New year, new start. Nigel Jones, Co-Founder of the Privacy Compliance Hub, discusses why and how organisations must put privacy compliance at the heart of their strategy for 2022…
Apple has allowed iPhone users to choose whether they’re tracked by apps, DuckDuckGo is trying the same thing for Android, and even WhatsApp has updated its policy after a multi-million-pound fine. These are sure signs that ‘Big Tech’ is waking up to growing consumer concerns about data protection and recognising that privacy is fast becoming a competitive advantage.
According to Statista research, 54% of UK consumers say they’re now more concerned about their online privacy than a year ago. That backs up a previous study that revealed almost two thirds (61%) of UK consumers worry about how their personal data is being used by companies and 55% prefer to be anonymous when browsing online.
This is serious for businesses. Add increased security threats because of remote working and a new Information Commissioner who may be more ready to issue fines, and there are plenty of reasons to adjust your approach and attitude towards privacy.
Here are my 10 top tips for putting privacy compliance front and centre in 2022.
1. Take stock of where you are
Start with an assessment of your current compliance – there are free online tools that can help you with this. This is also a good opportunity for some light housekeeping, such as checking that you’ve paid your annual data protection fee, whether you need to appoint a Data Protection Officer (and/or register that person with the Information Commissioner’s Office), and if your Record of Processing Activities (also known as an Article 30 Record), Record of Vendors and Partners and Data Retention Policy are up to date.
2. Map your data flows
It’s vital to have a clear view of the personal data that’s under your control. You need to know what data you hold, what it’s for, where it’s located, where it goes, how long you keep it for and what you do with it when you no longer need it. Data maps should cover all data processing activities, and mapping them is a job for all departments. Gather representatives from all functions in one room (or on one video call) and talk it out.
3. Review existing privacy policies
Privacy notices are often copied and pasted from other sites with the names changed, or drafted by legal professionals who have little idea about how the business they’re writing them for operates. Once you’ve mapped your data flows, take a look at your existing policies. Do they need to change or be updated? Don’t be afraid to start again. The objective is to be transparent about what you are doing with the readers’ personal data.
4. Consider the impact of hybrid working
Staff privacy and remote work policies may also have to be updated in light of the shift towards hybrid working. Cybercrime has spiked in the past year, with experts pointing to weaker security due to home working. Are your employees using personal devices, saving files locally or using unsecured Wi-Fi? They could be putting your business at risk of attack.
5. Empower staff through regular training
When 90% of data breaches in the UK are down to human error, having a well-trained team is essential in the fight for privacy. This isn’t just an IT project – everyone helps protect personal information. Focus on what staff really need to know about privacy in their day-to-day work and tailor each session accordingly. Customer data can often be an organisation’s most valuable asset. By making compliance familiar to employees, they’ll feel empowered to make the most of it safely.
6. Tighten up your marketing communications
The ICO handed out £1.7m in fines for marketing breaches in 2021. It’s easy for members of the public to complain if they’re not unsubscribed when they ask to be, if their data is used for something they didn’t sign up for, or if they’re contacted without giving prior permission. If you are cold emailing individuals in a business context, you must have a lawful reason for doing so, such as ‘legitimate interest’. And of course, if anyone requests to be removed from a contact list, you must remove them immediately and add them to a marketing suppression list so they’re not contacted again.
7. Be careful who you’re sharing data with
You’ve put the work in to make sure you’re taking privacy seriously. But do the partners and vendors you’re sharing customer data with take it seriously too? Make sure you only work with safe organisations that have policies in place to protect personal information, that will only act in accordance with your instructions when they process that data, and that can respond quickly to subject access requests from individuals. Ask partners to complete a risk assessment questionnaire or do due diligence on their privacy practices before working with them.
8. Encourage leaders to be proactive about privacy
Culture starts from the top and leaders need to set the tone. Be clear with the team that you care about privacy, that it’s a priority, and that good behaviour will be rewarded. Give privacy a place in the boardroom, assign responsibilities for regular updates and set targets around it. This isn’t the responsibility of lawyers, it’s the collective responsibility of the entire organisation.
9. Appoint privacy champions throughout the business
Whoever holds responsibility for privacy needs to appoint privacy champions in each department because they will need a lot of help. Luckily this is a topic that people are genuinely interested in, particularly those younger employees who have grown up with technology facilitating every part of their lives. They want to work for ethical companies that take privacy seriously. Ask for their help; you may be surprised by who puts their hand up.
10. Create a culture of privacy by design and by default
Privacy compliance isn’t a one-off project that can be ticked off, or a new year’s resolution that will be dropped by March. Organisations looking to turn privacy into a competitive advantage need to create a culture of ongoing privacy by design and default. One where every time a new product or service or process is introduced, the question is asked – what does that mean for privacy?
Nigel Jones is the co-founder of the Privacy Compliance Hub, a former Google executive and head of its legal team for Europe, the Middle East and Africa. Nigel has more than 30 years of legal experience advising companies on technology, data protection, privacy and the pragmatic steps available to cut risk, meet regulatory requirements and manage data breaches. Take your free GDPR health check today.