Digital Marketing Solutions Summit | Forum Events

10 ways to make privacy your competitive advantage in 2022

New year, new start. Nigel Jones, Co-Founder of the Privacy Compliance Hub discusses why and how organisations must put privacy compliance at the heart of their strategy for 2022…

Apple has allowed iPhone users to choose whether they’re tracked by apps, DuckDuckGo is trying the same thing for Android, and even WhatsApp has updated its policy after a multi-million-pound fine. These are sure signs that ‘Big Tech’ is waking up to growing consumer concerns about data protection and recognising that privacy is fast becoming a competitive advantage.

According to Statista research, 54% of UK consumers say they’re now more concerned about their online privacy than a year ago. That backs up a previous study that revealed almost two thirds (61%) of UK consumers worry about how their personal data is being used by companies and 55% prefer to be anonymous when browsing online.

This is serious for businesses. Add increased security threats because of remote working and a new information commissioner who may be more ready to issue fines, and there are plenty of reasons to adjust approach and attitude towards privacy.

Here are my 10 top tips for putting privacy compliance front and centre in 2022.

1. Take stock of where you are

Start with an assessment of your current compliance – there are free online tools that can help you with this. This is also a good opportunity for some light housekeeping, such as checking that you’ve paid your annual data protection fee, whether you need to appoint a Data Protection Officer (and/or register that person with the Information Commissioner’s Office), and if your Record of Processing Activities (also known as an Article 30 Record), Record of Vendors and Partners and Data Retention Policy are up to date.

2. Map your data flows

It’s vital to have a clear view of the personal data that’s under your control. You need to know what data you hold, what it’s for, where it’s located, where it goes, how long you keep it for and what you do with it when you no longer need it. Data mapping should cover all data processing activities and is a job for all departments. Gather representatives from all functions in one room (or on one video call) and talk it out.

3. Review existing privacy policies

Privacy notices are often copy and pasted from other sites with the names changed or drafted by legal professionals who have little idea about how the business they’re writing them for operates. Once you’ve mapped your data flows, take a look at your existing policies. Do they need to change or be updated? Don’t be afraid to start again. The objective is to be transparent about what you are doing with the readers’ personal data.

4. Consider the impact of hybrid working

Staff privacy and remote work policies may also have to be updated in light of the shift towards hybrid working. Cybercrime has spiked in the past year, with experts pointing to weaker security due to home working. Are your employees using personal devices, saving files locally or using unsecured Wi-Fi? They could be putting your business at risk of attack.

5. Empower staff through regular training

When 90% of data breaches in the UK are down to human error, having a well-trained team is essential in the fight for privacy. This isn’t just an IT project – everyone helps protect personal information. Focus on what staff really need to know about privacy in their day-to-day work and tailor each session accordingly. Customer data can often be an organisation’s most valuable asset. By making compliance familiar to employees, they’ll feel empowered to make the most of it safely.

6. Tighten up your marketing communications

The ICO handed out £1.7m in fines for marketing breaches in 2021. It’s easy for members of the public to complain if they’re not unsubscribed when they ask to be, if their data is used for something they didn’t sign up for, or if they’re contacted without giving prior permission. If you are cold emailing individuals in a business context, you must have a lawful reason for doing so, such as ‘legitimate interest’. And of course, if anyone requests to be removed from a contact list, you must remove them immediately and add them to a marketing suppression list so they’re not contacted again.

7. Be careful who you’re sharing data with

You’ve put the work in to make sure you’re taking privacy seriously. But do the partners and vendors you’re sharing customer data with take it seriously too? Make sure you only work with safe organisations that have policies in place to protect personal information, that will only act in accordance with your instructions when they process that data, and that can respond quickly to subject access requests from individuals. Ask partners to complete a risk assessment questionnaire or do due diligence on their privacy practices before working with them.

8. Encourage leaders to be proactive about privacy

Culture starts from the top and leaders need to set the tone. Be clear with the team that you care about privacy, that it’s a priority, and that good behaviour will be rewarded. Give privacy a place in the boardroom, assign responsibilities for regular updates and set targets around it. This isn’t the responsibility of lawyers; it’s the collective responsibility of the entire organisation.

9. Appoint privacy champions throughout the business

Whoever holds responsibility for privacy needs to appoint privacy champions in each department, because they will need a lot of help. Luckily this is a topic that people are genuinely interested in, particularly those younger employees who have grown up with technology facilitating every part of their lives. They want to work for ethical companies that take privacy seriously. Ask for their help; you may be surprised by who puts their hand up.

