Five steps to create a responsible data use policy

Xero responsible data use advisory council member Maribel Lopez outlines how to create a data use policy for your business.

Small- and medium-sized businesses (SMBs) face increasingly severe cybersecurity challenges, and one thing they often overlook is the role that data management and responsible data use play in meeting them. Although SMBs are gaining awareness of, and a sense of urgency about, security solutions for these challenges, many are still unfamiliar with responsible data use or lack a complete understanding of it.

Why should SMBs be thinking about responsible data use, and why does it matter? First, let’s start with a definition. The Responsible Data community defines it as a ‘concept outlining our collective duty to prioritize and respond to the ethical, legal, social and privacy-related challenges that come from using data’. Perhaps more simply, I’d say it’s defining criteria and policies for how you collect, retain, use and share data, especially personally identifiable information. It’s making sure you are taking proper care of the data that you gather within your business.

If you are an SMB owner, overlooking responsible data use can have severe consequences for your brand and your financial position. Misuse of personal information drives customers away and can do lasting damage to your business’s reputation. Your customers want to know that you are taking steps to protect their data from cyberattacks and misuse, and that you are honest and transparent about how you use it. A good example is cookie consent: users who accept cookies on a given website may be consenting to have their information shared with or sold to 15 or more third parties, so this is something SMBs need to make clear. Another component is regulatory compliance. Failing to adhere to government and industry regulations can lead to high fines. Case in point: the most serious breaches of the EU’s General Data Protection Regulation (GDPR) carry penalties of up to €20 million or 4% of a business’s worldwide annual turnover, whichever is higher.

Now that we understand the importance of responsible data use, let’s discuss five steps to help create a responsible data use (RDU) framework for your business.

1. Discovery: discover what kind of data you are collecting

Before creating an RDU policy, you need a firm understanding of what types of data you are collecting and if you are storing this data. For example, do you collect credit card or health data?

2. Classification: classify your data based on categories, including personally identifiable information

Once you have a comprehensive list of data types, you need to classify the data based on categories, such as personal customer and employee information, confidential company information, supplier’s confidential information, and general or non-proprietary information. One key area to define is what personally identifiable information (PII) the company collects. Examples of PII include date of birth, national identity number and email address.

3. Definition: define data use and retention properties

Based on the various data types, SMBs will need to define data use and retention properties for each, such as how long the data is stored, where it is stored and who can access it. Design policies that meet the local government and industry regulations that apply to you, such as the GDPR, the Health Insurance Portability and Accountability Act (HIPAA) in the US, and the Payment Card Industry Data Security Standard (PCI DSS) if you handle card data. Your policies should also set out principles for dealing with grey areas, such as the circumstances under which the firm will share private customer data with government and law enforcement agencies, and who must approve such a disclosure.

4. Privacy: design privacy policies that benefit you and your customers

Do you plan on sharing and/or selling this data? Do you have the user’s permission to share it? Can you anonymise data and aggregate multiple customers’ data in a way that is useful to your business or your partners while still protecting personal customer data? Bear in mind that pseudonymised data (for example, records where names are replaced by codes that you can still map back) is still personal data under the GDPR, so only genuinely anonymised data falls outside its scope. Also review the privacy statements of your cloud infrastructure and software service providers to ensure they meet the same standards. In some cases, you may use a cloud provider’s policies as a reference for designing your business’s own.

5. Security: institute security measures to protect sensitive data

Data security and data privacy go hand in hand. Without solid data security controls, your business risks losing sensitive data. SMBs should require multi-factor authentication on all accounts, and apply access control permissions so that staff can reach only the data their role needs. Additionally, where possible, encrypt data at rest on PCs and mobile devices (full-disk encryption on laptops and phones) and in transit (TLS for every connection that carries customer data), and keep backups that are themselves encrypted and tested. These technical measures are the foundation for protecting data throughout its lifecycle; the policies from the earlier steps tell you which data needs them most.
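The five steps above are easier to carry out when discovery, classification and retention checks are automated against your own data exports. The following is an added example, not code from the article or from Xero: a small Python script that scans constructed sample customer records for email addresses, dates of birth and payment card numbers (steps 1 and 2), flags fields held past an assumed retention period (step 3), and produces keyed pseudonyms for the aggregation case in step 4. The field names, category labels, retention periods and demo key are all assumptions for illustration, not values the article prescribes.

```python
"""Added example (not from the article or from Xero): PII discovery,
classification and retention checks over constructed sample records, plus
keyed pseudonymisation for aggregation.

Assumptions, all illustrative: the field names, the category labels, the
retention periods and the demo key."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample records, shaped like a small customer export.
SAMPLE_RECORDS = [
    {"id": 1, "email": "ada@example.com", "dob": "1990-04-12",
     "card": "4111 1111 1111 1111", "collected": "2019-01-15"},
    {"id": 2, "email": "ben@example.org", "dob": "",
     "card": "", "collected": "2024-06-01"},
    {"id": 3, "email": "not-an-email", "dob": "1985-12-30",
     "card": "1234 5678 9012 3456", "collected": "2020-03-20"},
]

# Date the audit is run on and a placeholder key; both are demo values.
AUDIT_DATE = date(2025, 1, 1)
DEMO_KEY = b"demo-key-not-for-production"  # in practice: from a secrets store

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")

# Assumed retention periods per category. An SMB sets these from the
# regulations that apply to it (GDPR, HIPAA, PCI DSS), not from this demo.
RETENTION = {
    "pii": timedelta(days=5 * 365),  # assumption: five years from collection
    "pci": timedelta(days=0),        # assumption: card numbers not retained at all
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so a 16-digit string is only classed as a card number
    when it passes the check that real primary account numbers satisfy."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(record: dict) -> dict:
    """Steps 1 and 2: discover which fields hold PII or card data and return
    the category of each such field, keyed by field name."""
    found = {}
    if EMAIL_RE.match(record.get("email", "")):
        found["email"] = "pii"
    if DOB_RE.match(record.get("dob", "")):
        found["dob"] = "pii"
    card = record.get("card", "")
    if CARD_RE.match(card) and luhn_ok(card):  # digits alone are not enough
        found["card"] = "pci"
    return found


def retention_violations(record: dict, today: date) -> list:
    """Step 3: fields held longer than their category's retention period,
    measured from the record's collection date."""
    collected = date.fromisoformat(record["collected"])
    return [field for field, category in classify(record).items()
            if today > collected + RETENTION[category]]


def pseudonymise(value: str, key: bytes) -> str:
    """Step 4: keyed pseudonym for aggregation across datasets. A plain hash
    of an email is reversible by guessing likely inputs, so an HMAC under a
    secret key is used; only the key holder can link pseudonyms to people."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def audit(records: list, today: date, key: bytes) -> list:
    """Run all checks over an export and return one summary row per record."""
    rows = []
    for r in records:
        cats = classify(r)
        rows.append({
            "id": r["id"],
            "categories": cats,
            "overdue": retention_violations(r, today),
            "pseudonym": pseudonymise(r["email"], key) if "email" in cats else None,
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS, AUDIT_DATE, DEMO_KEY):
        print(row)
```

Run it as-is and record 1 is reported with all three fields overdue (card data under a zero-day retention, email and date of birth past the assumed five years), record 3's card field is not classified because the digits fail the Luhn check, and the pseudonyms change entirely if the key changes, which is the property that lets you share aggregated data with a partner without handing them a reversible list of email hashes.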

The items listed above are just a few of the significant considerations you should be evaluating. Use these items as a starting point for building the team, policies and work practices to embed a responsible approach to data in all aspects of your business.