You are setting up your business and have a million problems to worry about. Languishing toward the bottom of your painfully long to-do list are the words “privacy policy for website.” You plan to find a precedent online at some point and use that for now. After all, nobody actually reads privacy policies, right?
Data protection compliance can seem like a tick-box exercise. At a very basic level, you need to publish a privacy policy; if you are using email marketing, you need to get consent to add people to your mailing list. However, in order to be compliant with privacy legislation, you must dig deeper to understand what personal data (information that identifies a natural person) you process, what you do with it, who processes it on your behalf and the legal justification you have to carry out such activities. I believe this process can be really valuable in perfecting your business offering to ensure that it meets both the needs of your customers and legal obligations. Understanding how your business uses personal data is absolutely crucial to its chances of success. For me, there are 3 reasons why getting the data protection analysis right is paramount to your business: (i) user experience, (ii) making it easy to become and remain compliant and (iii) managing your risk.
User experience
Imagine that you are setting up a dating app. You have designed fantastic graphics and really innovative features. You begin to think through your sign-up workflow – the process that your users have to complete in order to be able to use your app. What information do you need? Name – to ensure that you can ID the user within your own system; email address – to create a user account for them and to be able to send them payment and system communications. What about the gender they identify as, their sexuality, body type, sexual preferences, allergies, illnesses, job, earnings, location? All of these things are potentially useful to you and may be something that users would like to post on their profiles. But do you collect them at sign-up, or later when you get the user to create their profile? Do you need them at all?
Experts in user experience will generally advise you to request the smallest amount of personal data from new users. You should collect only what you need to set them up on your app. New users are fickle and are likely to lose interest if they can’t easily fulfill their objective: getting access to your service. Once a user has been granted access to your service, they are then more likely to provide further information to unlock additional features.
So our new user has now created an account, and can view other people online. The next step is setting up their profile. Do you really need all the data listed above? You may feel that having a huge amount of data could be useful in the future but doesn’t follow a legal basis for collecting it. Data protection legislation states that you must only collect personal data that you need and process it only for as long as you need it. Collecting personal data because it might be useful in the future is likely unlawful. But even more than that, will your users be comfortable giving you information about their job, health conditions or sexuality? People are increasingly aware of their online safety, particularly while using a dating app where they are perhaps feeling more vulnerable than normal. You want to instill a feeling of trust in your users – asking them for unnecessary and intrusive personal data isn’t the way to do that.
Keeping your compliance obligations easy to meet
Certain types of personal data (relating to health, sexuality, race, criminal records etc.) are defined in law as “special category data” to which more onerous rules apply. If you collect and process special category data, you must ensure that it is processed in a secure way (generally encrypted and with access protected by multi-factor authentication), and you as the controller of that data are subjected to greater limitations on what you can do with it.
Similarly, if you process personal data relating to children, you must ensure that your privacy documents are intelligible to children, you must allow children to request deletion of their data in an accessible manner, and you owe a higher standard of care when you use their data.
Processing special category data and data relating to children increases your compliance costs – you must spend more on security, have policies in place accessible to children and ensure that you act wholly in compliance with the more onerous obligations imposed by law. Limiting or avoiding entirely the processing of these types of data will make your life much easier.
Related: Cyberattacks: Why Cybersecurity Needs to be a Priority for Startups
Risk management
A key principle of data protection compliance is managing risk: to your data subjects and your own business. A compliant business is a business that has identified and managed its risk with regard to data protection.
Back to our dating app, we are processing the chats of our members, some of which may be highly personal. We may also hold information about them that is highly personal, including their sexuality. The law requires that we are clear with our users what we will do with that data, and what rights they have in respect of it. Our privacy policy will detail how we will use different categories of personal data – including to manage our app, categorize profiles so they appear to appropriate audiences on the app and invoicing our users. It will also explain to our users how to exercise their rights including how they can request a copy of the personal data held about them, and how to ask for their personal data to be deleted.
However, what is key to managing our risks as a business is ensuring that our systems and processes are efficient and reliable, and that our processing of personal data reflects what we have set out in our privacy policy. Imagine that a user asks us to delete their personal data. Can we do that? What about chats they have had with other members? Do we delete all history chats, even though it will impact on another user’s experience (by removing some, or all the chats they have had with that user)? When we are asked to provide a copy of a user’s personal data to them, does that include all chats with other users, and are we able to provide one user’s half of a chat to another user? These are all questions that need to be identified and resolved before a user makes a request.
In order to effectively manage your risk, you must really understand your business’ use of personal data and have a detailed understanding of how you will meet your obligations to customers.
Conclusion
Data protection compliance is not a tick-box exercise. It is also not an afterthought once you are ready to launch your business. It should be looked at front and center and be an integral part of the design and development of your business (particularly if you are a software/technology business). Understanding the data that you will process, why you need it, and what you will do with it, will allow you to optimize the user experience, structure an efficient and simple business in which your compliance obligations are clear, and manage your risk in an effective way.
Sign Up: Receive the StartupNation newsletter!
The post Doing the Data Dance: Why Data Protection is Paramount to Your Business appeared first on StartupNation.
via https://www.AiUpNow.com
October 18, 2021 at 12:07AM by Michael Buckworth, Khareem Sudlow
