Here’s a 10-point checklist that your small business can use to see whether your privacy practices are up to scratch.
1. Do a review of all the types of personal data you collect.
Your business may have gone through some significant changes since you first created your website or app policy.
Perhaps your app’s Terms of Service have been tweaked, or you’ve added email marketing into your promotional channel mix. Whatever has changed, start your audit by taking stock of all the different types of personal data your business collects.
When conducting your review, you should make sure data is categorised correctly, as different categories may need to be treated differently. For example, the General Data Protection Regulation (GDPR) treats sensitive personal data very differently to ‘regular’ personal data, with the latter being under fewer restrictions for processing.
2. Check how data is currently being used and why.
Now that you’ve got a clear picture of all the data you collect, you should review how it’s being used and for what purposes.
Under the General Data Protection Regulation (GDPR), you must have a lawful basis for processing data such as people’s email addresses, phone numbers, location, credit card information, and more.
Again, if you find that you’re processing sensitive personal data such as information about people’s health, religious beliefs, or ethnic background, you’ll need to check that you’re in compliance with the GDPR’s conditions for processing.
3. Check how data is being collected.
Next, you should review whether you are collecting data through lawful means, as privacy laws may have changed since you last checked.
Under the GDPR, people have a ‘right to object’ to their data being tracked, so the onus is on businesses to disclose if and how people’s data is being collected and give them the choice to opt in or opt out. For example, your website may have cookies which collect information about a user’s browsing session.
Depending on where your business is based, you may need to have a cookie banner on your website so that users can consent to you using cookies to track them.
4. Check where this data is stored and who has access to it.
While users may have entrusted their data to you, this doesn’t mean their consent extends to others in your business having access to it.
To avoid violating any privacy laws or user agreements, you should maintain strict access permissions to data collected by your business.
5. Check how this data is being kept safe.
Depending on the size of your business, the types of data you collect, and laws that apply to you, there are certain security standards and procedures you should comply with.
Whether it’s implementing two-factor authentication, enforcing good password practices, or updating your cybersecurity software to protect business computers and databases, you should review and test your data security measures every now and then to ensure data is adequately protected at all times.
6. Have you adopted a “privacy by design” approach?
To make compliance simpler for your business, you could also use this audit as an opportunity to implement or augment your current business practices to take a privacy by design approach.
This could include measures such as data minimisation, where you seek to minimise the collection and usage of people’s personal data wherever possible, and data anonymisation. Let’s use a local takeaway restaurant business as an example of both of these principles.
Instead of requesting a customer’s full name when they order a meal online, their online ordering system could instead be set up to assign random numbers to an online order so that the customer can be uniquely identified.
Taking the time to plan out and apply a privacy by design approach to your business won’t just save you time trying to navigate compliance, it can also make your customers’ experience smoother and more trustworthy.
7. Check how long data is retained (and if you’ve deleted data as agreed).
While the GDPR doesn’t impose a limit on how long you can keep people’s data, it does say that you need to have a lawful basis for retaining data – that is, data shouldn’t be kept for longer than is necessary.
So, if you have data hanging around from customers that haven’t done business with you in years, you might want to review whether it’s still necessary for you to keep in your business database, or if it should be deleted for good.
8. Review data sharing and processing contracts with third parties.
As customers entrust you with their data, you are accountable for any third parties who you share or process their data with.
Whether your website uses Google Analytics, ticketing software, or targeted advertising, you should regularly review your agreements with each third-party software to see whether anything has changed from a privacy perspective, and assess whether that impacts on existing privacy agreements with your users.
Following on from the previous point, you should notify your customers well ahead of time of anything that could impact their privacy.
From the outset, you should also be notifying users of your website or app about their rights around their data.
Both the GDPR and the California Consumer Privacy Act (CCPA) define a set of “data rights” that users are entitled to, such as the right to know whether they are being tracked online.
In the unfortunate event that your business suffers a data breach, there are also laws that make it mandatory for businesses to notify all those impacted by the breach within a certain period of time (under the GDPR, this can be as soon as 72 hours from the time you became aware of a breach).