10. Create a culture of privacy by design and by default

Privacy compliance isn’t a one-off project that can be ticked off, or a new year’s resolution that will be dropped by March. Organisations looking to turn privacy into a competitive advantage need to create a culture of ongoing privacy by design and default. One where every time a new product or service or process is introduced, the question is asked – what does that mean for privacy?

Nigel Jones is the co-founder of the Privacy Compliance Hub, a former Google executive and head of its legal team for Europe, the Middle East and Africa. Nigel has more than 30 years of legal experience advising companies on technology, data protection, privacy and the pragmatic steps available to cut risk, meet regulatory requirements and manage data breaches. Take your free GDPR health check today.

OPINION: Don’t rip up the UK’s data privacy rules

A major announcement earlier this month of a consultation on overhauling current data legislation, made by the former Digital Secretary Oliver Dowden, has been questioned by a leading expert in data privacy regulation. Privacy expert Nigel Jones (pictured), Co-Founder of the Privacy Compliance Hub and ex-head of legal for Google in EMEA, urges against ripping up the UK’s privacy rules…

The stated aim of the consultation is to drive greater innovation and growth in the UK’s data sector and better protect the public from major data threats. However, there are a number of issues with the announcement. While I broadly welcome some aspects of the consultation, there is actually little by way of explanation in the announcement as to why the UK’s current data rules and regulations are insufficient to enable all these things to be addressed without the planned reforms.

The stated aims of the proposed reforms – to boost international trade; reduce burdens on business; deliver better public services; drive economic growth; boost innovation including reducing barriers to responsible innovation; protect the public; and strengthen public trust in use of data are ones that most organisations – as well as the general public – would agree with.

However, my view is that there is little, if anything, in the current legal framework that is stopping the UK from executing the aims of this consultation now, and there is insufficient detail in last week’s announcement to explain why such a consultation is necessary. Changes to the current agreement may threaten the very important adequacy decision that the UK has with the EU.

The announcement last week contains many references to science, healthcare and research and how the use of data in these areas needs to be simplified. It is unclear what the Government feels is wrong with the current rules as they apply to science, healthcare and research. It refers to advances made by Moorfields Eye Hospital and University College London in identifying eye disease by making use of AI, but those advances were successfully made under the current data framework using the power of Google DeepMind. What exactly do they think is wrong with the status quo?

The announcement also claims that there are plans to impose tougher penalties and fines for nuisance calls and text messages. My view is that there is nothing in the announcement that explains why this is necessary, as current penalties are already very stringent. Under the UK GDPR, the current maximum fine is already up to £17.5 million or 4% of worldwide turnover, which is a sufficient deterrent.

The announcement refers to disproportionate burdens for compliance on many organisations. While it is logical for the announcement to claim that a hairdresser shouldn’t have the same data protection processes as a multimillion pound tech firm, this ignores the fact that the current regime doesn’t require a hairdresser to have the same processes as Facebook. Also, how many hairdressers do we hear complaining about the burdens that the current UK data framework places on their business?

The consultation states that a shakeup of the Information Commissioner’s Office (ICO) is proposed, to include an independent board and chief executive.

The tenure of Elizabeth Denham, the current Information Commissioner, comes to an end this year. She has come in for criticism during her time in charge from those that feel that, as a heavily funded regulator, the ICO should be able to achieve much more, especially in the area of enforcement. Perhaps the government feels that by taking power away from the Commissioner and putting it in the hands of an independent board which it can appoint, it will be able to ‘take back control’ of data regulation.

However, I’m very much in favour of the statement in last week’s press release that the government plans to “replace box ticking with common sense.”

We couldn’t agree more. Data protection has never been about box ticking and it never should be. It is about creating a culture of continuous compliance, and we take great heart from the government’s apparent enthusiasm for what it calls ‘Privacy Management Programmes’. All companies that process data should build a culture using such a Privacy Management Programme, one which makes all their staff understand privacy, care about it and do their bit to use data wisely and securely.

I also agree with the aim outlined in the plan to mitigate the risk of bias in algorithmic systems. This is a hugely important objective but it will be interesting to see how the government proposes to improve the current framework which exists under the UK GDPR.

It is intriguing that the government feels that the UK’s current data legislation is in some way holding the country back in areas such as international trade, public services, innovation, research, healthcare and hairdressing. While of course any improvements in these areas are to be welcomed, we should bear in mind that the current rules are based upon a framework that has been in place for a very long time and that those rules already allow for much flexibility.

The government should make changes at its peril, and be careful to make sure that any planned amendments don’t threaten the very important adequacy decision that we have in place with the EU, our largest trading partner. In our view, it would be better to make use of the existing flexibility we have than to suggest ripping up existing rules and starting again.