EXECUTIVE SUMMARY:

Data is the new gold. Nearly everyone has clicked ‘accept’ on cookie tracking pop-ups without reading the fine print. In fact, it’s almost become second nature. But employees and consumers have many questions. Where does the data go, who controls it, what are the implications, and how will it be secured?

As a business stakeholder, you may know the answers to these questions. However, the average person is in the dark.

According to a 2022 Ipsos poll, fewer than 35% of Americans believe that companies place adequate safeguards around their data. The average consumer cares deeply about their digital footprint, yet remains unsure about information collection and storage practices.

This is why you need a data collection policy that’s easy to understand and readily available. In this article, get step-by-step insights into how to create one. Keep reading for data collection policy insights.

What are data collection policies?

Data collection policies are critical for any organization that collects, processes or stores data. Chances are that your organization already has some data collection policies in place. If your organization aggregates data using websites, apps or other digital means, your organization likely has a well-established privacy policy and a GDPR policy.

However, organizations are often behind when it comes to creating privacy policies around the collection of employee data. You may want to investigate how your organization currently stores employee data, and addresses employee handling of data. Consider including this information in welcome packets and/or employee handbooks – whatever would be most effective for your organization.

Creating a data collection policy

A data collection policy can be useful for internal and external reference purposes. Questions about data collection, use and storage are becoming increasingly frequent, and a data collection policy can help quickly address individual concerns. Ensure that your HR team knows where to find your data collection policy at a moment’s notice.

A central data collection policy is a single set of rules that can be referred to when implementing programs and when individuals inquire. Further, a data collection policy can help your organization better comply with data privacy legislation.

Data collection policy: Key points to cover

A data collection policy needs to include key insights into what data you store and how it is used. Points to cover include:

• How is data collected?
• What data is being collected?
• Why is this data being collected?
• What will the data be used for?
• Who will have access to the data?
• Where will the data be stored and for what length of time?
• Can consumers request removal of data from the database?
• Will the data be confidential or anonymous?
• Will the data be shared with third parties?
• How will people be notified in the event of a security breach?
• How is your organization protecting employee data?
• How is the company ensuring compliance with privacy regulation?

In your data collection policy, use easy-to-read formatting. Explain precisely which data points are collected from job applications, employees, and customers. Be sure to detail why the data needs to be collected. Consider providing contact information in case of further questions, quandaries, or concerns.

Data collection policy creation – Who should be involved?

When developing a data collection policy, ensure that the right people are involved, making the policy more effective in the long-run. Invite the following parties to discussions:

The legal team

A key reason to create a data collection policy is in order to comply with legislation. Thus, it’s critical to consult your legal team for advice. Your general counsel will be able to assist you in creating a data collection policy or policies that fit your industry sector, meet business needs and that comply with relevant legislation.

The HR team

Ordinarily, HR oversees certain data collection processes involving employees and external job candidates. Have HR managers provide input into policy language. Draw on their knowledge about which data is currently collected, when, and why the data needs to be collected.

The C-Suite

Once you’ve drafted a data collection policy, obtain executive sign-off. Leaders across the organization need to understand what’s happening with data collection.

Employees

While most employees may not be involved in drafting the policy, they still need to agree to it. Request for your organization’s HR team to distribute a draft of the policy, and ensure that everyone is on-board. Create a means through which people can give consent. This could be a signature on a physical form, or a digital action that confirms that they’ve read and agreed to certain policies.

5 easy steps: Data collection policy development

1. First, determine the type of data collection policy needed. Gather relevant parties. Brainstorm goals and requirements. Questions to ask include:

• What type of data are we already collecting, if any?
• What types of data collection are we planning for?
• What legal requirements do we need to adhere to?
• Are there further human resources needed in order to create the policy?
• Do we need to provide employees with data culture awareness training?

2. Determine who will be involved in creating the data collection policy. As noted previously, the policy will likely be a joint-effort between the HR and legal teams, with C-Suite buy-in. In the end, the right combination of people to participate in policy development will be determined by your organization’s culture, industry, and needs.

3. Create a draft version of the data collection policy. Assign an individual (or a team) to create a draft of the policy. Attempt to address all contingencies. This includes future data collection needs that your organization might encounter. Attempt to be clear and detailed in your communication here.

You might consider including language noting that the data policy is subject to modification in the future. There may be circumstances in which you need to change it. In the event of changes, ensure that relevant parties receive notification and an opportunity to consent.

4. Review the policy. Send the draft of your policy to leadership for review. Ensure that you incorporate any related input or feedback. Consider sending leadership an updated, finalized draft. Then, read it over one more time to ensure that there are not any unexpected changes, omissions, or glaring errors.

5. Distribute the policy. When ready, distribute the data collection policy as needed. This includes sharing it with whomever may need to consent to it. You may wish to post it on your website, incorporate it into your terms and conditions, distribute it in an internal communication, and include it in an employee handbook. Ensure that you have a mechanism through which to ensure that everyone has read and agreed to the policy.

Further thoughts

A data collection policy is an essential component of creating a more data privacy-centric business culture. For more data privacy and security insights, see CyberTalk.org’s past coverage.

If your organization needs to strengthen its security strategy, be sure to attend Check Point’s upcoming CPX 360 event. Register now.

Lastly, to receive cutting-edge cyber security news, best practices and resources in your inbox each week, please sign up for the CyberTalk.org newsletter. 

The post A step-by-step guide: How to create a data collection policy appeared first on CyberTalk.

Private tech companies gather tremendous amounts of user data. These companies can afford to let you use social media platforms free of charge because it’s paid for by your data, attention, and time.

