Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve your brand. However, data analytics can have big privacy implications.
You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience problems or adverse effects simply from the way organizations use data for business purposes. These “privacy events” can result in a range of problems, from customer embarrassment if the information is revealed that they didn’t anticipate, to more tangible harms, such as discrimination or economic loss.
Do I need to be concerned about privacy as a small business?
Absolutely, if you’re conducting data analytics or relying on a service provider to do it for you. Data analytics may be useful for improving your business, but it relies on your customers’ data. Data analytics are powered by machine learning, which finds patterns within large quantities of data and reapplies them to make decisions on how best to create beneficial business results. With data analytics, customer data may be collected in multiple ways, such as tracking customers’ activity on your website or customer email interactions, directly asking customers for information during the course of doing business or through live chat and phone calls, or through feedback obtained from customer surveys. Data analytics can reveal sensitive information about people or even create issues of bias that lead to discriminatory differences, such as displaying advertisements based on stereotypical ideas about gender, race, or economic status. Whenever you interact with a customer, it is important to protect their privacy so that you do not lose their trust or business.
I rely on outside service providers. Aren’t they managing privacy for me?
It depends. If you are unaware of what your service provider is handling for you, you should review your contract with them to verify that they are meeting your business’s privacy objectives. Communication with your service provider is key to success! Here are some helpful tips when working with your service provider(s):
Verify that the customer information you share with your service provider(s) is being used for your business’s data analytics and not for any other purposes.
Ask about options that reflect your business’s privacy priorities. You might be surprised by what is available.
Does your contract require your service provider(s) to provide notice of any security or privacy incidents that they may experience? Service providers should be able to share this information so that you can better communicate with your customers, if necessary.
Another question to consider is whether your service provider(s) are using Privacy-Enhancing Technologies, or PETs (and we’re not referring to Fido over there), to help manage privacy risks? Certain types of PETs enable a service provider to analyze data without having to access the actual customer data itself. PETs help keep data anonymized, which protects your customers’ identities!
What resources can I use to jump start privacy within my small business?
The NIST Privacy Framework’s Learning Center has several resources that can help you get started. Have you ever felt frustrated reading a manufacturer’s long instructions manual? Think of the Getting Started with the NIST Privacy Framework: A Guide for Small and Medium Businesses Quick Start Guide as a “speed read” version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help you get started on tackling your business’s privacy concerns. The Quick Start Guide addresses some key issues when considering what your business needs are when it comes to identifying privacy risks, such as when doing data analytics. It is laid out in a “Ready, Set, Go” format which makes it easy to approach developing or improving a privacy program.
The Learning Center also has helpful videos, ranging from a fun 4-minute animated video to a more in-depth webinar with a panel of experts using the Privacy Framework for regulatory compliance and risk management. There is a one page summary of a Privacy Framework success story from Arlington County, VA, where you can learn how the Privacy Framework was used to improve Arlington County’s privacy practices. Lastly, the Resource Repository has mappings between the Privacy Framework and different laws and standards.
Privacy doesn’t have to be overwhelming! Using resources to help get you started, being aware of the privacy risks your business faces, and communicating with your service provider(s) are important first steps. Your customers will be grateful in the long run for taking care of their privacy.