Continue Reading Below
Effective privacy policies are easier than you thinkA good policy isn’t complicated. “Respect for the customer needs to be first and foremost,” advises Marilyn Prosch, professor at Arizona State University’s W.P. Carey School of Business. For an overview, she suggests reviewing the 10 principles covered by the free Privacy Risk Assessment Tool offered by the American Institute of CPAs.But one size won’t fit all. The following steps can help you create a policy appropriate for your business:Categorize your data. Certain types of information are more sensitive than others. For instance, capturing info like buying habits or brand preferences is unlikely to raise many customer hackles. A user’s personal diet plan, on the other hand, needs discreet handling. And personal financial and health data require rigorous legal protection. So the strength of your practices should be dependent on the data you capture and store. Don’t forget archives of e-mail, texts and instant messages when making these assessments.Define the information you really need. Frequently, companies collect way more data than necessary, provoking customer resistance, data storage expenses and security headaches. Also, there’s no need to retain everything. When you no longer need information, dispose of it securely — and let your customers know that you do.Limit access to as-needed information. For example, workers who fulfill orders on the warehouse floor don’t need customer credit records to do their jobs.Establish easy ways to update records. Let customers know how they can change preferences or information easily. Procedures need not be elaborate. Many small businesses can simply ask customers to contact them with changes.Determine what’s legally necessary. Businesses of all sizes and in every industry increasingly must comply with an array of state and federal regulations, many of them industry-specific. While privacy regulations vary, most laws share such elements as identity verification, information access and audit-trail reporting. Major federal laws include the Health Insurance Portability and Accountability Act of 1996, which applies to health care organizations, and the Gramm-Leach-Bliley Act of 1999, which affects financial institutions. State requirements may differ.If regulations seem onerous, consider an online privacy service. For example, Neal Creighton, CEO of RatePoint, a Needham, Massachusetts-based social media service for businesses, says TRUSTe can manage data and compliance for about $500 a year, a move that could even bolster your reputation for privacy compliance.Appoint a serious watchdog. Put a senior manager in charge of monitoring practices. Why? A 2009 survey of nearly a thousand businesses by the Ponemon Institute, a privacy consultancy based in Tucson, Arizona, found that 69 percent of employees copied confidential information onto USB memory sticks, even though most company policies forbade it. More than half downloaded personal software onto company PCs. More than four out of 10 (43 percent) said they’d lost or misplaced portable devices that held sensitive company data. Effective policies need high-level oversight and policy enforcement.Invest in training. Employees and key independent contractors should be knowledgeable about your privacy practices. Don’t forget telecommuters and outside services, such as accounting, advertising and PR agencies. Set up regular training and monitoring checks, or perhaps a quarterly review. Arizona State University’s Prosch suggests affordable outside training seminars, such as those offered by the International Association of Privacy Professionals.In the end, if you set, communicate and enforce rigorous and clear privacy standards and, wherever possible, put customers in control of their personal data, you’ll likely be rewarded with more information and stronger customer relationships.Joanna L. Krotz writes about small-business marketing and management issues. She is the co-author of "Microsoft Small Business Kit" and runs Muse2Muse Productions, a New York City-based custom content provider.