We live in an unprecedented digital age where our data is collected all the time. As automation and electronic systems increase, the amount of data we generate increases along with it. It is estimated that around 79 Zettabytes of data was generated in 2021 worldwide (one Zettabyte is equal to a billion Terabytes).

While a legal and regulatory framework governs how organisations and businesses can obtain, store, and use data, there are ethical considerations that need to be embedded into this framework. A failure to take a holistic and considered approach may lead to data breaches, hefty fines, reputational and brand damage, not to mention the scrutiny from the court of public opinion! It seems that consumers, clients, and the public at large expect a higher ethical standard over and above “black letter law”.

What does this mean for businesses and organisations with a Privacy Policy?

Often, clients come to lawyers seeking a Privacy Policy that is simply uploaded on to a website or is neatly tucked away in a drawer. For most businesses, a Privacy Policy is not a ‘living’ document that is operationalised, monitored, audited, and remediated. Rather, it is an afterthought that is tacked on to achieve compliance with the law and regulatory frameworks and is not embedded into the very fabric of the business or organisation itself.

Why does that matter?

Clients and consumers see businesses and organisations as the trusted custodians of their data and need to know that this data is valuable and will be treated as such. Data hygiene is important to end-users as data can easily be manipulated and lead to negative outcomes if it lands in the wrong hands.

Unless businesses and organisations plan for various scenarios and have a playbook for a data breach, they will not know how to handle one. Clients and consumers expect transparency and accountability when it comes to data processes. This includes the procedures that will be followed when things don’t go to plan, how that will be rectified, and what risk-mitigating steps will be taken to decrease the likelihood of it happening again.

What is the solution?

Most businesses and organisations have a vision and mission statement, as well as values that are set out to be the backbone and ethos of their operations. It may be helpful for businesses and organisations to consider similar mission statements with respect to data. This way, privacy and client expectations are embedded into the design of business systems and are operationalised, rather than being a privacy policy that is tucked away in someone’s drawer.

What should businesses and organisations consider?

Businesses and organisations can consider holding themselves to their values and mission statements by ensuring that their decisions and data handling processes are dictated by their values and vision.

Below are some helpful considerations that businesses and organisations can turn their minds to:

  1. What do we use client/end-user data for?
  2. Why is that data important to us?
  3. What is the legislative framework for our data collection and use?
  4. What is our baseline for data handling?
  5. Does our baseline data handling meet client/end-user expectations?
  6. How do we lift the baseline to an ethical standard?
  7. How do we internally govern privacy and data handling?
  8. How do we audit, monitor, and remediate our data handling?
  9. How do we operationalise our data handling principles?
  10. How do we ensure our Privacy Policy and the principles around our data handling processes are kept as a ‘living’ document?

The answers to these questions will vary from one business or organisation to the next. Processes and procedures will most likely need to be tailored to meet internal needs and external client expectations.