The privacy debate: The darker side of customer intimacy

Respect your data


Now that you know where you're going, you need to figure out how to get there. There are no hard-and-fast rules for ensuring privacy compliance, and the complexity of the task will obviously relate to how well you've structured your data environment in the past.

If you're a relatively small dot-com who's always used a single centralised database to store customer information, you may find life a lot easier than larger companies, who have years or decades of legacy information strewn across the country on paper, disks, filing cabinets and in countless departmental databases.

"Businesses still tend to make decisions based on strategy which is going to cover the entire business," says IT Factory sales and marketing manager Frank Cuiuli. "Each department chooses the applications that do what they want to do. Apps just start popping up, and the problem is most of those apps manage the same sort of customer information but there's no real strategy on how they can work forward. Larger and medium-sized companies would have many instances of customer data spread across marketing, sales, customer service, and so on."

Thanks to years of neglecting customer data, conforming with the new privacy requirements is going to require you to do a careful audit of the way you collect and store information about your customers.

Online, you're probably aggregating this information through strategies both overt (requesting contact details and preferences in order to customise content) and covert (using cookies to store user information, monitoring session times and URLs visited, and so on).

As data piles up, so too does your understanding of the best way to build your site, the best content to provide, what services customers want access to, and so on. But what happens to this data once it's come in through your company's front door?

Is it aggregated in a single database or is it owned by the department where it arrives? Is it confirmed for accuracy and corrected for consistency, or does it just go straight into the repository in whatever form it happens to be in? Is it distributed to employee desktops or taken with salespeople on the road? Remember that even a simple handheld organiser can contain sensitive customer information.

Even though you might have gone to great lengths to secure your Web site, these potential pressure points mean even the most conscientious company may encounter a few surprises when modelling the flow of information through their business.

Build a privacy SWAT team

To meet the December 21 deadline, you've got to assemble a team of people who know just where data goes within the company. If your company is small, this may only include one or two people. However, if you've got multiple departments and managers, make sure they're all involved in the project. If they're stonewalling, go to their supervisors; this is no time for office politics to obscure the larger imperative.

A multidisciplinary approach not only ensures the company's entire scope is considered, but avoids the ghettoising that might eliminate potentially useful points of view. It also helps spread responsibility across the company and avoids creating a situation where one person is seen to be responsible for a history of questionable data collection practices.

"We've found that this Act has, in a lot of cases, ended up within the legal groups in a business," says Gerard Florian, general manager for multi-service networks with systems integrator Dimension Data. "Effectively managing this means it definitely can't be IT only and it can't be legal only. As simple as this might sound, it's quite amazing how many companies still haven't been able to get together a committee that represents both the legal and technical parts of the business."

Engendering co-operation between business units will also be essential in providing adequate support for any last-minute technical changes that need to be made. At the most extreme, this might be the consolidation of various databases into a single data warehouse, although if you haven't already started something of this scope by now, you'll find it virtually impossible to plan, complete and test by December 21.

Your privacy team should also involve key business partners. Under the terms of the legislation you need to make sure that you're not sharing customer information with any other party that doesn't meet similar criteria. Demanding APSAC privacy certifications may be a good way of ensuring your partners measure up, and will be critical to protecting your own privacy credentials in the long term.
