Many small companies have lost customer trust or even been sued over privacy mishaps in recent years. And they're likely to face more problems as digital data files grow in size and importance to modern business.
You are legally, if not morally, obligated to treat your customers' private personal data respectfully and fairly. But protecting customer privacy need not be a drain on your company. Done wisely, it can create customer goodwill and even lift sales, while reducing business and legal risks.
1. Conduct a data privacy audit.
Step one is to understand what data your business needs, what data it's collecting and how data is being stored and secured. Consider also your legal obligations if you handle medical, financial or minors' data.
Businesses sometimes collect more data than they realize because they've used third-party software code that does so automatically or because a partner, such as an advertising network or analytics company, is pulling data.
Lack of attention to this data collection is what often sparks a crisis, says Jules Polonetsky, director of the Future of Privacy Forum, a Washington, D.C., think tank. But you can avoid trouble by making sure someone in your organization is responsible for data privacy, be it a full-fledged chief privacy officer or simply the marketing director.
"No one ends up knowing what is collected and kept from beginning to end unless someone is in charge of that," Polonetsky says. "Someone needs to be accountable."
2. Minimize data collection and retention.
What you don't have can't hurt you. Privacy advocates recommend that companies collect and store only data they need to deliver their product or service. Sometimes businesses gather extra information because they think they might want it in the future. But doing so increases risk. Data can be lost or stolen by hackers, and customers can mutiny if they feel you're asking unnecessarily intrusive questions.
3. Secure the data you keep.
Even if you don't take credit card numbers, other personal data you keep could be valuable to identity fraudsters. It's embarrassing, not to mention costly and damaging, to tell customers their personal information has been compromised in a hack. And such disclosure is often legally required. So be sure you have secured your network, databases and website.
5. Communicate with customers.
Privacy advocates and industry groups such as the Online Trust Alliance recommend direct and upfront communication with customers about data you collect and your plans for using it. That's especially important for small companies without recognized brands that people know and trust. Most consumers will happily supply personal data necessary for a service they want. For instance, Amazon.com keeps purchase data and uses it to deliver product recommendations that millions of customers embrace.
6. Give consumers a choice.
Recent research suggests customers expect settings and features that let them choose whether to share data, not sweet words about your respect for their privacy, Polonetsky says. They want to see signs that businesses are "serving" them, not "selling" them.
7. Provide a forum for complaints.
Give customers an online form or email address for communicating their privacy problems or concerns. And be sure to respond to their messages. Such two-way communication can help build trust and loyalty -- and help avoid potential privacy crises.
"Don't think you're too small to be noticed in this world of savvy critics," Polonetsky says. "One aggrieved customer on Twitter … can send the most minor complaint viral."