a NIST blog
Perhaps you’ve been hearing about data analytics, which is being promoted as a way for even small businesses to analyze communications with customers, enhance customer experience, save money, and ultimately improve their brand. However, data analytics can have big privacy implications.
You may think of managing privacy risk as protecting sensitive customer information, such as credit cards. As the Venn diagram to the right demonstrates, data security is certainly one aspect of privacy risk, but privacy risks can also arise by means unrelated to cybersecurity incidents. People can experience problems or adverse effects simply from the way organizations use data for business purposes. These “privacy events” can result in a range of problems from customer embarrassment if information is revealed that they didn’t anticipate, to more tangible harms, such as discrimination or economic loss.
Absolutely, if you’re conducting data analytics or relying on a service provider to do it for you. Data analytics may be useful for improving your business, but it relies on your customers’ data. Data analytics are powered by machine learning, which finds patterns within large quantities of data and reapplies them to make decisions on how best to create beneficial business results. With data analytics, customer data may be collected in multiple ways, such as tracking customers’ activity on your website or customer email interactions, directly asking customers for information during the course of doing business or through live chat and phone calls, or through feedback obtained from customer surveys. Data analytics can reveal sensitive information about people or even create issues of bias that lead to discriminatory differences, such as displaying advertisements based on stereotypical ideas about gender, race, or economic status. Whenever you interact with a customer, it is important to protect their privacy so that you do not lose their trust or business.
It depends. If you are unaware of what your service provider is handling for you, you should review your contract with them to verify that they are meeting your business’s privacy objectives. Communication with your service provider is key to success! Here are some helpful tips when working with your service provider(s):
The NIST Privacy Framework’s Learning Center has several resources that can help you get started. Have you ever felt frustrated reading a manufacturer’s long instruction manual? Think of the Getting Started with the NIST Privacy Framework: A Guide for Small and Medium Businesses Quick Start Guide as a “speed read” version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help you get started on tackling your business’s privacy concerns. The Quick Start Guide addresses some key issues to consider about what your business needs when identifying privacy risks, such as when doing data analytics. It is laid out in a “Ready, Set, Go” format, which makes it easy to approach developing or improving a privacy program.
The Learning Center also has helpful videos, ranging from a fun 4-minute animated video to a more in-depth webinar with a panel of experts using the Privacy Framework for regulatory compliance and risk management. There is a one-page summary of a Privacy Framework success story from Arlington County, VA, where you can learn how the Privacy Framework was used to improve Arlington County’s privacy practices. Lastly, the Resource Repository has mappings between the Privacy Framework and different laws and standards.
Privacy doesn’t have to be overwhelming! Using resources to help get you started, being aware of the privacy risks your business faces, and communicating with your service provider(s) are important first steps. Your customers will be grateful in the long run that you took care of their privacy.