As a small or medium-sized business, it's easy to overlook data privacy or see it as a burden. Doing so could be a big mistake thanks to a range of privacy laws that could lead to substantial fines for non-compliance.

As well as some specific measures for individual laws, you should follow some wider principles for good data practice.

We'll break down the laws and the common data privacy principles, then give you a 15-point checklist to make sure you cover all the bases.


Key Privacy Laws

Depending on your location and business, you could come under several different privacy laws, particularly if you do business online. These are the key points of some of the most common ones.

California Online Privacy Protection Act (CalOPPA)

CalOPPA is a California law that covers any operator of a commercial website or online service that collects "personally identifiable information" from consumers residing in California. It doesn't matter where the business is based.

Under CalOPPA you must publish a Privacy Policy that details:

  • What types of personal data you collect
  • Who you share data with
  • How users can check and correct the personal data you hold on them
  • How you will let users know when you change the Privacy Policy
  • How you respond to "Do Not Track" requests in web browsers

California Consumer Privacy Act (CCPA)

The CCPA applies if your business is run for profit, does business in California and meets any of three annual thresholds:

  • Revenue of more than $25 million
  • You buy, receive, sell or share the personal data of 50,000 or more Californian consumers, households or devices
  • 50% or more of your annual revenue comes from selling the personal data of Californians

Under the rules of the CCPA you must let customers know what types of data you collect about them and whether you disclose or sell this data. You must also have a Privacy Policy that details the types of data you've collected, sold and disclosed about any customer in the past 12 months.

The CCPA also says your Privacy Policy must tell people how they can ask what data you store about them and how to exercise their legal right to tell you not to sell their personal data. The latter point must be covered on a dedicated web page. Your website must link to this dedicated page with the words "Do Not Sell My Personal Information."

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law that covers any operator of a website or online service that collects personal data from children aged under 13. It applies if you have actual knowledge that you are collecting data from under-13s. It also applies if your website or service is "directed" (that is, aimed) at under-13s.

The key points are that you must get verified parental consent before collecting data about children under 13, you must tell parents what data you collect and how you use it and you must post a Privacy Policy that details your use of data about under-13s.

General Data Protection Regulation (GDPR)

The GDPR applies to any business that processes personal data if the business is established in the European Union, or if, wherever it is based, it offers goods or services to people in the EU or monitors their behaviour (tracking visitors to a website, for example).

Note: The GDPR will apply directly in the United Kingdom until the end of 2020. At that point the same measures will apply as part of UK domestic law unless and until the law is changed.

The GDPR requires a lawful basis for every use of personal data, which covers collecting, storing, using and passing it on. Consent is one of those bases (others include performing a contract with the person and a legitimate interest that doesn't override their rights), and where you rely on consent it must be meaningful and freely given. You must tell people the purpose for which you process the data and cannot reuse it for an unrelated purpose without a fresh lawful basis, which in practice usually means fresh consent.

You also need to facilitate user rights under the GDPR.

Individuals have the right to know what data you process about them, to correct any mistakes, and to ask you to delete data that is no longer relevant or necessary. You can explain how to exercise these rights in a GDPR-compliant Privacy Policy.

Personal Information Protection and Electronic Document Act (PIPEDA)

PIPEDA is a Canadian federal law that covers most private sector businesses in Canada. Activity conducted solely within Alberta, British Columbia or Quebec is exempt because those provinces have privacy laws recognized as substantially similar to PIPEDA.

Under the rules of PIPEDA you must inform individuals and get consent before collecting, using or disclosing personal information. You must say why you are collecting the data, only use it for this purpose, and retain it only as long as necessary.

You must also keep personal information secure, make sure it is accurate, and let individuals check what data you hold on them and correct it if necessary.

Privacy Law Self-Audit Steps

Organize Your Data

To properly control your data and comply with privacy laws, you need to know exactly what data you store and collect about people. The definition of "personal data" varies from law to law, but generally it is any information that specifically relates to an identifiable person.

This can include:

  • Names
  • Addresses
  • Contact details
  • Date of birth
  • Identification numbers
  • Demographic data
  • Internet activity
  • Purchase history
  • Information about employment, education or health

A good approach is to track and monitor the personal data you collect using the categories referred to by the CCPA. Even if you don't currently come under the CCPA, you may come under it in the future. It's also possible the CCPA will serve as a template for other state or federal privacy laws developed later on.

This Privacy Policy extract from Yotpo shows an effective way of covering both the types and specifics of personal data:

Yotpo Privacy Policy: Information we Collect clause

As well as knowing what data you collect, you should keep records of why you collected it and the purpose you gave for using it. You should also keep records of how long the data is needed for this purpose (or how you will know it is no longer needed).

The requirements for consent vary from law to law. As a rough guide, if you operate in the European Union or collect data from people aged under 13, you will need clear, affirmative consent in advance before collecting personal data. Even when it isn't a legal requirement, consent can be useful to avoid complaints or loss of trust among customers.

With the GDPR in particular, consent has to be meaningful and active. To be meaningful, consent has to be based on the customer getting clear and complete details of what data you collect and why and how you will use it.

The bar for what counts as active consent has risen, both with the introduction of the GDPR and with the rulings that have interpreted it since.

At one point consent could work on a "browsewrap" basis: you simply told the user that by continuing to use the site after seeing the notice they consented to the collection of their personal data. This is not valid under the GDPR, as it doesn't show clear intent. The user might not even have seen the notice.

This example from Credit Suisse, which isn't covered by the GDPR, shows the browsewrap approach:

Credit Suisse Cookie Consent notice browsewrap

Many websites switched to a clickwrap approach in which a user must actively click a button to say they'd read a Privacy Policy and given consent.

This example from De Nederlandsche Bank shows clickwrap:

De Nederlandsche Bank Cookie Consent notice with accept button - clickwrap

One limitation of this approach was that some sites used a pre-ticked checkbox. The Court of Justice of the European Union ruled in 2019 (the Planet49 case) that this isn't valid consent, as the user could have clicked through by accident or without reading what the checkbox related to.

Since the court ruling, the best approach is to use an unticked checkbox. This effectively means the user has to actively give consent (by ticking a checkbox) and then confirm the consent (by clicking a button).

This example from The Telegraph's Privacy Manager for cookie settings uses sliders set to off by default, which has the same effect as an unchecked checkbox:

The Telegraph Privacy Manager for cookie settings with toggles
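As an added example, not code from the article or from any of the sites pictured above, here is a small server-side consent store in JavaScript that enforces the rules just described: consent is recorded only when the user actively confirms, every purpose defaults to "no", consent given under an earlier version of the Privacy Policy is not reused, and withdrawing consent is as easy as giving it. The purpose names, the policy version string and the shape of the form submission are assumptions made for this example.

```javascript
// Added example, not code from the article or from any site pictured above.
// A small server-side consent store: consent is recorded only after an
// affirmative click, every purpose defaults to "no", consent tied to an older
// policy version is not reused, and withdrawal is as easy as giving consent.
// The purpose names, policy version and submission shape are assumptions.

const POLICY_VERSION = "2020-06"; // assumed; bump whenever the policy or purposes change

// Purposes the banner asks about, each rendered as an unticked box.
const PURPOSES = ["analytics", "marketing_email", "share_with_partners"];

function emptyRecord() {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = false;
  return { policyVersion: null, recordedAt: null, purposes, history: [] };
}

// `submission` mirrors what the banner posts back: `confirmed` is true only
// when the user clicked the confirm button, `ticked` maps purpose -> value of
// its box. HTML checkboxes post "on" when ticked and nothing when unticked, so
// absence, "off" or any other value is treated as "no".
function recordConsent(submission, now = new Date()) {
  if (!submission || submission.confirmed !== true) {
    // Scrolling, closing the banner or continuing to browse is not consent.
    return { ok: false, reason: "no affirmative action" };
  }
  const record = emptyRecord();
  const ticked = submission.ticked || {};
  for (const p of PURPOSES) {
    record.purposes[p] = ticked[p] === true || ticked[p] === "on";
  }
  record.policyVersion = POLICY_VERSION;
  record.recordedAt = now.toISOString();
  record.history.push({ at: record.recordedAt, event: "given", purposes: { ...record.purposes } });
  return { ok: true, record };
}

// Call this before every processing step that relies on consent.
function canProcess(record, purpose) {
  if (!record) return false;
  // Consent given under an earlier policy does not carry over: the purposes
  // or the notice the user read may have changed, so ask again.
  if (record.policyVersion !== POLICY_VERSION) return false;
  // A purpose the user was never asked about cannot have been consented to.
  if (!PURPOSES.includes(purpose)) return false;
  return record.purposes[purpose] === true;
}

// Withdrawal keeps the audit trail and returns a new record with the purpose off.
function withdrawConsent(record, purpose, now = new Date()) {
  return {
    ...record,
    purposes: { ...record.purposes, [purpose]: false },
    history: [...record.history, { at: now.toISOString(), event: "withdrawn", purpose }],
  };
}

// Constructed sample submission, as the banner would post it.
const sample = recordConsent({ confirmed: true, ticked: { analytics: "on" } });
console.log(JSON.stringify(sample.record, null, 2));
console.log("analytics allowed:", canProcess(sample.record, "analytics"));       // true
console.log("marketing allowed:", canProcess(sample.record, "marketing_email")); // false
```

Keeping the record per policy version is what lets you honour the "fresh consent for a new purpose" rule without guesswork: when you add a purpose or change the notice, bump the version and every existing record automatically stops authorizing processing until the user confirms again. The history array is the evidence you would produce if a regulator or the user asks when and to what they consented.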

Assess Your Level of Notice Given

A common feature of privacy laws is the need to give clear notice of what data you collect and how you use it. In most situations, a Privacy Policy is the best way to give this notice, though you'll need to use clear links or pop-up windows to make sure the user has a reasonable opportunity to read the policy.

Points about notice to cover in the Privacy Policy include:

  • What data you collect
  • How you use the data
  • Why you use the data

This example from Here explains how it uses the data it collects:

Here Privacy Policy: Why do we process personal data clause excerpt

You should also make sure that your Privacy Policy itself is easily accessible, easy to read and understand, and that it's thorough and accurate.

Facilitate User Access and Control of Data

Nearly all privacy laws give the customer the right to ask for a copy of the personal data you hold about them, which is why organization is so important. You'll need to include a notice on your site, for example in your Privacy Policy, telling people how to make this request. Normally the best solution is to have a designated person or department responsible for data handling who can receive and deal with such requests.

You should respond as quickly as possible to such requests. A good approach is to respond immediately to acknowledge the request and then respond in full when you have gathered the relevant information.

Privacy laws also commonly say the customer has the right to correct or update their personal information if it is inaccurate. Make sure your data management system can handle these corrections.

Some laws also allow a user to ask you to delete data, though the acceptable reasons to do so vary from law to law. You'll almost always need to delete the data if you no longer need it for the purpose you originally gave for collecting it. Again, make sure your data management system can handle deleting the data without causing technical problems.

This Privacy Policy extract from Crunch covers these points particularly concisely:

Crunch Privacy Policy: How to access and control your data clause

Disclose and Sell Data Legally

The rules for passing on data to third parties are usually tougher than for simply collecting and using it. Check the specific laws that apply to you, but the general principles are as follows:

  • You must always tell people if you pass the data on to other people. Your Privacy Policy should say who you pass it on to, why you pass it on, and how the third party will use it.
  • You will often have to get advance consent to sell personal data.
  • Customers usually have the right to tell you not to pass on the data to other people. You should tell users if exercising such an opt-out has any consequences, for example a reduced service.

This example from Experian covers these points well:

Experian Opt-Out Portal screen

If you are covered by the GDPR, you can only transfer personal data to a third party outside the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) in three circumstances:

  • The destination country has an "adequacy decision" from the European Commission, or
  • You put appropriate safeguards in place, such as the Commission's standard contractual clauses or approved binding corporate rules, or
  • One of the narrow derogations in Article 49 applies, such as the individual's explicit, informed consent to that specific transfer

Secure Data

Some privacy laws have additional clauses requiring you to properly secure data. This can entail many measures, but the key ones include:

  • Physical security, such as locking rooms that hold files or computers
  • Computer security, such as strong authentication (ideally multi-factor), encryption of data in transit and at rest, and prompt patching
  • Organizational security, such as only letting authorized staff access files, with different levels of access depending on role
  • Monitoring, meaning logging and alerting so you learn of a breach promptly. This matters because several laws set deadlines for notifying regulators or affected individuals once you become aware of a breach (the GDPR gives you 72 hours to report to the regulator)
  • Data integrity measures to reduce the risk of data being damaged, destroyed or lost, for example backups that you have tested restoring from

You can reassure customers by outlining your data security in a Privacy Policy. If you do so, for legal reasons it's vital that the details you give are accurate. If a customer is misled about the security you offer, it may bring their meaningful consent into question.

This example from Privacy International covers the measures it takes to protect personal data without creating unrealistic expectations:

Privacy International: How We Use and Protect Your Data - How Do We Protect Personal data clause

It's often an effective technique to balance convenience and security by having differing levels of protection and restriction depending on the sensitivity of different types of personal data. This is another example of why understanding exactly what data you hold is so important.

Self-Audit Summary Checklist

There's a lot to remember when it comes to complying with data privacy laws. Here's a checklist that will help make sure you've covered everything:

  1. Check which data privacy laws apply to you, taking into account your location and that of your customers.
  2. Make sure you know all the data you collect and hold about people, including data you collect directly and from other sources.
  3. List the types of personal data you hold. This will make it easier to write Privacy Policies.
  4. List the different ways you use personal data. This will make it easier to give correct and useful notice to customers. Check that it's legal to use data for each purpose.
  5. Make sure you have a process for identifying when you will no longer need data for the stated purpose.
  6. Keep track of the personal data you disclose to third parties, including the reasons for disclosure. This includes selling data.
  7. Get active consent before collecting data in the EU or from children under 13. Consider doing so for all data collection as this is good practice. Make sure the consent is informed and active. Don't rely on "browsewrap" or pre-ticked checkboxes.
  8. Get fresh consent if you want to use data for a different purpose to the one you gave when you collected it.
  9. Figure out the consequences of a customer refusing to provide, or consent to collection of, personal data. This will help you give customers a better chance to make an informed decision about consent.
  10. Have a Privacy Policy that covers the data you collect, how you use it, whether you disclose it to third parties, how people can check the data you hold about them, and how they can request you correct or delete it.
  11. Make sure the Privacy Policy is written in clear, everyday language. This is a legal requirement under some privacy laws and will reduce the risk of misunderstanding or legal dispute in all cases.
  12. Make sure you have procedures for dealing with data access requests promptly.
  13. Verify a person's identity before giving them a copy of their personal data.
  14. Check your data management system can handle corrections or deletions of data.
  15. Audit your data security procedures. Remember that security isn't just about unauthorized access to data. It also covers data integrity, meaning data isn't corrupted or lost without a backup.

Summary

Let's recap what you need to know and do to keep on track of the personal data you handle:

  • You may be covered by multiple privacy laws, particularly if you operate online.
  • If you collect personal data from California residents through a website or online service, CalOPPA says you must publish a Privacy Policy.
  • If you handle data from a lot of Californians, the CCPA says you must let customers know what types of data you collect, disclose and sell.
  • If you collect data about under-13s in the United States, COPPA says you must get parental consent first.
  • If you are established in the European Union, or offer goods or services to or monitor people there, the GDPR says you must have a lawful basis for processing personal data (consent, where you rely on it, must be meaningful) and use the data only for the purposes you stated.
  • If you operate in Canada, PIPEDA (or a substantially similar provincial law) says you must get meaningful consent before collecting, using or disclosing personal information.
  • You should keep track of any personal data you collect, use and disclose. Personal data is information that identifies or refers to a specific individual.
  • You can use categories to track the types of personal data you handle. The CCPA's designated categories are a good starting point.
  • You'll often need to get consent before collecting data. This needs to be informed and meaningful. You must be certain the person understood the consequences of consenting and did so intentionally.
  • A Privacy Policy is the best way to inform users what data you collect, how you use it, and other relevant information.
  • You should tell users how to ask for details of the personal data you hold about them, how to correct it, and whether they have the right to ask you to delete it.
  • Privacy laws often require you to secure personal data.
  • Review your data privacy procedures using our 15 point checklist.