In our data-driven world, customer data has become increasingly vital to businesses looking to keep up with rapidly-evolving customer expectations. However, many businesses have failed to appropriately safeguard customer data, leading to a growing epidemic of data theft. In 2018 there were more than 21 major data breaches by global enterprise companies affecting hundreds of millions of customers.
As such, it’s no surprise there is an increasing focus by governments on the importance of corporate data security. Different countries have different frameworks, in Canada there are PIPEDA and CASL, and GDPR in the EU. The provisions in these regulations vary, but there are some common themes:
- Companies need to obtain clear and informed consent before they are permitted to collect and use personal information
- Companies that collect and use customer information for business purposes must have well-defined policies on how employees are permitted to handle and utilize customer data, and how that must be stored
- Data collection methods must adhere to pertinent regulations
- Most often, companies are required to disclose when there has been a breach of customer data
While these regulations currently exist as an inconsistent patchwork, companies should only expect more consistent data-use regulations, and stronger penalties. But beyond mere compliance with the law, why should businesses care about protecting customer data?
Why you need to care about protecting customer data
- Actions speak louder than words: Taking measures now to protect customer data will ensure that if there is a future data breach, the damage to your brand will be mitigated.
- Even when data breaches are caused by 3rd party vendors, your customers will hold you accountable.
- Data use regulations are only going to be more stringent. It’s much better to take steps to be compliant with data-use regulations now, rather than further down the road when you might face much harsher penalties for failing to safeguard sensitive customer information.
- Data breaches come with a host of unanticipated
costs. Beyond the initial value of the lost data, beyond the cost of lost
business and lost customers, there are a variety of other expenses that
business often fail to consider, including:
- Additional staffing costs incurred by data breach response
- Marketing costs related to rehabilitating the brand
- Promotional costs to improve customer relations
- Hiring outside investigators and data security experts to ensure the breach doesn’t happen again.
So what should your company be doing to protect customer data?
1. Research new vendors thoroughly
Don’t let exciting business propositions tempt you into abandoning caution. Do your due diligence before giving third-party vendors access to your sensitive customer information. If a data breach happens as a result of bad practices by a (smaller) vendor, the onus is still on you because your customers trusted you to keep that information safe. This means doing background checks, getting references, and investigating what data-safety practices a potential vendor has in place.
It’s critical that after a contract is signed with a new vendor, you follow up to ensure they are keeping their promises to appropriately safeguard customer data. If a data breach occurs, your organization will still be on the hook legally if you fail to monitor safeguards to customer data on an ongoing basis.
2. Make a plan and practice different scenarios
Data breaches are like any other disaster: you can’t be appropriately prepared unless you take time to plan how you will respond in the event of a disaster. And just as with other types of disaster planning, your plan should be tested against different types of scenarios, so when unanticipated challenges arise, you can respond accordingly and be better prepared to handle an actual breach. It will also familiarize your team with what will be needed from them in the event of a data breach.
When creating your data breach response plan, remember to include both your Communications and IT departments. It will be important for your IT team to respond quickly, but it is equally important that you are able to communicate quickly, clearly, and transparently about your response to the situation. The exposure of sensitive personal information is stressful and anxiety-provoking, and being able to receive timely updates will help to alleviate customer concerns.
3. Do a data audit
For your plan to be effective, you’ll need to do a complete audit of your data collection practices, data storage, as well as an inventory of the data you have on file. What types of data do you collect? Where is it stored? And what protections do you have around that data?
4. If possible, enlist the help of data security consultants
Adopting a security mindset often involves changing the way we think about common customer interactions, which can reveal some blind spots. To objectively assess your strengths and weaknesses with regards to data security, it can be important to bring in a set of outside eyes. Hiring third-party consultants will help you evaluate and address areas of weakness to avoid issues that may arise in the future. Some consultants will be able to assist you in risk assessment and management, if desired.
5. Protect your data from internal and external threats
While hackers have been behind many of the large customer data breaches in the past few years, hackers aren’t the only threat to customer data that you need to guard against. It may also be possible for employees within your company to expose customer data in ways that make it vulnerable.
6. Create a security culture
One of the challenges of data security is that keeping customer information secure requires cooperation from everyone at all levels of the organization. Ensure that all employees are properly educated about the importance of data security and what appropriate data security measures look like for their positions.
7. Establish a data security officer
One of the paradoxes of data collection is that effective use of customer data can be a tremendous competitive advantage, but actually using customer data makes it more vulnerable to exposure. That’s not to say you shouldn’t collect and use customer data. Companies like Amazon and Netflix have become such market juggernauts because of the effective ways they use customer data to understand the market on a deeper level.
However, it’s important to understand that using collected customer data increases its risk for exposure, especially when data is transmitted from individual to individual, or within different parts of your organization. When making a data security plan, you need to examine every level of your organization as well as how information gets exchanged within your organization. You will also need to establish a role for a dedicated data security officer, whose sole job is to ensure data security and protection of customer data, while keeping up with security trends and technology developments.
Compliance is cheaper than the new fines
Of course, if all of this sounds like a lot of work, that’s because it is – which is probably why only 29% of companies are currently compliant with GDPR. However, as we’ll explore next time, penalties under the new legislation are much harsher than in the past, taking the time now to become GDPR-compliant will save your company massive fines in the future.