Meeting privacy regulations can be a daunting task. Especially when your organization manages disparate applications with different data sources, external partner apps and has other technical complexities.
Adding to this challenge, privacy regulations are diverse and dynamic. You may be required to adhere to a number of different and varying regulations, ranging from regional ones, like the EU's General Data Protection Regulation (GDPR), to industry regulations, like HIPAA, to those required by your organization.
And as if that isn't enough to tackle, you also have to meet your customers' expectations about their data security by developing user-friendly interfaces that provide them the control and insight they demand. You have a full plate to say the least.
Gaining a Unified View of Your Customers
To say that today's enterprises have a complicated infrastructure is an understatement. Just managing the data you've collected about your customers isn't easy, not to mention keeping track of which sources of data are being shared with whom.
The first step in meeting regulatory compliance is identifying a single location where you can confidently say "here's the information we have on our customers." A unified customer profile is the best way to achieve this. You create this unified profile by setting up a combination of bidirectional data synchronizations and migrations to move all your customer data into a single directory. We've cleaned up some pretty messy infrastructures using PingDirectory in that way.
Meeting Privacy Regulations
Once your have a source of truth about your customers, you can then evaluate how the data is shared to meet privacy regulations. You do this by governing access to your customer identity and profile data. You might think of data access governance as being like reverse access management. If access management manages a person's access to applications, then data access governance manages applications' access to people and their data.
To meet privacy regulations, you must to do these three things:
Collect and Enforce Customer Consent Customer consent is the foundation of meeting privacy regulations. Many regulations, such as GDPR, have numerous directives that require you to collect consent. That means collecting and storing attributes that indicate which applications, particularly external partner applications, customers have agreed to share their data with. And, of course, you must also enforce that consent.
Enforce Fine-grained Data Access Governance Beyond saying either "yes" or "no" to an application when it requests access to a customer profile, you should also be able to control access to specific attributes. Wouldn't it be easier to just prohibit partners from emailing your customers by not sharing their email address attribute? It's certainly more effective than asking them not to send emails if an "opt out" attribute is checked.
Create Centralized Policies Centralized policies should be able to apply the same data access governance rules to all applications. Meeting privacy regulations is nearly impossible when you're trying to enforce those rules on an app-by-app basis, particularly when the regulatory environment is in a constant state of flux. It's also risky in light of forthcoming regulations like GDPR (May of 2018) that carry hefty fines as high as €10m or 2% of global annual revenue.
There's a lot to consider when meeting privacy regulations, but it's critical to maintaining your customers' trust in your brand and avoiding hefty fines.
Meeting Customer Expectations
Not to add salt to the wound, but most of your customers aren't concerned with how hard it is for you to comply with GDPR or any other regulation. They only know whether they have a good or bad feeling about how you're protecting and utilizing their data.
Think about how you handle your personal relationships. There are no governing regulations to help you figure out who you can and can't trust. So you trust the people who demonstrate that they're trustworthy. You do that with customers by developing user-friendly interfaces that give them easy insight into and full control over their data.
There are a few things you can make sure to do to make customers feel comfortable that you're being a good steward of their data:
Ask for Permission to Share Data Customers should be able to decide who is exposed to their data by giving you (or not) their consent to share it. This consent should include allowing them to specify if you can share their entire profile or only specific attributes. Your consent questions should be in plain language and avoid legalese.
Let Customers See How You're Using Their Data Customers also need to see exactly who you're sharing data their data with. Months or years may have gone by since they gave consent, so you need to provide them with transparency into which of their their data you're sharing with partners, as well as what data you've collected about them. Some regulations even require providing access to behavioral data you've collected.
Allow Them to be Forgotten At the end of the day, the data isn't yours. Customers should be able to opt out, not only from sharing data with your partners, but from sharing their data with you. Making it clear that they have this option will help build their trust in your brand.
Allow them to Revoke Consent Just because a customer gave consent once, doesn't mean they'll feel that way forever. For any number of reasons, a customer may want to revoke consent they've given in the past, and you should allow them to do so.
Meeting both regulations and customer expectations are not only important aspects of privacy, but critical to your organization's future. Implementing these best practices will ensure that you avoid potentially hefty fines and remain a trustworthy partner to your customers.