It’s estimated that within the next year privacy regulations will apply to 75% of the global population. In most cases, compliance with these laws will come down to corporate responsibility. Is your business ready?
Fair Information Practices: The core of data privacy
Data privacy regulations have picked up momentum in recent years, but they’re by no means a new invention. One of the foundational frameworks for protecting customer data was created in the 70s, with the Fair Information Practice Principles (FIPPs).
These nine principles include points like points like:
Consumers should be notified of how their data will be used before handing it over. An example is the data privacy disclosures at the bottom of email signup forms.
Consumers should have choices in what type of consent they give. When filling out a customer survey, for example, they should have the choice to opt out of marketing information even while submitting their survey information.
Customers should be able to see the information they’ve provided and update it to make it current. For example, an incorrect mailing address in a marketing database should be amendable by the customer.
Customers should be assured that the data they share remains accurate and stored securely. Credit cards saved after a purchase shouldn't be altered, and customers need to know that they can't be accessed by employees or others not required to use this data.
Finally, customers should have a way to hold organizations accountable to these principles, whether legally or criminally. If faulty privacy methods harm customers, they must be able to seek damages or be made whole from their losses.
A brief evolution of data privacy regulations
Following the Fair Information Practice Principles, best practices were put forward by the OECD (The Organization for Economic Cooperation and Development) in 1980 around how data should be securely transferred across borders. (These guidelines were then updated in 2013.)
In 1995, the European Union put forth the Data Protection Directive, creating guidelines on how an individual's data should be collected and used, along with protections around the free flow of data. Then in 1996 in the United States, the Health Insurance Portability and Accountability Act (HIPAA) instituted strict protections around an individual's health and medical data.
As digital transformation continued to progress, the amount of customer data being generated on a daily basis sky rocketed. As a result, many of these regulations were updated to reflect this new digital age. Perhaps most notably is the Global Data Protection Regulations (GDPR) that was introduced in 2018 (replacing the Data Protection Directive), which provided EU citizens with uniform privacy rights.
Even though the GDPR is EU-specific, it applied to any country that did business with EU residents, and also established a global precedent – mirroring consumers’ growing concern over how their data was being collected and used.
In recent years, we’ve seen companies start to implement their own policies in regards to user privacy, like with the phaseout of third-party cookies.
Third-party cookies have acted as the backbone of digital advertising for years, but this kind of retargeting has been increasingly off-putting to users – dredging up questions of who’s tracking them, and how is that personal data then being used? (One survey found that 75% of consumers distrust the way their data is shared.)
As a result, both browsers and government regulators have decided to do away with third-party cookies entirely, as seen in the timeline shared below. (For a more comprehensive guide to the third-party cookie phaseout, check out this guide.)
The importance of safeguarding data privacy
Companies that don't prioritize customer privacy face substantial risks, including:
Lawsuits
Government fines
PR nightmares
Customer loss
Privacy can't be separated from doing good business. In fact, it helps companies do better business.
Ensure business data protection
True to its name, business data protection refers to how companies are safeguarding their customer data – from best practices and policies, to certifications like ISO 27001, and specific user access controls or permissions (e.g., limiting the accessibility of personally identifiable information internally).
Email addresses, credit card information, social security numbers – these are all examples of customer data that needs to be protected. And when we talk about “protection,” we’re referencing things like security breaches and non-compliance with applicable data privacy laws.
A few ways to ensure business data protection include (but are not limited to):
Staying compliant with data privacy laws. This might seem like an obvious step, but these regulations are constantly evolving. It can be hard to keep up, and implement protections at scale.
Getting the proper certifications and attestations (e.g., ISO 27001, ISO 27017, FedRAMP, etc.).
Implementing multi-factor authentication (MFA) and/or single sign-on (SSO).
Appointing a Data Protection Officer to oversee efforts with compliance and security.
Regulatory compliance
Regulatory compliance is when an organization adheres to applicable privacy laws and regulations. Depending on your business, you may be subject to industry-specific regulations like HIPAA for healthcare or the Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999) for financial institutions.
Not paying attention to regulatory compliance would be disastrous for businesses from both a legal, ethical, and a PR perspective. As we mentioned above, appointing a Data Protection Officer or a Data Council can help keep a pulse on evolving legislation.
Segment’s Data Privacy Portal
Every business should be able to answer the following questions:
What customer data are we collecting?
Where are we collecting it from?
Where are we storing/sending this data?
As straightforward as these questions may seem, they can become increasingly difficult to answer as a company grows and grapples with data silos. Segment’s Privacy Portal dismantles those hurdles by providing visibility into the entire data lifecycle and offering controls to protect and automate data privacy at scale. Here’s how.
Establish a data inventory
A data inventory is an ongoing record of all the data a business collects and how that data is used. One of its goals is to create a single, centralized repository in which this data is stored, creating a complete, 360-degree view.
Having a data inventory is essential to keep up with privacy regulations, as it provides a clear view of what data is being collected, its source, how it’s structured, who has access to it, how it’s being used, and so on. (Also, the GDPR requires that companies keep a record of their data processing activities.)
Segment is able to create a dynamic data inventory by automatically detecting and classifying the customer data a business collects. When first accessing the Privacy Portal, Segment scans every Source connected to that workspace to show what data is being collected (using both exact and fuzzy matching to detect the property name and value).
In your Privacy Inbox, you can click into any field to instantly get more information about the events containing that field, the sources sending that field, and which matcher detected it.
Detect and classify PII
From there, Segment is able to automatically detect and classify personally identifiable information (PII). Segment contains matchers for many of the most common PII fields (e.g., social security number, password, credit card number), and then classifies that data as either Red, Yellow, or Green to signify whether it’s highly restricted, moderately restricted, or the least restricted.
Stakeholders can then review, confirm, or modify these classifications as they see fit (as well as adding their own).
Privacy controls
With the Privacy Portal, businesses have complete control over the data they collect, even having the ability to block data at the source level (so that it never enters Segment to begin with). And with real-time alerts, teams can automatically detect an unclassified data type for review.
Fulfill user deletion requests
What happens when a customer needs to be removed from your database? Segment can honor this request at scale, either completely deleting a user record or suppressing certain fields depending on the ask and situation.
We’ve seen a marked increase in these types of requests; Twilio Segment processed ~155% more user deletion requests in 2022 compared to 2021.
*Nothing in this article constitutes legal advice nor should it be construed as legal advice in any way. Instead, the content provided in this post is for educational and informational purposes only.