Big tech derives most of its profits by selling your attention to advertisers — a well-known business model. Various documentaries (like Netflix’s “The Social Dilemma”) have tried to get to the bottom of the complex algorithms that big tech companies employ to mine and analyze user data for the benefit of third-party advertisers.

What info can companies collect?

Tech companies benefit from personal info by being able to provide personalized ads. When you click “yes” at the end of a terms and conditions agreement found on some web pages, you might be allowing the companies to collect the following data:

• Personal data. This includes identity-related info like your name, gender, Social Security number, and device-related info like IP address, web browser cookies, and device IDs. Personal data is usually collected to classify users into different demographics based on certain parameters. This helps advertisers analyze what sections of the audience interact with their ads and what they can do to cater to their target audience.
• Usage data. Your interactions with a business’s website, text messages, emails, paid ads, and other online activities are recorded to build an accurate consumer profile. This consumer profile is used to determine and predict what kind of content (including ads) you’re more likely to interact with and for how long.
• Behavioral data. Purchase histories, repeated actions, time spent, movement, and navigation on the platform, and other types of qualitative data are covered under behavioral data. This helps platforms determine your “favorite” purchases or interactions so they can suggest other similar content/products.
• Attitudinal data. Companies measure brand and customer experiences using data on consumer satisfaction, product desirability, and purchase decisions. Marketing agencies use this data for direct consumer research and creative analysis.

For someone unfamiliar with privacy issues, it is important to understand the extent of big tech’s tracking and data collection. After these companies collect data, all this info can be supplied to third-party businesses or used to improve user experience.

The problem with this is that big tech has blurred the line between collecting customer data and violating user privacy in some cases. While tracking what content you interact with can be justified under the garb of personalizing the content you see, big tech platforms have been known to go too far. Prominent social networks like Facebook and LinkedIn have faced legal trouble for accessing personal user data like private messages and saved photos.

How do companies use the info you provide?

The info you provide helps build an accurate character profile and turns it into knowledge that gives actionable insights to businesses. Private data usage can be classified into three cases: selling it to data brokers, using it to improve marketing, or enhancing customer experience.

To sell your info to data brokers

Along with big data, another industry has seen rapid growth: data brokers. Data brokers buy, analyze, and package your data. Companies that collect large amounts of data on their users stand to profit from this service. Selling data to brokers is an important revenue stream for big tech companies.

Advertisers and businesses benefit from increased info on their consumers, creating a high demand for your info. The problem here is that companies like Facebook and Alphabet (Google’s parent company) have been known to mine massive amounts of user data for the sake of their advertisers.

To personalize marketing efforts

Marketing can be highly personalized thanks to the availability of large amounts of consumer data. Tracking your response to marketing campaigns can help businesses alter or improve certain aspects of their campaign to drive better results.

The problem is that most AI-based algorithms are incapable of assessing when they should stop collecting or using your info. After a point, users run the risk of being constantly subjected to intrusive ads and other unconsented marketing campaigns that pop up frequently.

To cater to the customer experience

Analyzing consumer behavior through reviews, feedback, and recommendations can help improve customer experience. Businesses have access to various facets of data that can be analyzed to show them how to meet consumer demands. This might help improve any part of a consumer’s interaction with the company, from designing special offers and discounts to improving customer relationships.

For most social media platforms, the goal is to curate a personalized feed that appeals to users and allows them to spend more time on the app. When left unmonitored, the powerful algorithms behind these social media platforms can repeatedly subject you to the same kind of content from different creators.

Which companies track the most info?

Here are the big tech companies that collect and mine the most user data.

• Google is the most avid big tech data miner currently on the internet because the search engine deals almost exclusively with user data. Google tracks and analyzes everything from your Gmail and calling history (for VoLTE calls) to your Chrome browsing preferences through third-party cookies.
• Meta’s Facebook collects phone numbers, personal messages, public comments, and metadata from all your photos and videos. Facebook primarily uses this data to fuel its demographic-based targeted ad mechanisms.
• Amazon has recently admitted to storing many user data points, including phone numbers, credit card info, usernames, passwords, and even Social Security numbers. Amazon also stores info about your search terms and previously bought products.
• X (Twitter).Platforms like X employ a “family of apps” technique to gather sensitive user data. While these platforms openly collect and mine user data themselves, they also collect info from app networks that include several other third-party apps. These apps choose to partner with tech giants for better profits.
• While much better than its competitors, Apple still mines a lot of user data. While Apple’s systems allow users to control their privacy settings, Apple gives all its users’ info to Apple’s iOS-based advertisement channels. The iPhone App Store is another place where user data is exclusively used to create customized user experiences.
• Microsoft primarily collects device-related data like system configurations, system capabilities, IP addresses, and port numbers. It also harvests your regular search and query data to customize your search options and make for a better user experience.

Discover how McAfee can help protect your identity online. 

Users need a comprehensive data privacy solution to tackle the rampant, large-scale data mining carried out by big tech platforms. While targeted advertisements and easily found items are beneficial, many of these companies collect and mine user data through several channels simultaneously, exploiting them in several ways.

It’s important to ensure your personal info is protected. Protection solutions like McAfee’s Personal Data Cleanup feature can help. It scours the web for traces of your personal info and helps remove it for your online privacy.

McAfee+ provides antivirus software for all your digital devices and a secure VPN connection to avoid exposure to malicious third parties while browsing the internet. Our Identity Monitoring and personal data removal solutions further remove gaps in your devices’ security systems.

With our data protection and custom guidance (complete with a protection score for each platform and tips to keep you safer), you can be sure that your internet identity is protected.

The post What Personal Data Do Companies Track? appeared first on McAfee Blog.