2022 is set to bring more new technologies than ever, with innovation being the word of the day (or year, really), and that means more opportunities for businesses to capitalize on their benefits.
That means even more data, and an even stronger need for data privacy enforcement. In fact, G2 found data privacy tech to be growing 7x faster than most other tech at an astonishing rate - 178% to be exact.
On the other side of the coin, we have an increasingly skeptic population who find these new technologies intrusive and are losing trust in businesses.
How do we find the balance?
Let's start from the beginning.
What is data privacy?
Data privacy - or information privacy, if you like - encompasses the steps taken by a business or organization to responsibly manage and protect the data that it collects from users.
In some ways, data privacy has been seen as a social responsibility to handle any data that you collect from your users with the utmost respect and care. While that may well still be true, businesses are realizing the further potential of establishing that two-way communication and trust with their users.
Four years ago, data privacy seemed to be mostly a legal reality with weak enforcement, whereas today it is a consumer demand driving significant change within the developing digital economy, pushing the biggest players to reorient their services around end-user consent and advertisers to consider data privacy as reinforcement of brand reputation.
Why is data privacy integral to digital business and experiences?
Data privacy and security are top of mind and a growing concern for almost everyone online - 86% to be precise (according to a KPMG survey of 2,000 adults and 250 business leaders in the US). The last thing you want is to be behind the curve, and end up alienating potential users and customers.
In a lot of ways, protecting your users’ data is also a social responsibility. In any potential leakage of data, you don’t want to risk your users’ data seeing the light of day.
Of course, it’s crucial for your business, too. By committing to data privacy, you’re sending a trust signal to potential customers and clients, and avoiding any heavy legal issues, which is always worth remembering.
Here are 5 steps you can take to demonstrate your commitment to data privacy.
1. Practice minimal data collection
Get started the right way - by minimizing the amount of data that you’re storing. This will make life easier for you when it comes to managing the data, and ensuring compliance with data privacy legislation (more on that below).
The best way to break it down is whether data is ‘need-to-have’ or ‘nice-to-have’.
Yes, it’s true that data itself has become a need-to-have in recent years for any business conducted online, but by avoiding an accumulation of data simply because you might like to use it one day, you’ll save your back further down the line.
Instead ask yourself - is it necessary for tracking, or for the company itself to function? If you can find a solid use case for it, for invoicing, customer contact, or documentation for example, then chalk it down as a need to have. Don't be afraid to conduct more analyses if you’re unsure, such as a risk-concern analysis.
What is PII?
PII stands for personally identifiable information, which is any kind of information that can be used to identify a particular individual.
What does personally identifiable information include, exactly? Yes, the usual suspects such as name, email address, phone number, or social security.
However, PII can be pretty much anything in a certain context.
For example, if you have a group of 100 people who all visit the same store and one who does not, that information alone could be used to identify that individual.
As you’ve probably guessed, there can be some grey areas when it comes to PII, so make sure to take it on a case-by-case basis, within the context of your own business.
TIP: Keep the useful data while dropping potentially problematic PII by anonymizing it, which can even be automated by selected tools.
2. Make sure you stay up to date with ever-evolving legislation
Data privacy legislation is the key guidelines that you should follow when managing your data, not least because they exist to empower your users with the right to choose how much data they share.
To stay applicable to the fluctuant nature of new technologies, that means they too must frequently change. That means that you need to stay alert to updates and make sure you’re ready to meet those new demands, avoid any legal implications.
Which legislation you'll have to abide with depends on which countries you operate in, two of the biggest being GDPR in the EU and CCPA in California (and beyond in the US).
As a business or organization with an online presence, being compliant with data privacy laws and being transparent about what data you process, how you handle website visitors' data, is both a legal requirement in most parts of the world today and a strong consumer demand.
What is GDPR?
GDPR stands for the General Data Protection Regulation, and covers the entirety of the European Union (EU).
GDPR exists to protect the data rights of EU citizens, and ensure their data is not being used inappropriately. How a company handles data and complies with these regulations are reflected in certifications issued through GDPR.
Though it came into enforcement under a solid headline in 2018, the contained legislation has actually been around for decades. GDPR actually just aims to simplify the complexity of data privacy rights to be understandable by all online users. So yes - that likely includes yours!
