There’s an emerging paradox in the corporate world. On the one hand, data improves efficiency, innovation and profits. And yet, the political environment in the U.S. and abroad is increasingly focused on privacy.
The potential uses of data are exploding. But so are regulations that will keep that data in check.
Case in point: Alphabet’s Google, which secretly collected health records, complete with names and dates of birth, of millions of patients of one of the largest health care systems in the country, according to The Wall Street Journal. In a blog post, Google defended its move by saying the agreement should help improve patient care.
Although Google and its partner, St. Louis-based Ascension, say the agreement complies with state and federal laws and protects patient privacy, a handful of alarmed legislators are demanding answers from the two organizations, Reuters reports. The U.S. Department of Health and Human Services is now investigating how the partnership complies with patient privacy laws, according to the agency’s director.
Corporate executives will need help navigating and balancing the interests and tensions between data and privacy. They need to ask critical questions to better manage data in the privacy age. All signs indicate that “the U.S. is going to move toward more-robust privacy practices,” says Kenneth Citarella, senior managing director for New York-based Guidepost Solutions, which handles security and compliance for companies across the globe.
For example, California businesses must comply with a new law in 2020 that gives consumers the right to see a record of all the data a company has on them and the right to delete it. They also have the right to opt out of the sale of their personal information. The law applies to all businesses that exceed $25 million in annual revenues, as well as to smaller businesses that buy, sell or share information on 50,000 or more consumers, or derive more than half their annual revenues from selling personal information. Other states or the federal government could adopt similar privacy protections.
“I think there will be more states that follow suit,” says Erin Whaley, a partner with Troutman Sanders in Richmond, Virginia. “It’s been more of a public focus.”
Regulations globally, such as the European Union’s General Data Protection Regulation, give individuals ownership of their data and deletion rights, Citarella says.
Citarella advises companies to meet the highest standard in their geographic territory, which is often the European Union’s GDPR. It might be tempting to be lax in a country like India, which has fewer privacy protections than Europe, but it’s a bad practice and could lead to liability problems later.
Whether it’s the EU or California, regulations can make it tough for companies to share their data with third-party vendors who can improve operations. For example, there are a lot of companies helping health care providers become more efficient. “But in order to do that, they have to get data to do that,” Whaley says.
Technology companies may make health care more efficient, but they don’t necessarily have experience with the industry’s strict privacy laws. Those third-party technology providers must comply with the Health Insurance Portability and Accountability Act of 1996, or HIPAA, she says. Problems may arise if the technology companies want to use the data for purposes other than providing care.
“Health care companies can’t monetize the data they have, like other unregulated industries can,” Whaley says.
She advises companies to carefully vet vendors and all contracts to ensure they meet legal requirements. She also recommends that companies have a clear philosophy on data protection, so they have a better idea of the standards that must be maintained when reviewing vendors.
Whaley says companies should prepare a data map so they know what data they have and who has access to it. Citarella says many companies own the information but don’t know exactly what they have or where it is.
A common practice for companies is to collect as much data as possible, whether or not there’s any specific use for it, because it might be useful down the road. “We’re not squirrels hoarding nuts,” Citarella says. “Any unnecessary data is risk without reward.”
He says a good practice for firms is to name a chief privacy officer to keep track of changing data rules. That person should have access to the company’s research and development staff as they develop products and services, he says.
In an age of increasing privacy protections, companies need to tell customers what they do with their personal information.
“When in doubt, disclose what you’re doing with the data and get individual consent,” Whaley says. “If you’ve told people what you’re doing with the data and [have] gotten permission, that’s going to go a long way.”
Here’s some advice from the experts:
- Hire a chief privacy officer if you don’t already have one, and make sure that person has access to conversations about new products and services.
- Create a data map and make sure you know what personal data you have and who has access to it.
- Make sure your company has a clear philosophy on data and privacy and use that to vet vendors, too.
- Comply with the highest privacy standard in your geographic territory, whether that’s the European Union’s GDPR or something else.