It isn’t surprising that as the web has made it easier to collect data, data laws have proliferated. Data is vulnerable to a plethora of risks, so having strong vulnerability management and compliance controls is crucial. Having detection and analysis controls allows companies to scope impact, isolate suspicious activities, and launch remediation campaigns to protect the company’s data assets. In this post, we’ll go over 5 privacy best practices that you need to include in your data collection projects in order to deliver high-value, successful MVPs without upsetting your partners in your company’s privacy and compliance office.
The following list is not comprehensive or in order, but it should provide a good baseline for your data collection project.
- Consent
- Protocol
- Compliance
- Privacy
- Security
Let’s dive into each practice to learn why you need to keep these in mind before, during, and after your data collection project.
Consent
In short, we cannot collect data about people in secret. We can only do it if we have explicit permission. Perhaps you have visited your favorite website recently and seen one of those fairly obtrusive pop-up cookie consent forms asking for your permission to track your activity on the website. That is a consent form. Although you should take your time to review what they are asking to track, most people tend to click “Accept” without realizing that they just gave permission to track their activity on the website and, in advanced cases, on other websites, for marketing and research purposes.
Protocol
In healthcare, before a clinical trial takes place, a protocol is designed. The protocol describes the objectives of the trial. The protocol is then reviewed by a specialized group of individuals ranging from healthcare professionals and research scientists to legal professionals. Yes, that’s right: legal. The goal of this form of peer review before a study occurs is to check various factors including, but not limited to, personal health information (PHI) and the access, disclosure, sharing, and use of PHI. PHI is governed and enforced at the US national level by HIPAA, but it’s the job of the local organization (e.g. hospital, clinic, university, etc.) to set policies (for its employees) that comply with HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA HITECH. Steep monetary fines are imposed on companies that are found to be in non-compliance.
Compliance
Generally, compliance has two levels. One is the federal level, and the second is the local organization level. Both levels will influence your data collection project. The federal level is the last you will face. The local organization level is the first you will encounter. Compliance is governed by the governance program. The governance program, depending on the company size, is steered by the data governance steering committee. Compliance can also involve international compliance if the company has a direct presence in foreign countries.
Privacy
Data privacy rules, standard operating procedures (SOPs), and compliance will be present throughout your data collection project. There isn’t a single process that is not touched by data privacy policies and regulations. These will govern how you share, use, and disclose data. They will also affect your collaborations with internal and external colleagues. The industry does not matter; even academic research is governed by strict data privacy policies and regulations.
Security
Security refers to the hardware and software IT infrastructure that protects a company’s assets. Assets will inevitably involve data, including the sensitive data from your data collection project. Security is an active factor in data collection projects where the IT is housed by the local company. There are cases where security is transferred to external companies, which may manage part or all of the data collection project on behalf of the local company.