Missing protection: Corporate B2B privacy policies

When most IT execs hear the term “corporate privacy policy,” they think about what their company promises its consumer customers in policies such as those from LinkedIn, Uber and Evernote. But what about policies in contracts entered into with businesses that will handle data from or about your company? Those are rare, and that is a massive security hole.

Let’s start with the low-hanging fruit. Think about the various Android and iOS devices your employees use. The devices constantly monitor their users. And I mean constantly. It used to be that users could go private by entering airplane mode and making sure that Wi-Fi was deactivated.

At least on iOS — thanks, Apple! — no more. With a recent OS upgrade, my iPhone now reacts with a “Siri not available” whenever my phone is in airplane mode and off of Wi-Fi and I say the magic “Hey, Siri” phrase. That means that Siri, though unable to access its databases, is still listening, or it wouldn’t know to say that.

If you purchased your employees’ smartphones, did you include in the purchase agreement any privacy rules? Is your company willing to pass on devices that don’t comply? If enterprises across the U.S. started insisting on privacy limits, I’d put serious money on the prospect that we’d see changes quickly.

This issue extends beyond smartphones. There’s also the cloud. Do your contracts with cloud vendors include language limiting what they can do with the highly sensitive data they will be able to access?

Contrast that with the typical employment agreement, which these days is likely to require that all confidential material be protected unto the grave and five years beyond. Meanwhile, most B2B contracts do more to protect the confidentiality of the contract itself than the boatloads of sensitive data the contracting party is about to turn over.

This is critical because, with the FCC rolling back privacy protections under the Trump administration, companies are on their own when it comes to protecting their data confidentiality, to an extent greater than even a year ago. Some municipalities are establishing their own privacy rules, but their focus is squarely on protecting their consumer citizens, not businesses.

Then there are the privacy implications of dealing with companies in other countries. Before we delve into the privacy issues with companies that are based in other countries, don’t forget the basic data sovereignty issues with cloud companies that move their data — by which I mean your data — around from server farm to server farm in lots of different global locations. Every time the data shifts countries, the inherent protections (assuming that local government insists on any) change. That’s why your direct agreement with that cloud (or what have you) company must be explicit and international.

No company can ignore the European Union’s General Data Protection Regulation (GDPR) rules, which are slated to go into full effect next year. (I just did a fairly deep dive into GDPR implications.) Those rules may be focused on consumers, but they will immediately ripple into corporate data concerns as well.

By the way, GDPR will directly impact companies even if they have no customers or employees in EU countries. In short, GDPR will force you to be far more concerned about where your data is housed and the intimate details of how every partner of yours functions. The operations of very few Fortune 1000 companies don’t touch anyone with EU ties, even second-hand ties.

This is how GDPR will impact your B2B data privacy issues. It focuses on protecting data for consumers, but your employees are, in the eyes of the EU, consumers. It doesn’t matter if the data involved comes directly from employers.

GDPR will force you to handle your data in a more stringent and documented way. Your GDPR preparations are the perfect opportunity for you to redo all of supplier/contractor/distributor/cloud agreements. Put bluntly, use the cover of GDPR to better protect your corporate privacy.