Privacy issues concern your employees, your customers, and your company information. With the internet, social media, and now AI, maintaining privacy can be challenging. What types of information should be kept private? Which policies and actions should companies take to keep information about employees, customers, and the company private?
Consider the following actions:
Overview
Determine what you want or need to keep private (explained next), and then craft policies and procedures to put your wants and needs into effect.
- For employees. Employers are required by law to protect employees’ personal data, including their Social Security numbers, medical records, and financial information. Steps must be taken to protect this sensitive information, including:
  - Storage. Paper files should be stored in locked file cabinets. Digital files should be accessible only by specified personnel; encryption is advisable.
  - Access. Who on the staff can view employee information? The fewer the better.
- For customers. If you mine for personal information on your customers, be sure you are doing so legally and protecting the information. If you keep customer credit card information, be sure it is secure. Stripe has a quick guide to help businesses stay compliant when storing this information.
- For company information. Your business needs to protect not only information about employees and customers, but also about the company itself. For instance, certain intellectual property, such as trade secrets and price lists, needs protection. The way in which you protect employee information applies equally to company information. And consider:
  - Videoconferencing practices. Having remote workers or dealing with customers and vendors through this communication method can expose sensitive information. The FTC offers 10 privacy tips for businesses using videoconferencing. Tip #10 says it all: Establish preferred videoconferencing practices at your business.
Employees’ information
You may need employee health information for insurance purposes or OSHA claims, but the information must be kept private. Federal laws regarding privacy include:
- HIPAA’s Privacy Rule controls what a health care provider can share with an employer.
- The Americans with Disabilities Act (ADA) requires an employer to keep medical information about a disabled employee in a file that’s separate from a personnel file.
- The Genetic Information Nondiscrimination Act (GINA) requires any DNA information to be kept separate as well.
Customer information
You may collect personal data of customers for marketing purposes, and you may also store credit card information. There is no federal law on customer privacy for most businesses (there are laws for financial institutions). But following California’s Consumer Privacy Act in 2019, another 20 states have enacted privacy laws to protect customer data (Oklahoma’s law takes effect January 1, 2027). While the particulars vary from state to state, the laws generally provide consumers with the following rights:
- To know that the business is collecting personal data
- To be able to delete most personal data that’s been collected
- To opt out of having personal information shared
- To correct inaccurate personal information
It’s highly advisable for you to have a privacy policy for your site. You can use a free privacy policy generator to create one for your site if you don’t yet have one. Here’s the privacy policy for BigIdeasForSmallBusiness.com.
AI and privacy
Cybersecurity has been an issue for some time, and companies have—or should have—taken steps to guard their data. They’ve used firewalls, multifactor authentication for access, and more. But artificial intelligence (AI) poses another threat because companies are giving data to ChatGPT and other AI sites. For example, you may be uploading employee data with the desire to have AI suggest solutions to problems or you may be uploading price lists to get AI feedback on the impact of changes to pricing you are considering. What happens to this information? AI is collecting, using, storing, and potentially sharing your data. We’re now in the age of AI privacy.
An IBM article entitled “Exploring Privacy Issues in the Age of AI” is a real eye opener. It explains the many privacy risks that AI introduces. There are new things to learn about, such as data exfiltration, where bad actors steal sensitive information from AI applications. It’s a lot to absorb, but learning about the impact of AI on privacy is essential.
Final thought
The bottom line to privacy in light of AI is to fully understand your obligations to employees, customers, and your company so you can take the necessary actions for protection. With the pace at which AI adoption is accelerating, even in small businesses, this should be a priority. To drill down on data protection requirements for your business, DLA Piper has a comprehensive guide that you can download.
Note: Harvard Online has an entire course on data privacy (cost: $950) from June 10-July 15 and September 9 through October 14 (enrollment by June 4, 2026). The course examines the line between the benefits of gathering information for business growth and personal privacy, and more. While you probably won’t take the course, its existence shows the importance of the topic.