A Simple Guideline for Enterprise Data Privacy

Corey Keyser
Dec 20, 2022

Data privacy is a bit like health. We are all pursuing it and we all kind of know it when we see it, but if you were asked to define it you might find yourself stumbling. For me, the best way to make sense of data privacy is to understand it as a right. So here goes: Data Privacy is the individual right to have your personal data, as in the data that can personally identify you, protected from nefarious use.

The central mistake that I see a lot of companies making is that they try to understand data privacy only through the lens of regulatory consequences. As in, they hear about data privacy and they immediately think only of GDPR and CCPA. That is the wrong way to go about this. What we must first understand is that data privacy is a moral problem that is followed downstream by evolving regulations that can only attempt to approximate the right way to protect data.

I know this might sound preachy and a bit obnoxious, but there is a good reason why companies should build their data privacy foundations primarily around a concern for the ethical protection of data. That is because a narrow focus on the regulations alone will not protect companies from all of the possible consequences of insufficient concern for data privacy. Namely, following the regulations alone cannot protect companies from the cybersecurity risks, reputational risks, and even national security risks that can come from not taking a strong enough posture with regard to protecting their customers’ personal data.

So, my recommendation for many companies is to think about data privacy first through the lens of doing what is right by the customer while secondarily continuing to follow relevant regulations.

A good analogy for this is a computer science concept called the “principle of least privilege”, which says that you should “limit users’ access rights to only what are strictly required to do their jobs.” In the narrow context of data management that seems like a relevant first step towards data privacy, but when thinking about data privacy in an even broader context we should think in terms of the “principle of least consumption”: companies should look to limit the use, storage, and dissemination of personal customer data only to practices that 1) improve customer experience, 2) meet regulatory requirements, and 3) don’t endanger customers if the data were leaked.

*Views expressed in my posts are my own and do not represent those of my employer*
