One approach to promoting privacy best practices is to bake in privacy protection at every stage of your business process. Adopting this approach, known as “privacy by design,” can help build consumer trust. Even if your business practices are well established, you can rethink how you handle data throughout your operation to make privacy a priority. Start with these steps:
What types of data does your business collect? If you collect data that can be reasonably linked to a specific customer, computer or device (e.g., cookie data), consider it personal data. Classify information according to privacy risk, paying particular attention to sensitive categories such as Social Security numbers, credit card or other financial information, and location data. Track the flow of personal data throughout your business to get a complete picture of:
Collect and store only the data you need to run your business and to meet legal requirements. You may be able to eliminate data elements you don’t need by changing default settings in your online forms or database software. Remember, you have a responsibility to protect all personal data you collect, so limit your burden and your risk.
Lock it up
Review your data security practices to ensure you’re protecting customer data from identity theft and cyber threats. Address each of the following security must-dos:
You can find more data security tips from the BBB at “Data Security – Made Simpler.” (bbb.org/data-security)
Pay attention to special data categories
Certain kinds of data collection and use are subject to specific legal requirements. While we can’t cover all of these here, be aware that you will have additional compliance obligations if your business engages in certain common practices:
The FTC provides useful guidance on these and other privacy topics. You may wish to consult an attorney with any specific questions.
Dispose of data responsibly
Keep data only as long as you need it. A written retention policy will remind you when to discard various categories of data, and help you plan for its secure disposal. Use a commercial shredder for paper records and destroy or wipe PC and server hard drives. Don’t forget copier hard drives, which can store personal data among thousands of digitized images.
Create a privacy culture
Promote privacy as a core value in your business by ensuring privacy policies and procedures are clear and consistently enforced. Identify employees who must have access to customer data to do their jobs and make sure they’re trained and accountable. In your business, this could include receptionists, sales representatives, repair technicians or delivery staff, as well as account managers and bookkeepers. Employees who don’t need access to personal data should never see it. Train your employees using examples related directly to the tasks they perform. Post simple written guidelines and reminders. Require new employees to sign an agreement to follow your company’s privacy and security standards. Finally, designate a privacy contact your employees can go to with questions and concerns.
Now that we’ve covered the basics, Part 3 will address special privacy topics for small businesses on the move. Whether you’re going global, hosting ads on your website, or launching your first mobile app, we’ll guide you through the privacy challenges and potential pitfalls as you take your business to the next level.