Privacy, when it comes to Big Data, is a two-way street. We must first promise to treat data carefully and protect it, but we must also plan to act when privacy is threatened or compromised. Both strategies are important. Here are some thoughts on tactics for each side of the ball.
Part of protecting data privacy is not being reactive. Treating data well in the first place goes a long way toward protecting it. Three ideas on the offense include:
- Investing in systems of control and governance. If data is a concrete part of your business, then there needs to be a “data office” that controls how data is used, what data is collected, what its lifecycle will be, and how requests to share and provide that data will be evaluated, scored, and eventually either acted on or declined. This is particularly important in the case of discovery around lawsuits and any governmental requests. You should have proper internal controls and proper systems in place to make sure all of your activities around data are controlled and documented so that all data is treated by the same standards consistent with your privacy policies.
- Putting business processes in place to control and approve the collection of data and how it is used within your organization. There should be a data team in place that reviews how data is used, collected, and requested throughout your entire business. This data team should not be a “roadblock” or a committee, necessarily, but a business partner that serves to make sure the business receives adequate value and insight from Big Data without compromising its standards on privacy and data sharing. The only way this works efficiently is to have data controlled by a central body that then ensures standards are adhered to; this is the way to play offense. Otherwise, you are stuck being reactive when one of the hundreds of little data projects around a typical midsize organization breaks, leaks, or otherwise goes south.
Of course, you can run up the offensive score in a game, but if your defense lets you down, your opponent can still win. Data works similarly. Here are some defensive ideas.
- Having a crisis response plan that is well thought out and tested. Unfortunately, playing defense sometimes means that an event requiring a response has already happened: a breach, an unfortunate event at a partner company, or perhaps a completely separate event that starts a much larger conversation (think of how the Edward Snowden NSA events catalyzed a much bigger movement that was about issues well beyond government snooping and eavesdropping). Develop a plan and test it out beforehand. Hold a tabletop exercise based on certain events, both internal and external to you. Be sure to include all stakeholders when developing your plan so that, in the event something does happen, you have a cue card and you know what is involved.
- Regularly reviewing how your affiliated partners and subsidiary companies use the data you provide to them, and pulling the plug if they fail to meet your standards at any time. You can only control yourself and your own organization, but that does not mean you do not have the responsibility to ensure the recipients of your data are living up to your own commitments. Do not be afraid to be vigilant here.
When dealing with data, it is important to consider both of these strategies. To learn more about a privacy-first approach, take a look at our data privacy page and learn about our seven principles.