Small Talk: putting data privacy at the forefront with your customers

For small businesses, there’s some good news: Customers are more likely to trust you than the larger brands, according to a 2021 study by the Kearny Consumer Institute. But remember that trust needs to be earned. As more data is collected, both inside and outside of tech, privacy efforts are now critical – both ethically and legally. No matter your size, it’s never been more important to treat personal data with the respect it deserves. This includes data from paid customers as well as those who simply visit your website or sign up for your newsletter.

Even the most trusted companies can be careless with customer data. It’s not just internal mishandling; businesses often forget that data becomes vulnerable to outside attack the moment it’s collected. You need to be intentional with personal data, regularly review your processes, and always be aware of the changing legal landscape. This involves the information you collect, how you collect it, and how you keep it secure.

Review the laws and get the right people involved

Consumer privacy laws are being created and updated all the time. It’s on you – and your company’s legal counsel, if you have one – to stay on top of these rules and make necessary adjustments to your tools and workflows.

“A great deal of this is new territory and the rules are still being written,” says Lars Olsson, Senior Security Specialist at 1Password. “There’s a growing realization that privacy is a fundamental right, and how it gets discussed and thought about directly affects what we as individuals can expect out of all the technology we use.”

Your company leadership and designated security specialists should review current laws that might apply to your business, while keeping up to date with new developments. If you’re new to data privacy, GDPR and CCPA are the most well-known pieces of legislation, both of which went into effect in 2018. Laws are still emerging, though, at the country and state level.

You can track current privacy legislation on these websites:

• UNCTAD (by country)
• IAPP (by U.S. state)

Data privacy laws will impact all aspects of your business, from HR documentation to your company website. If you have an IT team, work closely with them to understand how data is collected and used across the organization, so you can adjust and clearly explain your processes. If you need any assistance or advice, you should also consider hiring a data collection specialist or data privacy lawyer.

Once your budget and headcount allows it, you should think about hiring a dedicated, in-house specialist to cover security and consumer privacy issues. If it’s not within your budget, the next best thing is to train an existing employee on the basics. So if questions arise – either from employees or customers/visitors – someone’s ready to answer them.

Steps you can take to be a privacy-first business

Once you’re familiar with privacy laws, you can make informed choices about how your small business should be operating. Here are some steps that 1Password’s Security team recommends:

1. Leverage existing tools that emphasize security, especially if you can’t hire a dedicated security/privacy team. For example, paid email services for employees may have a more vested interest in blocking malware and making sure inboxes are as safe as they can be. It’s worth your time to research the security histories of apps and service vendors you do business with, especially if your sensitive data will be shared with them.

2. Write a privacy policy and post it prominently on your website. Then link to it wherever it makes sense to do so. Most companies link to it in the footer of their site, alongside the terms of service. Visitors won’t often read your policy, but they’ll appreciate that it’s there, just in case they have any questions or concerns. And for those who do read it, it’s even more reassuring if you’re straightforward about what data you do and don’t collect, and what you do with that data.

Don’t write your policy with dry, lawyerly language. Instead, use a friendly tone of voice and explanations that everyone will be able to understand. If you haven’t written one before, check out this guide and collaborate with an attorney or privacy expert to get it just right. You can also use reputable privacy policy templates from the web as a starting point.

3. Always ask for consent when collecting Personally Identifiable Information (PII) from customers or website visitors, such as home addresses or credit cards numbers. And never use it for purposes other than what you explain in your privacy policy.

4. Create an internal culture of privacy within your team. Incorporate data privacy protocols into training and everyday workflows so that employees start to think along the lines of protecting data privacy by default, and the common understanding becomes “this is standard practice.”

5. Minimize data collection and retention. If you don’t strictly need it, don’t collect it. And only keep it as long as you need it – “forever” isn’t a good answer.

6. Protect the data you do collect by properly securing company databases, especially those with customer and visitor data. There are free resources on the internet to help you learn more (for example, OWASP), but if you don’t have the time or inclination, hire a consultant to help.

Get your staff aligned with your privacy policy

New policies are pointless if nobody follows them. Comprehension and accountability across the entire workforce will ensure that consumer privacy is a core value, not just a marketing slogan.

Plan some employee education around privacy laws and your company’s privacy policy. Make it part of your onboarding and reinforce it with regular reminders and training sessions. The latter should be tailored to each employee’s role – how they’ll personally engage with customer data and how to best use their tools with security in mind.

Mistakes are inevitable. An employee might share private data over a Slack channel, for example. These are learning opportunities for your team. Avoid using scare tactics, and thank employees when they come forward and report a mistake they’ve made. Foster a culture of privacy and hire employees who can be active, respectful contributors. The principle of least privilege will also help by minimizing who has access to what.

If an employee does intentionally abuse customer or visitor data (for example, steals it, sells it, or manipulates it), you may need to take stronger disciplinary action. Upon review, determine the intent and severity of the incident and work with HR on the best path forward, while ensuring the data is restored and customers are kept safe.

Transparency goes a long way

As you grow your business, you should have nothing to hide when it comes to your data practices. Nurture a transparent relationship with your customers and visitors so your success is built on a sturdy foundation of trust. Then continue to invest in that trust, just like you would with your product or workforce.

With your privacy policy out in the open, you’ll need to routinely ensure that it’s accurate and honest. Review and update policies at least annually to keep them current with regulations and any company or process changes.

“When changes are made to business practices that affect privacy, that should remind someone to change the policy as needed,” says Olsson. “The thing to avoid is having what you do be at odds with what you say you do, when it comes to privacy and customer data.”

Don’t forget to prepare your customer support team for any privacy-related conversations with customers. This can involve a direct line to security specialists or a comprehensive reference guide on compliance and your company’s processes. This way, they can confidently answer questions or concerns so trust never takes a backseat to your company’s growth. You could even put together a data privacy FAQ or other resource on your website.

“Be the company that, even as a small business, has obviously thought about – and cares about – not just their customers’ business, but also their privacy,” says Olsson. “These different steps add up to a feeling of trust among your website visitors and potential customers. And visitors who feel you’re trustworthy are more likely to become customers.”

Protect your business, protect your customers

For today’s small businesses, collecting data is just part of the job. And any you collect, you’ll need to keep safe. Even customer information you collect and use ethically can be at risk if your company is breached. It’s crucial that employees know their role in protecting company information and, by extension, your customers.

Mindful online habits are the first line of defense, since most data breaches involve a human element like weak or reused passwords. A password manager like 1Password helps employees create strong, unique passwords for every account they use while keeping these passwords safe from unwanted access. Closing this security gap will minimize the chance of a cyber attack and, by extension, any leak of customer data.

It’s a scary time for customers, with data as a new currency of sorts and everyone out to get it. Be respectful. Be honest. Stay alert. Earn the trust of your customers, and it will only grow stronger over time.

Andrew Zangre

Content Marketing Manager