This article is the second of a trilogy on privacy, a series by Irene Silberstein. It discusses the legal and commercial aspects of privacy and the ways to avoid the traps for small businesses.
I wrote this series for businesses with an online presence and websites' owners: small and medium companies, retail, expert, freelancer, creator, publisher, adviser, agencies, artist and many more.
While researching a cosy and friendly way to manage our users for our topical websites' portal, I came across a semantic(1) dissonance between the discourses and the reality.
Such dissonance easily lead to a cognitive dissonance(2) that makes us feel uncomfortable.
a- noun - The science of meaning (the sense carried by a word or expression)
b- adj - related to the meaning
In the field of psychology, what's called cognitive dissonance results from perceived contradictory information.
Average reading time: 20 minutes.
No time to read now? No problem.
Get access to our resources and freely download the article
Responsible of your clients' data
You bear the security, privacy, legal and commercial risks.
I distinguish between private and confidential data, and use
--private for personal data
--confidential for business data.
At i.S.k.i.v. Ltd, we care for both.
A word about confidentiality in a BtoB context: For a business, a project is confidential as long as it did not go public. Thus, it is not the project's nature but the circumstances that shall make it confidential. What risks and why?
What risks and why?
The more you request personal data, the more you have to store data in files.
File storage + breaches = a threat for you
Look. More and more breaches occur.
They occur mainly because enterprises store personal data in files: names and address, telephone, card numbers and more; and because they do not properly protect them.
With Facebook owner saying that privacy is a thing of the past, it shouldn't surprise us.
Frequently, breaches occur because companies subcontract tasks to unethical or incompetent providers or both.
From August 2020, an increased risk of fine
On July 16, 2020, at the initiative of Max Schrems, the Court of Justice of the European Union (CJEU) ruled that any cloud services hosted in the US are incapable to comply with the GDPR and EU privacy laws.
Indeed, after the CJEU ruling, this EU-US Privacy Shield framework became invalidated due to significant divergences between EU and US privacy laws.
For any business that operates a website in the EU, EEA or one of the country, state or region having adopted a privacy regulation, or if you have traffic coming from visitors of these countries, states or regions, you are at risk of fine.
For instance, if you use Google analytics, Google owns the data, not you. So, you don't have the data to comply with the privacy regulations. To various extents, the same can apply to social networks.
From August 2020 an increased risk of compensation
As Max Schrems highlighted, "It’s clear Google and Facebook fall under US surveillance laws such as FISA 702"... Anyone still relying on Google Analytics or Facebook is now at risk of facing fines and damage compensations.
Another example, As of September 2021, EU privacy chief investigates the use of US cloud services. The bloc’s privacy watchdog scrutinizes Amazon and Microsoft cloud services' use by EU public sector bodies.
Warning: Apart from the risk of fine, a client can sue you for not respecting the privacy regulations. Privacy regulations are now mandatory for any business operating a website in the EU, EEA and now many other countries, states or regions or receiving traffic from visitors of these countries, states or regions.
Risk to commit a criminal offence
---Risk attached to ID control: In several countries, abiding to new rules for ID control might lead to a criminal offence.
A hidden commercial impact
A huge trend today is to encourage small businesses to adopt deadly practices:
- Defiance from customers and clients
- Using a subcontractor for tasks that must be done internally
- Protect from customers and clients contacts using robots.
Such practices not only expose privacy, but leave the business with an alarming lack of clients' information.
When I say clients' information, I don't talk about identity, date of birth or address.
NO, I am talking about
- How and why a client uses your service or product
- Did any incident occurred that could discourage your client of doing so
- -Is there any specific reason why your client stopped ordering
- Is there any specific reason why your client stopped ordering
- Why are long term clients staying with your business.
So what you need for business relates to USAGE, not to private data.
The deadly trend today is to scrutinize your potential or existing clients while recruiting providers confidently relying on their market brilliance.
This is a main dissonance and semantic shift that progressively induced wrong practices.
Audit your real business needs
Compensate the commercial impact
To fulfil your business needs and stick with your interests
You need to
- Scrutinize your potential or existing providers
- but recruit clients confidently relying on their choice and questioning the reason they choose you.
To safely onboard clients, you shall better have a human controlled onboarding procedure(3) than a robot's controlled one.
