by Larry Coker, Data Protection Officer
Privacy is often seen as a compliance function, a box to be ticked to show you are compliant, with no further thought given to it. However, the goal should be to make privacy an intrinsic part of any business.
Indulge me a few minutes to delve into this.
An Esports and iGaming company will capture data to meet its regulatory obligations as well as to help continue delivering a great service to its customers. There would be no point in capturing its customers’ shoe sizes, unless there were a tournament where footwear is being supplied, and even then, it would only require this data for the purpose of providing the correct size shoes. If it were to capture this type of data (without a need) for its millions of customers and store it indefinitely, this would be pointless and costly in terms of both IT and regulatory repercussions.
For any business to succeed, it needs to maximize revenue whilst keeping spending to a minimum. This is where many go wrong, as they look on functions such as privacy as an area they can afford to cut back on, doing the bare minimum to meet legal requirements. What they often misunderstand is that privacy regulations are not set to limit the ways you can use data, but in fact operate as a framework within which businesses can increase output through intentional use of data. Take the following principles of Data Privacy found in a fair number of regulations including the GDPR:
The intent of this is to limit the personal data you use to only what you need. The benefit of this includes thinking through exactly what data you need to meet your business objectives, as opposed to gathering as much as you can in the hope of finding a use for it down the line. It also reduces your IT infrastructure spend, as you require less storage space and less processing power for sifting through terabyte after terabyte.
The above also lends itself to retention of data: as you have defined what you require data for, you have a better understanding of when it no longer holds value, and can safely dispose of it, as opposed to retaining it indefinitely “just in case”.
By undertaking minimization, you should also have a better understanding of what type of data you hold, where it is held, and therefore be able to apply appropriate levels of security to the data.
Allow me to use an analogy to break this down even further:
When packing for a holiday, you think about the types of clothes that will work for the type of holiday and the climate of the destination. A winter coat would be pointless on a beach vacation, and likewise, shorts and T-shirts may not be useful on a skiing holiday. We put thought into what we pack to maximise luggage and wardrobe functionality, and to enjoy the holiday. The clothes represent the data you collect as a business, so it makes sense to put thought into where your business is going and how to maximise the “journey”.
The bottom line is that Data Privacy needs to be part of the core of business operations, and baked in by DESIGN, as opposed to an afterthought or tick-box exercise.