Public perception of Privacy and Security in the post-Snowden era has changed, leading to end users caring vastly more about the topic. Last year there were more breaches than ever before, ad tracking technology has grown and will keep growing, collecting more and more data, and awareness of government access to personal data has increased. Although it is still difficult to fully understand the long-term consequences of data collection at this level, the concerns are rising both from a user and a collector point of view. End users, whether they are employees or customers, are requesting a higher level of respect towards their privacy and putting forward more questions as to how and why their personal data is handled.
To manage this situation, businesses have a wide range of options available. However, choosing the best one can be overwhelming at times. In 2014, according to a survey conducted by TRUSTe, 22% of businesses with at least 1,000 employees had budgets of 1 to 5 million to manage privacy and security concerns. Assuming that budgets will be similar or higher this year, what is the most effective use of the funds?
- Internal Training
Most data breaches occur due to employee error caused by a lack of appropriate training. The solution here may seem straightforward: improving security training amongst employees within the organization, ranging from basic password guidelines to restricted access policies. However, businesses are facing the issue that employees do not always apply what is learned during training, even less so when it is carried out through an online platform. Our recommendation? Make sure you use a relatable storytelling approach specific to your audience, as well as innovative and interactive workshops, to involve your employees as an integral part of your privacy solution. This article contains examples of classic storytelling techniques.
- Educating Your End Users
Customers do not always understand the need to collect certain types of data within an app, especially when it doesn’t seem to be related to the app’s main functionality. An example of this is a request for the user’s location within a book review app. The user may be reluctant to divulge this information as the link is unclear, until the user is informed that it will highlight the closest bookshop where they can pick up books similar to one they reviewed positively. There are many ways to educate users on data collection. Our recommendation lies in the clever and targeted use of wizards and notifications.
- Privacy Audits and Assessments of Your Data Usage
It is never too late to assess how your company is handling data, both collected internally and through your apps.
At an organizational level
Looking at the big picture may feel overwhelming. Our recommendation would be to start by analyzing the data flow within each department separately.
On the app’s frontend
Is your app privacy-friendly? Are your “privacy” notifications (request of collection of location, access to contacts, etc.) invasive and disrupting the user journey? Did you integrate privacy from the outset of the app build?
Via a strong UX/UI review combined with an audit of data collection, you could improve your users’ experience in a straightforward manner. We recommend being transparent about data usage without being invasive to help increase user engagement and retention.
- Privacy and Security Policies Revision
On the app’s frontend
It is commonly accepted that nobody (besides a few privacy lawyers) reads privacy policies. If you would like your users to read yours, our recommendation is to make it as visual and interactive as possible.
- Governance and Risk
Establishing whether your privacy and security initiatives are proportionate to the risks that your business is facing can be very tricky. Business-minded people will always be more inclined to take a riskier approach for the sake of business innovation. And this is fine. Our recommendation? There is no need to overdo it. However, limiting your approach to following the legal requirements is perhaps too narrow. You should identify the types of information that are to be safeguarded (employee, business customer, user, non-personal business confidential, IP, etc.) and determine how sensitive each type of data is. Implement preventive actions that correspond to the level of sensitivity. Think ahead about how you would react if there were a breach of your sensitive data, put an emergency strategy in place, and make one member of your team responsible for ensuring this strategy is carried out if needed.
All of the above may seem straightforward enough. However, innovation lies in how these tasks are implemented. Looking to innovate? Check out DMI’s Privacy offering.
Agathe Caffier, Senior Counsel, International Operations & Privacy Specialist