Data Privacy resolutions to keep in 2023

A new year presents an opportunity for new beginnings. The tradition of new year’s resolutions typically revolves around breaking existing bad habits and cultivating good ones.

In the spirit of Data Privacy Week, we consider some privacy resolutions you can consider in your workplace and in your personal life.

Business

Bad habit to break: perpetuating the notion that “data protection is a blocker”

You may have colleagues that view data protection in this way. The chances are they see it as such because they have had an encounter where they have had to make changes to their work to improve the privacy controls. Sometimes, this is down to a lack of planning ahead.

Some of the key aspects of using people’s information in line with data protection legislation is that an organisation decides exactly what data they want, the reason(s) and the defined basis. They must then communicate this, along with other required privacy information, to the individuals it affects. Where privacy risks are not addressed early on in a project, or the data protection team is only involved shortly before launch, any delays are usually linked to them.

Ensure you get all relevant people involved and at the correct stages of project delivery to address privacy issues as early as possible.

Positive change: engage your data subjects

When carrying out a data protection impact assessment (DPIA), many organisations only work together with internal stakeholders and contracted third parties. They often do not seek the views and opinions of those that the processing directly affects, but they should. Not only can doing so strengthen your DPIA and foster trust, but their input could enrich the service or product.

Your organisation’s privacy information (for example, your privacy notice or extra material in a consent form) must be easily accessible for individuals and easy for them to understand. Doing so will comply with your transparency obligations and aligns with individuals’ right to stay informed. If you don’t already, involve your data subjects in user testing to get feedback on its effectiveness.

Personal

Bad habit to break: poor password hygiene

It’s nigh on impossible to remember a unique password for every account you hold. This often leads to many people using the same password (e.g., Password123) or a password with one character difference (e.g., Password123!). If a hacker (or someone you know) gains access to one account, they will often try the same credentials to gain access to your other accounts. This is known as credential stuffing. See our previous blog for best practice on password management.

Positive change: don’t just unsubscribe

Remember when you put those trainers in your basket, signed up to the company’s newsletter for 10% off, and then changed your mind and closed your browser? That shoe shop sending its daily reminders and marketing emails still hasn’t got the hint. If the messages (typically texts or emails) you receive are noise to you, you have rights under the UK GDPR and PECR (Privacy Electronic Communications Regulations) to control how organisations communicate with you and can exercise these rights when contacting the company. You should have control over:

• the topic of content – perhaps you are only interested in trainers, but they are contacting you about their children’s range;
• the frequency of communication – you might want to be told about their seasonal sales but not hear from them daily; and
• the continuation of the relationship – you are no longer interested in their products or services and want to them to remove your information from their systems completely.

Setting and achieving resolutions is a great way of ticking off activities and behaviours you intend to do or introduce to serve a higher purpose. Whether you are working towards bridging a known gap in your existing business practices or would like to explore which areas could be improved, our team of experts can support by conducting a comprehensive or focused Accountability Framework Assessment. Accountability is not about ticking boxes or jumping through bureaucratic hoops to reach compliance; it is an opportunity to show your customers, business partners and regulators that you are serious about minimising privacy risks.