I will soon launch a series on commercial and sales practices for the SMBs
Do you see now why I point out a main dissonance?
Small businesses that will survive the current crisis are those who know or will learn quickly how to communicate with their environment and exchange with their clients, partners and providers.
The most well-known consultant firms acknowledge that the quality of your customer service will make the difference.
Cocoon the user
Put the user-friendliness first, design, optimize and test for the visitors and clients. Act for your visitors and clients. They are the ones that make your business. Do not rely on search engines. Take control yourself.
Vital website's criteria
If you communicate through a website, make it simple, easy, cosy, speedy both for you and for your client. Put the user-friendliness first, design, optimize and test for the visitors and clients. This is why website performance is of primary importance.
Take into account the practical easiness on your side to decrease time-consumption on each order. This accounts similarly for a one man team, ten people or a larger team. Have a detailed look at the data needed.
When delivering a service
For every piece of information collected by your company, ask yourself and your team
---Do we need this information to deliver our service?
---When you reply yes, the question is how and where do we store and protect the data collected?
---What do we do with it?
Do we need personal data?
Indeed, with some exceptions, those who deliver services, expertise, software or saas do not need any personal data from their clients to onboard them and deliver the service.
Sure they would need to learn about the use and interest of the service. On the contrary, personal data are useless.
Moreover, the more data we collect, the more complex and expensive their processing becomes. The more time it requires.
This did not appear to me when I began my research.
But considering cases and researching simple solutions for our company,
I came to question our need for 'personal data' and associated files.
Certainly, no need to maintain a file to store data that the business does not need.
We will see in the next part that this finding is crucial: Because it ends up on a wealth of possible solutions, dead simple to implement.
Of course, we at i.S.k.i.v. Ltd always cared for private and confidential data and continue to do so. With many others I consider privacy and confidentiality protection as vital practices.
The best solutions?
When I began researching the best login solution for our clients, as others I began thinking, and experimenting with SSO (for single sign on) and of course, I ended up researching identity providers.
It was only when I began setting up the forms that the truth exploded : we are not concerned with "identity" and have never been.
This is how it started by a quick audit of our own situation,
Questioning the needs when selling services.
If Selling Services
What are the needs really?
Do we need any personal data at all? NO, not at all, not even a full name, an username is OK.
Just an email address to share a two-way communication.
And when we collaborate to anything that will go public one day, maybe the client wants to keep a backup of the preliminary versions but we no longer work with the project, so we have no reason to keep the files.
Our situation has nothing special, we collaborate to websites, catalogues, virtual events, creative marketing campaigns, promotion strategies, information research, traffic triggers and more. Our situation is common to many consultants.
We ended up with a distinct solution. Nevertheless, for the convenience of the customer, we keep the single sign on process. What I point out however is that SSO does not imply ID control.
This means that we can use SSO for user-friendliness - a single access to multiple websites for instance; but at least in our case identity is out of scope.
Is a physical product that different?
Do the seller really need personal data for its own use?
Certainly no. Only the carrier or the post office needs the name and address and perhaps a telephone to render the delivery service.
If the seller does not know these personal data, and only the buyer passes the data to the carrier, and the seller doesn't log them, then only the carrier or the post office would keep them as a proof of their own service.
In case of a law enforcement investigation, this would suffice and the seller would be discharged of any responsibility.
Questioning the real need for data helps reduce unnecessary data and unnecessary storage: the less data you manage, the lower the risks.
Let's now investigate other ways to eliminate the risks.
How to avoid the traps?
Do not skip the due diligence When selecting tools or contractors for your business
1. Understand the functions and the data you require
Audit your case. Minimize the data, both your data and your client's data.
2. Identify your legal obligations
In the EU and the UK there is a unique distinction:
---With less than 250 employees there is no recording obligation by the GDPR
Privacy regulations only target "personal data"
The definition of "personal information" can reduce to:
---Any data that permits alone, or with other data, to identify an individual.
An email address can possibly escape that definition. However, if the email address contains the first and last name of the person, it becomes a personal data. you can However encourage your users to use an email addresses anonymizer.
If you employ less than 250 people and store only email addresses, in the EU and UK, you don't need a data protection officer. But you can designate one, if you like.
In the UK, you can find out if you need to pay a protection fee via the quick assessment the ICO website offers:
In France the CNIL no longer manages any privacy register and leaves the task to... the European Union !
