The English phrase “need to know”, translated literally into Spanish, means “necesito saber” (“I need to know”). This phrase and, above all, the principle of need to know take on enormous relevance when collecting personal data. The principle is usually applied to the question of who will have access to data that has already been collected, which is extremely important. However, before that phase, when the data is not yet in your possession, I consider it important to apply it when requesting private information from users.
Data plays a very important role in commerce, especially in electronic commerce. This is because access to user data is, at the same time, access to the data of current and/or potential customers, which creates an economic interest in people’s private information. The more people submit their data, the more people the business owner can contact to offer products and services. All of this is logical, and it is acceptable, as long as you have people’s full and express consent for their information to be collected and used for these purposes. Consent is important because personal data cannot be thought of only as another resource for doing business; it must be recognized as a fundamental right. This is why it is also vital to guarantee people that the private information they have decided to share will be protected and that their rights over it will be respected.
This is where the first important application of the “need to know” principle comes in, since one way to protect users’ personal data is to request, collect and store only what the business needs to know. Does this business really need to know the marital status of the user? Does this business really need to know the user’s phone number? Their email? Full name? Residence address? Merchants should stop to think whether they would be unable to correctly provide the service and/or product offered to their customers without that information; if they can carry out their work correctly without knowing where the user lives, they should definitely not ask for it, much less demand it. Of course, if the person wants to share more information in order to subscribe to newsletters, text messages and the like, they can be given the option, but unnecessary data should never be required. Nor is it correct to offer, even as an option, fields for data that will never be used, as when a company does not send information by postal mail but still includes a residence address field. For this reason, it is important to apply the “need to know” principle when creating the form in which users share their data.
Finally, it is important to apply this principle when giving people access to personal data that users have shared and that has already been collected. Here you should think especially about the employees who manage the website, application, social network or other platform through which private information is collected and stored. The more people who can access the data, the greater the risk that it will be hacked, disclosed and disseminated without the consent of its owners. Is it really necessary for someone from the production area to have access to customer phone numbers? Is it really necessary for someone in the human resources area to have access to users’ email addresses? And where there are areas that should have access to personal data, such as the sales area and the marketing area, that access must be strictly limited to what they need to know. When generating and storing databases, it is ideal to apply the principle of “need to know” in order to provide the highest possible security to users.
In conclusion
Personal data is extremely valuable for both merchants and customers. If companies want access to private information that will give them greater business opportunities, it is important that they provide security to the people who share that information and guarantee that it is used correctly. The first step is to collect only what is necessary and never demand that the user provide more data than is essential. After this comes the distinction between who needs to have access to the collected data and who does not. If users can be guaranteed that their personal data will be treated responsibly from the moment it is shared, they will build trust in the company; and, above all, the company will be complying with international data protection standards, allowing the merchant to carry out their activities legally and professionally.