Conversations about consumer data privacy grow louder each year, with the news headlines to match. Trust in the technology sector is now at an all-time low and customers are increasingly concerned about the privacy of their personal information. It’s become a serious topic that all business owners need to follow, not just security specialists and tech bloggers.
For small businesses, there’s some good news: Customers are more likely to trust you than the larger brands, according to a 2021 study by the Kearny Consumer Institute. But remember that trust needs to be earned. As more data is collected, both inside and outside of tech, privacy efforts are now critical – both ethically and legally. No matter your size, it’s never been more important to treat personal data with the respect it deserves. This includes data from paid customers as well as those who simply visit your website or sign up for your newsletter.
Even the most trusted companies can be careless with customer data. It’s not just internal mishandling; businesses often forget that data becomes vulnerable to outside attack the moment it’s collected. You need to be intentional with personal data, regularly review your processes, and always be aware of the changing legal landscape. This involves the information you collect, how you collect it, and how you keep it secure.
Review the laws and get the right people involved
Consumer privacy laws are being created and updated all the time. It’s on you – and your company’s legal counsel, if you have one – to stay on top of these rules and make necessary adjustments to your tools and workflows.
“A great deal of this is new territory and the rules are still being written,” says Lars Olsson, Senior Security Specialist at 1Password. “There’s a growing realization that privacy is a fundamental right, and how it gets discussed and thought about directly affects what we as individuals can expect out of all the technology we use.”
Your company leadership and designated security specialists should review current laws that might apply to your business, while keeping up to date with new developments. If you’re new to data privacy, GDPR and CCPA are the most well-known pieces of legislation, both of which went into effect in 2018. Laws are still emerging, though, at the country and state level.
You can track current privacy legislation on these websites:
Data privacy laws will impact all aspects of your business, from HR documentation to your company website. If you have an IT team, work closely with them to understand how data is collected and used across the organization, so you can adjust and clearly explain your processes. If you need any assistance or advice, you should also consider hiring a data collection specialist or data privacy lawyer.
Once your budget and headcount allows it, you should think about hiring a dedicated, in-house specialist to cover security and consumer privacy issues. If it’s not within your budget, the next best thing is to train an existing employee on the basics. So if questions arise – either from employees or customers/visitors – someone’s ready to answer them.
Steps you can take to be a privacy-first business
Once you’re familiar with privacy laws, you can make informed choices about how your small business should be operating. Here are some steps that 1Password’s Security team recommends:
1. Leverage existing tools that emphasize security, especially if you can’t hire a dedicated security/privacy team. For example, paid email services for employees may have a more vested interest in blocking malware and making sure inboxes are as safe as they can be. It’s worth your time to research the security histories of apps and service vendors you do business with, especially if your sensitive data will be shared with them.
4. Create an internal culture of privacy within your team. Incorporate data privacy protocols into training and everyday workflows so that employees start to think along the lines of protecting data privacy by default, and the common understanding becomes “this is standard practice.”
5. Minimize data collection and retention. If you don’t strictly need it, don’t collect it. And only keep it as long as you need it – “forever” isn’t a good answer.
6. Protect the data you do collect by properly securing company databases, especially those with customer and visitor data. There are free resources on the internet to help you learn more (for example, OWASP), but if you don’t have the time or inclination, hire a consultant to help.
New policies are pointless if nobody follows them. Comprehension and accountability across the entire workforce will ensure that consumer privacy is a core value, not just a marketing slogan.
Mistakes are inevitable. An employee might share private data over a Slack channel, for example. These are learning opportunities for your team. Avoid using scare tactics, and thank employees when they come forward and report a mistake they’ve made. Foster a culture of privacy and hire employees who can be active, respectful contributors. The principle of least privilege will also help by minimizing who has access to what.
If an employee does intentionally abuse customer or visitor data (for example, steals it, sells it, or manipulates it), you may need to take stronger disciplinary action. Upon review, determine the intent and severity of the incident and work with HR on the best path forward, while ensuring the data is restored and customers are kept safe.
Transparency goes a long way
As you grow your business, you should have nothing to hide when it comes to your data practices. Nurture a transparent relationship with your customers and visitors so your success is built on a sturdy foundation of trust. Then continue to invest in that trust, just like you would with your product or workforce.
“When changes are made to business practices that affect privacy, that should remind someone to change the policy as needed,” says Olsson. “The thing to avoid is having what you do be at odds with what you say you do, when it comes to privacy and customer data.”
Don’t forget to prepare your customer support team for any privacy-related conversations with customers. This can involve a direct line to security specialists or a comprehensive reference guide on compliance and your company’s processes. This way, they can confidently answer questions or concerns so trust never takes a backseat to your company’s growth. You could even put together a data privacy FAQ or other resource on your website.
“Be the company that, even as a small business, has obviously thought about – and cares about – not just their customers’ business, but also their privacy,” says Olsson. “These different steps add up to a feeling of trust among your website visitors and potential customers. And visitors who feel you’re trustworthy are more likely to become customers.”
Protect your business, protect your customers
For today’s small businesses, collecting data is just part of the job. And any you collect, you’ll need to keep safe. Even customer information you collect and use ethically can be at risk if your company is breached. It’s crucial that employees know their role in protecting company information and, by extension, your customers.
Mindful online habits are the first line of defense, since most data breaches involve a human element like weak or reused passwords. A password manager like 1Password helps employees create strong, unique passwords for every account they use while keeping these passwords safe from unwanted access. Closing this security gap will minimize the chance of a cyber attack and, by extension, any leak of customer data.
It’s a scary time for customers, with data as a new currency of sorts and everyone out to get it. Be respectful. Be honest. Stay alert. Earn the trust of your customers, and it will only grow stronger over time.