Identify your potential weaknesses
1. Consider cookies
Due to the abuse of tracking, cookies became a nightmare for the visitor(4) and for the client.
Online activities imply both visitors and clients.
Why discourage them?
At iSkiv, we never used cookies. Not for privacy reasons, but because I found the technology difficult to efficiently manage and not performance-friendly.
No cookie, no tracking, no consent needed.
Simpler, isn't it?
Soon launching a series on cookies
2. Absence of due diligence on providers
How to select a provider and what to consider?
Which criteria and sources to use?
Steps to eliminate the risks
--For customer privacy, data security, confidentiality, and reliability.
- Keep private | confidential data only if you permanently need them for business
- If you store data, wisely choose you storage solution and location
You'll find some insights in the last article of this series, the toolbox.
- Carefully consider in which country are your clients located.
- Be cautious when selecting a subcontractor:
- Only entrust business to subcontractors you know
- Investigate their chart of ethics
- Don't use a subcontractor outside your country or area
- If you sell to clients in other areas, enquire on how to comply locally
- You can make use of some sources' documents and reports to engage in your compliance investigation
- Consider in-house processing where data security and ownership are at stake.
In the next article of this series, you will find a tool that provides you with up-to-date templates to implement privacy, cookie consent, and terms.
A simple private solution: Zero-knowledge
A strict zero-knowledge approach is both an excellent privacy protection for the customer's data and an easy and secure solution at the seller end.
To make it clear: we are NOT talking about zero-knowledge proof or zero-based proof nor zero-based privacy, which are cryptographic methods involving a third party - the verifier.
I must credit a few companies for their zero-knowledge privacy approach: Spiredoak (USA) in the storage area, Ivpn (Gibraltar) for their VPN application and Tutanota (Germany) for their email applications, Securesafe (Switzerland) for their collaboration system.
Zero-knowledge in this understanding means zero-knowledge for the seller and zero-knowledge for the seller's application. Here, we use the words Zero-Knowledge in their common sense.
Indeed, our solution relies on meaning, not on mathematics.
This is because 'identity' and 'character' are of different nature
and correspond to distinct angles.
Another difference is that understanding usage has nothing to do with tracking, but is helps for marketing.
Our protection results from the absence of user's personal data in a file, because user's personal data are useless to understand usages or collaborate.
Secure technologies can help protect privacy, but they aren't the goal.
Security goes hand to hand with privacy and reliability.
Certainly, for security, zero-knowledge is better than hosting in a country with good privacy protection laws. Why?
Law can change. and few countries manage to retain power... The EU considers forbidding encryption...
Contract with privacy-aware contractors
It is the best guarantee for you because they care for your data and your client's data.
Avoid using technical means you don't control
Means brought to you by a subcontractor
who could suddenly stop serving your business because they dislike your behaviour, your clients or what they say;
Or unethical technical means that enable a leak or the transfer of ownership of your customers' data:
- market place, payment, delivery, marketing or communication
- infrastructure, advertising system, chatbots, help desk, etc.
- "free" social networks of which you and your clients are the product
- analytics or other modules
Avoid trackers and their cohort of weaknesses
If you fear that removing trackers will limit your ability to earn money from your content, you are the prey of an improper reasoning.
We will see that new concepts and technologies for content monetization already exist. The technologies only need slightly more testing.
A number of developers and service providers found their way to success with creative applications that demonstrate their unique talent and know-how. They provide excellent examples and test beds for winning use cases.
I am currently testing two new directions for intelligent and ethical monetization and advertising. Besides, I am testing promising creative products and services.
Follow these general rules
If you want privacy and ethics in digital,
if you want to own your data,
if you don't want to be the product,
if you don't want to expose your customers' data,
prepare yourself to pay something, even very few, for the service.
Fointiat V, Girandola F. & Gosling P, La dissonance cognitive : quand les actes changent les idées (Cognitive dissonance: When acts modify ideas), Paris, Armand Colin, 2013, 239 p. (OCLC 862924218)
Gawronski B. & Strack F. (Eds.) (2012) Cognitive consistency: A fundamental principle in social cognition. New York: Guilford Press
About the author
Information specialist and web pioneer, Irene offers an extensive experience in information strategy, research and analysis. She manages iSkiv Ltd, a UK limited company, to learn more, see Irene Silberstein