Data privacy: 4 things every business professional should know
1. WHAT CONSTITUTES PERSONALLY IDENTIFIABLE INFORMATION?
Personally identifiable information (PII) is any information that can be linked to a specific person. Examples of PII include:
• Name
• Address
• Phone number
• Email address
• Social Security number
• Driver’s licence number
• Social media handles
• Bank account number
• Passport number
THE IMPORTANCE OF DE-IDENTIFYING A DATASET
When non-identifiable information is linked to PII in a dataset, an individual’s privacy is lost. It’s of the utmost importance that consent is given before any PII is collected or made public. To protect privacy, one tactic is to de-identify data, or remove all PII from a dataset.
For example, if your company is tracking spending habits across various demographics, remove customers’ names, contact information, address, and credit card details, leaving only their demographics (for instance, age and gender) and purchase history. This ensures your company can still analyse variables of interest without putting customers’ privacy at risk.
The process of de-identification requires you to think critically about the connections that can be made through data, so that it is truly de-identified. Harvard Professor Latanya Sweeney, who’s featured in Data Science Principles, conducted research to discover how easily de-identified data can be re-identified. Re-identification is the process of combining two or more datasets to reveal identities, and it presents a significant threat to privacy.
In the course, Sweeney explains that information often assumed to be anonymous – like birthdate, gender, and ZIP code – can be linked to specific individuals in public, non-de-identified datasets, like voter lists.
“Eighty-seven per cent of people in the United States are estimated to be unique based on date of birth, gender, and ZIP code,” Sweeney says. “If somebody takes a dataset that’s supposed to be anonymous and re-identifies the people in it, all kinds of harm can happen.”
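The de-identification and re-identification risk described above, as an added example that is not part of the original article: the direct identifiers are dropped, then the script measures how many records share each (date of birth, gender, ZIP) combination and shows that generalising those fields to birth year and a three-digit ZIP prefix raises the smallest group size. The records, column names and the group-size (k-anonymity) check are constructed assumptions.

```python
from collections import Counter

# Columns treated as direct identifiers; these are dropped outright.
DIRECT_IDENTIFIERS = {"name", "email", "card_number"}
# Columns that are not identifying alone but can be when combined (quasi-identifiers).
QUASI_IDENTIFIERS = ("dob", "gender", "zip")

# Constructed sample records (fictional people); "spend" stands in for purchase history.
RECORDS = [
    {"name": "A. Lee", "email": "a@example.com", "card_number": "card-0001",
     "dob": "1980-03-14", "gender": "F", "zip": "02138", "spend": 120.0},
    {"name": "B. Ortiz", "email": "b@example.com", "card_number": "card-0002",
     "dob": "1980-11-02", "gender": "F", "zip": "02139", "spend": 75.5},
    {"name": "C. Patel", "email": "c@example.com", "card_number": "card-0003",
     "dob": "1975-06-30", "gender": "M", "zip": "10001", "spend": 300.0},
    {"name": "D. Kim", "email": "d@example.com", "card_number": "card-0004",
     "dob": "1975-01-09", "gender": "M", "zip": "10012", "spend": 42.0},
    {"name": "E. Novak", "email": "e@example.com", "card_number": "card-0005",
     "dob": "1992-07-21", "gender": "F", "zip": "94110", "spend": 18.0},
    {"name": "F. Diallo", "email": "f@example.com", "card_number": "card-0006",
     "dob": "1992-12-05", "gender": "F", "zip": "94117", "spend": 210.0},
]

def de_identify(records):
    """Drop direct identifiers, keeping demographics and purchase history."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]

def quasi_key(record):
    """The combination an outside dataset (e.g. a voter list) could be joined on."""
    return tuple(record[c] for c in QUASI_IDENTIFIERS)

def group_sizes(records):
    """How many records share each quasi-identifier combination."""
    return Counter(quasi_key(r) for r in records)

def min_group_size(records):
    """k-anonymity of the dataset: the smallest group size. k == 1 means someone is unique."""
    return min(group_sizes(records).values())

def unique_fraction(records):
    """Share of records whose quasi-identifier combination appears only once."""
    sizes = group_sizes(records)
    return sum(1 for r in records if sizes[quasi_key(r)] == 1) / len(records)

def generalise(records):
    """Coarsen quasi-identifiers: full date of birth -> birth year, 5-digit ZIP -> 3-digit prefix."""
    return [{**r, "dob": r["dob"][:4], "zip": r["zip"][:3]} for r in records]
```

Run against a real export, a `min_group_size` of 1 after dropping names and contact details is the signal that the dataset is not yet de-identified in the sense Sweeney describes.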
2. HOW TO PROTECT DATA INTERNALLY
While your company may collect and store customers’ data, not all employees should have access to it. PII should only be available on a need-to-know basis within an organisation. This prevents any accidental, or purposeful, misuse or publication of sensitive information.
Here are some simple but effective tips to secure data internally:
• Lock your computer when you get up from your desk.
• Lock any filing cabinets or drawers containing hard copies of data.
• Password-protect database access.
• Use a secure file transfer method.
• Properly store physical copies of data, and don’t leave them out where they could be taken, misplaced, or read.
• Don’t message or talk about sensitive data with others unless you’re in a secure, private meeting room.
Although some of these tips seem like common sense, they can go a long way in ensuring your customers’ data remains in the right hands.
3. IT’S A LEGAL RESPONSIBILITY
Data privacy is a legal responsibility with strict guidelines and repercussions. The laws that apply to your company depend on location and the type of data you handle. Familiarise yourself with the laws that pertain to the locations of your business and customers.
Here are a few examples of data privacy laws, who they impact, and what they generally require. In addition to data privacy, many of these laws include mandates pertaining to data security.
GENERAL DATA PROTECTION REGULATION (GDPR)
The GDPR is a data protection act passed by the European Union in May 2018. This law applies to any person or company that handles the data of Europeans. The seven pillars of the GDPR are:
• Lawfulness, fairness, and transparency: There should be no deception in the data collection process.
• Purpose limitation: Data subjects must be told why you’re collecting their data.
• Data minimisation: You must only collect the smallest amount of data necessary for your specified purpose.
• Accuracy: You must keep data accurate and up to date.
• Storage limitation: The data must not be stored for longer than the intended purpose.
• Integrity and confidentiality: Appropriate security measures must be in place to ensure confidentiality, and the data’s integrity must be maintained across format and time.
• Accountability: Data handlers are responsible for complying with the GDPR.
The GDPR is extensive and, at points, vague. If you’re collecting data from customers who live in the European Union, give this law a thorough read through to ensure you’re in compliance.
CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
The CCPA, passed in June 2018, protects California citizens’ right to be aware and in control of what personal data businesses collect and store about them. The law comprises four key individual rights:
• The right to know about the data businesses collect about them and how it’s used and shared
• The right to delete personal information collected from them (with a few exceptions)
• The right to opt out of the sale of their personal information
• The right to non-discrimination for exercising their CCPA rights
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
HIPAA is a law passed in 1996 to protect the medical privacy of US citizens. The HIPAA Privacy Rule was put in place to provide explicit guidelines for any person or organisation that handles medical data. This includes:
• Health care providers, such as hospitals, doctor’s offices, and dental practices
• Health plans, such as insurance organisations and health maintenance organisations
• Health care clearinghouses, for instance, a company that transfers health care data from a health care provider to a business associate
• Business associates, whose duties include claims processing, data analysis, utilisation review, and billing involving personally identifiable medical data
The HIPAA Privacy Rule aims to protect individuals’ rights to know and control who has access to their medical data and understand how it’s being used. It protects their right to privacy while still allowing for the transfer and use of data to drive medical advancement.
4. IT’S AN ETHICAL RESPONSIBILITY
Data privacy is not only a legal matter, but an ethical one. The ethics of data privacy can be boiled down to the fact that an individual’s consent is necessary to collect, store, and use their personal information.
The powerful nature of data can be enticing, but it’s important to judiciously use PII. Remember: There are real people behind your data points. They have identities and lives that could be at risk if their sensitive data ends up in the wrong hands, which makes your precautions and transparency well worth the effort.
PROTECTING YOUR CUSTOMERS’ DATA
Your compliance with privacy laws, internal precautions, and efforts to de-identify data help uphold your customers’ safety and right to privacy. In giving you their consent, they’re trusting you to protect their information and use it for a specific purpose – whether that’s identifying a trend that could lead to a new product, tracking spending habits to personalise their shopping experience, or backing a decision to increase funding for a specific health care initiative.
Understanding the ethical, legal, and logistical foundation of data privacy enables you to maintain their trust and use data to make a positive impact.
Taken from online.hbs.edu