any circumstances — at any point in the relationship, including after the relationship ends. The moment an individual withdraws consent, the company needs systems to stop processing that data in any form. Any delays can lead to violations and penalties, even long after the event.

Not investing in consent and preference management systems that can ensure you are in compliance at each touchpoint, consistent across all your digital properties, in every geography — all without compromising the CX

 

With personal data, you can never be too thorough

 

Didomi-10_ways_brands_violate_laws

 

There’s growing public concern about the protection of personal and sensitive information. It is important for every organization to periodically re-evaluate both - IT security infrastructure, and data privacy and protection policies.

 

This includes threat detection, data loss prevention and other vulnerabilities, a tested data-breach response plan, and a universal data processing policy across all operations. 

 

When it comes to consumer data privacy, no detail is too small. So in addition to checking the boxes with the best practices, it is important to regularly scan for cracks in daily operations that leave your business vulnerable to inadvertent violations.

 

Book some time with one of our experts to find out how Didomi can help:

 

  Request a demo