Data security and privacy regulations – What does it mean for you?

The Xfactor Collective research specialist Brenda Mainland provides a valuable set of questions that all organisations should be asking themselves, to ensure they are protected and protecting their stakeholders in a changing environment around privacy regulation.

Years ago, our mantra in research was “if in doubt, collect the data”. That meant not only an individual’s name, email address, phone number, organisation, but also things like age, gender, location, profession, and a whole heap of other things sometimes. Why did we do that? Our answer was always “just in case”. In case we needed it later, in case we wanted to use it for segmentation, in case… well… just in case. Not today however.

With increasing scrutiny on personal information, privacy and data security, and changes and strengthening of privacy regulations on the rise across the world, organisations are quite rightly becoming increasingly concerned about the burden of compliance. This is largely because Europe’s General Data Protection Regulation (GDPR) is now in effect. But it is also exacerbated by other new global privacy regulations that are modelled around GDPR, such as changes to laws in Australia and Japan, and the new California Consumers Privacy Act (CCPA).

“You should be considering the reputational damage and the associated risks should your organisation breach an individuals’ privacy.”

So to go back to our mantra, we now champion “data minimisation”. If you’re not going to use it for the specific objective or project you are contemplating, don’t collect it. The more information about a person you collect and hold, the more easily identifiable they are, and the greater the risk of exposure in the event of a data breach.

You may be thinking “so what?”. A lot of not-for-profit organisations are not required to comply with the Australian Privacy Act (1988), because most businesses with an annual turnover of less than $3 million are exempt. However, regardless of whether you have to comply, you should be considering the reputational damage and the associated risks should your organisation breach an individuals’ privacy. 

My business had to confront changing and strengthening privacy regulations recently when we acquired a European customer. We needed a complete rewrite of our privacy policy and terms of use and all the associated processes and procedures to comply with Europe’s GDPR.

And that got me thinking about what all the new and changing privacy regulations mean for the not-for-profit sector.

So to help you start to think about data and privacy, and based on my experience, here are some questions to ask yourself about data and your compliance with privacy regulations. I preface however, that I am not a lawyer, so your organisation needs to seek your own legal advice about collection, use and storage of information or data you collect from customers, subscribers, supporters, members, donors and other stakeholders.

Data storage

• Do you know where the data you collect is stored? This means which country the data is housed and/or backed up. For example, many free survey instruments that are in popular use store the data in the USA.
• Does your privacy policy specifically outline what you do with any personal information you collect and hold? Are you always collecting and storing the information you collect in accordance with your policy?
• What do the privacy policies of the third party organisations you use to collect information say about the use and storage of personal information? This extends to third party survey software, database and CRM vendors.

Personal information includes all of the usual things like name, address, phone number, email address etc, but can also extend to IP addresses. Having researched many survey software applications, I know that IP addresses are automatically and routinely collected in all survey instruments unless you specifically turn that function off.

Disclosure and de-identification

• When collecting data, particularly through survey instruments, do you provide sufficient information to participants about how you intend to use and store the information they provide?
• How long will you keep the data you collect?
• How do you de-identify any personal information you hold? At what point do you de-identify the data?
• Do you have processes in place for individuals to access and/or correct any personal information you hold about them?

The answers to all of these questions should be part of your operational procedures and policies, and data security and privacy should always be a standing item on your risk register and the board and executive meeting agendas.

About the author: Brenda Mainland is a specialist business member of The Xfactor Collective, who specialises in market research services that help to create the evidence that for-purpose and member organisations need to craft their strategies, services and advocacy efforts. 

Each week Pro Bono News and The Xfactor Collective present a Collective Insights column, answering common questions and challenges experienced by social changemakers. You are welcome to lodge questions for the column by emailing news@probonoaustralia.com.au

The Xfactor Collective is an Australian-first community where changemakers go for expert support and advice, including pre-vetted specialists across 100-plus areas of specialisation, specialist triage support services and a free video library.