U.S. Data Privacy legislation
Things are a little bit different in the U.S.
If you’ve been left scratching your head over the lack of comprehensive data privacy legislation in the US, you’re certainly not the only one. For example, the 'new' California data privacy law may also be applied to the wider US, though it isn't enforceable by law outside of the state. However, the states of Virginia and Colorado have their own data privacy laws (VCPDA and ColoPA respectively), and that doesn't even touch on the industry-specific legislation, such as the Gramm-Leach-Bliley Act in Finance, and the Health Insurance Portability and Accountability Act (HIPAA) in Healthcare.
The California Consumer Privacy Act (CCPA) was the first law of its kind in the US, and requires extensive transparency about what data is being collected and what it will be used for (among other things), and grants users the right to refuse businesses to sell their data.
TIP: Don’t forget that the California Privacy Rights Act (CPRA) takes effect on January 1, 2023 and becomes fully enforceable on July 1, 2023 – with a lookback period from January 1, 2022.
What if you operate in both the EU and the US?
Naturally, you need to be compliant with any and all legislation of the country or countries that you operate in.
But - if you are an EU company operating in the US (or any non-EU country), you need to take a step further.
Data stored outside the EU was previously approved by ‘Privacy Shield,’ but as of 17th June 2020, Privacy Shield has expired.
Now, our recommendation (and our own action) is to sign a Standard Contractual Clause (SSC) with all data sub-processors in those non-EU countries. Read more about SSCs on the European Commission (EC) website.
One more thing...
If you (an EU company) is transferring information outside of the EU, you must also sign a Transfer Impact Assessment (TIA) in addition to the SSC. This provides extra safeguards for the data transfer and complies with EU legislation called ‘Schrems II’.
3. Own your data, but don’t forget consent
Data privacy is already a big USP for many browsers, search engines, and operating systems (looking at you Apple and iOS). 2022 will likely only see that trend continuing, and that’s bad news for 3rd party cookies and cookie-based tracking (not to mention a potential phase-out by Google in 2023).
What then, is the alternative?
Our Digital Marketing expert Lars Skjold Iversen says:
“Server-side tracking will soon be the new default when it comes to data collection on websites.
I would advise everyone to start looking into owning all your data. Instead of relying on cookies and third-party systems, therefore I would recommend going towards server-side and first-party data collection.”
If you do decide to adopt a new approach to tracking, you still need to make sure that you keep your data privacy compliance up to scratch with a dependable consent management platform (CMP), like Cookiebot by Usercentrics. That way, you can automate your compliance strategy, stay on top of tracking and take control of an otherwise impossible to manage area of your site.
Having a competent consent management platform that can detect and control all cookies and trackers brings a high level of expertise to a company’s data privacy practices. The platform can enable the right data protection to be compliant with comprehensive data privacy laws, while at the same time satisfying consumer demand for transparency and choice.
4. Audit your data, and on a regular basis
Now you’ve cut down your data to what you need, structured it, and ensured it complies with all relevant regulations. Job done, right?
Not quite.
It’s your responsibility to manage your data as it comes and goes. As mentioned in the first section, legislation is always changing - and the last thing you want is to lag behind and find yourself with a monstrous data audit in order to maintain compliance.
Instead, you should audit your data collection at least once a year. By taking a look at the data you collect and deleting what is out of date or no longer needed, you'll be staying ahead of the game.
5. Be transparent
Let’s revisit that statistic from the very beginning - that whopping 86% who are increasingly concerned about their data privacy online.
In that same KPMG study, 40% don’t trust companies with their data, 47% are worried about data being leaked or hacked, and a whole 51% were concerned about their data being sold.
That means that brands who do not in fact sell their users’ data are missing out on the opportunity to strengthen their trust with users and improve retention.
Don't miss that opportunity - capitalize on your solid compliance strategy by being open and transparent about what data you collect from your users.
Consent collection, data management transparency and offering a free choice – these are central to striking a balance between data privacy and data-driven business in the digital economy.
For inspiration on how to be transparent about following these data privacy best practices, check out Umbraco’s Trust Center.
Many thanks to the team at Cookiebot by Usercentrics for sharing their expert insight, and for working with us as an Umbraco Tech Partner!
