What is data privacy?
Anyone who visits any website inevitably leaves a footprint: where they are accessing it from, what device they are using, the time of access, which pages they have visited and for how long. That is on top of the information users often volunteer by participating in online discussions, clicking like and share buttons, and so on.
Businesses that collect such data from users have an obligation not only to protect the data from being leaked or misused but also to ensure its use is limited to the ‘original purpose’ for which they received ‘explicit consent’ from the users.
In this blog, we argue that setting up and following sound data privacy practices is not only a legal requirement for online businesses but a fundamental ingredient of business growth and long-term survival. We will also talk about how the general principles of data privacy apply in the specific context of an online doctors platform.
But let’s begin with a primer on data security and recent developments in this area. Readers who are well-versed in the general concepts can skip to the next section.
A refresher: Data privacy and data security
It is common to mistake data privacy for data security, and the two terms are often used interchangeably in normal discourse. As per Wikipedia, data privacy is the field concerned with the relationship between the collection and dissemination of data [1]. It governs how data is collected, shared and used. Data security concerns the tools and technologies a company might use to achieve this goal.
Data privacy may appear to be a purely legal concept, but it is inextricably linked to the culture and politics of the country in which a business operates. These softer elements define the ‘expectations’ that users have of the business, and there is often a conflict between what is legal and what users consider ‘ethical’. In such a scenario, companies often comply with the law while their actions still fall short of meeting users’ expectations. This is classic short-term thinking at the expense of long-term survival and growth.
Let us now move away from the definition and consider how this area has evolved in the last few years.
Right from the early days of the internet, businesses realised that user data was a gold mine that could be monetised: for marketing, for advertising and, as the Facebook-Cambridge Analytica case [2] showed ominously, even to sway elections. Among the big social media players [3], a race began to build the most up-to-date repository of user profiles, and it is still going on. However, amassing mountains of data in central locations also attracts thieves who want to steal it and blackmail their victims to make a quick buck. It has left a string of embarrassing stories of data leaks.
In March 2019, 100 million customer accounts and credit card applications were stolen from Capital One bank. Five hundred million guest details were leaked from the hotel chain Marriott’s reservation system. 150 million users’ fitness information was stolen from Under Armour's app, MyFitnessPal, and became available for sale on the dark web in what is the biggest such case to date. [4]
Gradually, users have become aware of what has been going on behind the screens of their favourite social networks and the demand for privacy has increased. The saying, "If you're not paying for the product, you are the product", has finally become common knowledge.
Driven by consumers' demands, governments have also woken up and have started considering laws and regulations that control how data is collected and used. The GDPR [5] of the European Union is the most well-known. Here in India, a similarly powerful PDP Bill 2019 [6] has been put forward. The Government of India has also set up a cybercrime reporting portal for consumers to report crimes. [7]
Under these laws, the personal data of individuals that companies collect and process is only borrowed. Personally identifiable information (PII), financial data, location and contact details, medical history and political views have been classified as sensitive and private under such laws.
These privacy laws have given users some new rights. Users whose data lives with a company have the right to take back ownership of their data, often called the "right to be forgotten". To comply with the laws and to win back the trust of their users, companies must learn to be transparent about what they collect, who has access to this data and for what purposes.
What businesses are gradually realising is that all this cannot be an afterthought or a veneer put on top of current business practices. It has to be part of the fundamental structure of the business. Companies must rethink what they collect from their users, how their employees and vendors handle the collected data and how their clients use it. On top of the embarrassment faced earlier, data leaks are now becoming a criminal offence with applicable fines and punishments.
Data privacy: What does it mean for an online doctors platform?
Let us now return to the premise of how good data practices are not just a legal necessity, but a fundamental ingredient to building a sound online business. The success of an online business is often defined by the number of users who are its members and the frequency of their interaction. This in turn is driven by the “trust” that the business builds with its users.
Predictability and transparency in the collection and usage of data are key to building and sustaining this trust with users. Businesses that keep data privacy at the core of their values receive positive feedback and word-of-mouth from users, setting up a positive feedback cycle, while others face the risk of users quitting in large numbers once their lax policies are exposed. With laws still catching up with the pace of technology, we believe that companies face a greater business risk than legal risk when it comes to managing data responsibly.
A doctors platform involving multiple stakeholders such as doctors, advertisers and its own internal employees must proactively address this matter, all the more so because it has only a finite number of users to acquire (India has about 700k doctors), and its long-term value is driven by repeat usage from the same set of users over long periods of time.
At M3 India we consider data privacy a prism with 3 stakeholders: our doctor members, our employees and our clients. Through our privacy policy, we make a set of promises to our doctor members that their PII data will not be shared with anyone outside the company without their explicit consent.
On the other side, employees get access to data only on a need-to-know basis and with due training in security protocols, and clients have access only to data whose use has been consented to. More than being compliant with laws and regulations, this ultimately builds trust among all parties and allows the platform to work for all stakeholders.