5 steps to improving data privacy in your business
Do you know what kind of personal information you collect from your customers—and how you are protecting it? Basic information such as a name, an email address and banking information are often all hackers need to carry out sophisticated identify theft schemes. Yet, many business owners don’t have a clear idea of what personal information they are holding and how they should be protecting it.
Turning a blind eye to data privacy can be costly for businesses. In June 2022, the Superior Court of Quebec approved a $200.9 million settlement in a class-action lawsuit against financial cooperative Desjardins. The company was found to have allowed gaps that enabled an employee to steal the personal information of 4.2 million people.
The proliferation of breaches and consumer demands for privacy and control of their own data have led governments to adopt new regulations, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). The provincial government of Quebec introduced a data privacy act in 2021. It sets a precedent in Canadian privacy law by introducing new standards for individual privacy rights and corporate data management policies, among other measures.
At the federal level, Bill C-27, which is currently before Parliament, seeks to add more teeth to Canada’s data protection legislation. If passed, it could lead to fines of up to 5% of global revenue or $25 million (whichever is greater) if a company hasn’t done enough to protect its sensitive data.
Data privacy should be top-of-mind for all Canadian businesses in 2022 and beyond.
In my experience working with small to large businesses across Canada, the data privacy programs that most companies have fall short of consumer expectations and some of many of the requirements of this proposed legislation.
Consumers themselves are also becoming conscious of data privacy.
I recently refused to do business with a dry-cleaning company because they asked for my name, phone number, address and email for a simple service. They were not able to adequately explain why they needed this information and were not clear about how they would use my personal information.
And I’m not alone. Consumers are not willing to share private data for transactions they view as less important.
A 2020-21 survey by the Office of the Privacy Commissioner of Canada found that:
- 71% of Canadians have refused to provide personal information due to privacy concerns.
- 40% of Canadians said they had stopped doing business with a company that had experienced a data breach.
Businesses need to expect more astute questions from customers about their data privacy programs. Yet, in my experience working with small to large businesses across Canada, these programs fall short of consumer expectations and the requirements of the proposed legislation.
What is personal information?
Personal information is anything that can directly or indirectly identify a person. This can include:
- an individual’s name
- date of birth
- contact information
- credit card number
- social insurance number
- IP address
- location data
From a consumer perspective, data privacy is the ability to understand and have control over:
- what information is being collected about them
- who is accessing it and who is storing it
- for what purpose
- how long it’s kept
- how it’s disposed off, if at all
- how it’s being protected
- whether it’s being transferred or sold to third parties
If done well, the way you handle data privacy can become a point of differentiation and even a source of competitive advantage for your business.
5 steps to prioritizing data privacy
1. Look at the data you’re collecting and storing—and why
The dry-cleaning company I declined to do business with is not unusual in collecting more information than they need. It’s important to consider what private information you truly need to serve your customers.
- Are you simply following a template?
- Is your approach consistent with what a reasonable person would expect?
- Are you clear about the value for your customer?
The more data you collect, the more risk you take on for protecting and storing it, and the more expensive it is—whether you store it in paper files or digitally. If you’re not intentional about the data you collect and retain, you could be accumulating wasteful data storage costs. It’s also more complicated to search larger data stores.
Remember: Good data governance includes a collection and retention strategy that aligns with your needs, industry regulations and your customers’ privacy expectations.
2. Define who should have access to the data
In the Desjardins data breach, one employee was ultimately responsible for compromising the privacy of millions of customers. That’s because they were essentially able to walk around in a digital vault and help themselves to whatever data they wanted.
There are various ways of preventing this. The most common is to define roles and the access associated with each role. Then, certain privileges are granted, while others are limited. This may seem obvious, but most of the businesses I work with don’t do this with rigour. The principle of least access is a good general approach.
- What are your formal user ID registration/deregistration processes? Are these linked to your HR processes related to onboarding/exit and change of role?
- Do you have a defined process to grant and revoke access? A good practice is to limit shared access, link individual IDs to people, and record and periodically review access rights.
- Who can access important business applications for HR, payroll and accounting platforms where a lot of sensitive data is found? What levels of access should each person have, (e.g., read, write, delete, download, etc.)?
Although security and privacy are often the last things companies want to spend money on, the unfortunate truth is that many would not survive a data privacy breach.
3. Understand the risks to the data
When I ask clients about their digital security and how they are managing data privacy, almost all of them say, “Our data is on the cloud and it’s secure.” And it’s true, cloud platforms do have stringent security features.
Yet, no matter how secure the environment may seem, a business still needs to review data risks:
- the value of the data;
- the cost of losing the data;
- the privacy implications of gathering the data;
- the cost of various solutions to address the risk.
A risk assessment will help you determine if you need to implement additional security controls to lower, transfer or avoid the risk by changing a process.
The value of IT monitoring services
Cloud misconfigurations are a leading cause of cyber breaches. Users and applications can pile up access permissions beyond what is necessary, for example. These excessive permissions are sometimes granted by default when a new resource or service is added to the cloud environment. These default permissions can be targeted by attackers who exploit them to steal sensitive data and disrupt operations.
Services that continuously monitor your entire IT infrastructure in real-time, including cloud deployments, to quickly detect and respond to security events can help protect your business data and safeguard your business.
4. Train employees about data privacy and their role
Human error and misbehaviour are another common cause of cyber breaches. To prevent them, it’s important to train your employees about how they can contribute to overall cybersecurity and data privacy.
This training should help them understand the risks of failing to follow data privacy protocols for the business and its clients.
Tools that can help you with this include:
- annual cybersecurity and data privacy training
- phishing simulations to gauge training effectiveness and reinforce the required behaviours
- ongoing communication about the benefits to the business
More knowledgeable, confident employees will feel empowered to detect and avoid common cyber and privacy threats, which is a boon to your company.
5. Go beyond the bare minimum
There is nothing wrong with simply complying with local laws. After all, non-compliance could lead to fines, reputational damage, personal accountability, etc.
However, simply focusing on compliance can sometimes lead to doing the bare minimum and missing out on opportunities to stand out from your peers.
By consciously building data privacy into your products, services and business processes, you can shift the focus from what is or isn’t allowed to what creates value for your clients. This will help you take advantage of new technologies, while minimizing unintentional and undesired consequences from the start.
Get expert help
We can help you show your customers and employees that their sensitive information is secure. Contact us to learn more about data privacy certifications.