As a business, we now have the ability to collect vast amounts of customer data for use in making key business decisions such as ad targeting, product development, and website design. At the same time, clients are becoming more willing to share their data with vendors they trust. This is an ideal situation; however, with this bounty of rewards come inherent risks and responsibilities that must be taken into consideration. Every year, we seem to see more reports of cybercriminals breaching data repositories and stealing this valuable information. As marketing professionals, we must do everything in our power to protect it; the future of our businesses depends on it.
A customer’s willingness to share information can be attributed to a combination of brand loyalty and perceived regulatory compliance. According to HG.org, Data Protection Law specifically deals with the security of the electronic transmission of personal data. As of yet, the United States does not have any centralized, formal legislation at the federal level regarding this issue, but it does ensure the privacy and protection of data through the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act.
In Europe, the General Data Protection Regulation (GDPR) ensures formal accountability for businesses that fail in their duty to protect consumer data, and allows consumers greater control over how their data is shared and stored. In its July 2019 Asia Pacific Privacy Guide, Deloitte notes that in order to continue to compete in the global market and within the data frontier, the Asia Pacific region has seen rapid development in privacy laws and governance. Key trends include mandatory data breach notification laws, greater recognition of consumer rights and an alignment of regulations among countries throughout the region. With increased global data protections, businesses must make data security a priority, and as the face of the business, the marketing team plays a vital role not only in securing the data but in bearing the brunt should a breach occur.
As previously noted, consumers do place trust in reputable companies, but this confidence is quickly eroded when word of a data breach reaches them. Aside from the potential lawsuits and fines, the intangible costs such as a tarnished reputation and lost customers are often significant and can knock a business back several paces. Headlines will fill the internet, and customers will no longer buy from the company.
Even with simple cyberattacks that slow the loading time of your website, prospective customers will click on your link, only to get frustrated and click away again. Where do they go? Straight into the welcoming arms of your competitors. With this in mind, cybersecurity and data protection are critical for the overall health of business-consumer relationships. For marketing teams to protect client data, it’s first important to understand the type of data they’re collecting.
By definition, PII is any detail that distinguishes an individual from another. It has also expanded to cover information that is linked to an individual. Examples of PII collected by businesses include:
All of this information can either directly reveal the identity of an individual or be linked back to the individual. As you’ll notice, all of these details are unique to the person. We all have our own card numbers, address, phone number, Social Security number, and passport number. On the other hand, a piece of information isn’t considered PII on its own when it’s shared by numerous people. Examples include date of birth, race, religion, employment details, and location.
We’ve established that digital integrity is critical, so what works and what doesn’t?
After data is gathered from customers, most businesses implement a controlled access policy to restrict who can see the data. While this seems like a positive step, there are some problems with it. Namely, if the data is subsequently shared, either between departments or with a partner company, the restricted access policy becomes far less effective. Once you pass this data along, it’s almost impossible to control access.
Secondly, you may have heard of a process called ‘pseudonymization’. This is now required in the EU under GDPR. Here, the aim is to take personal data and replace it in such a way that additional information is required to identify a subject. This sounds secure, but what if two companies start sharing data? While the first business removes all PII, there is still a unique population record when gender, age range, zip code, and other data are combined, and the second company can then apply its own additional information to it. Even when two companies follow the current laws, the risk to consumers is still present.
Although they are a good start, controlled access policies and pseudonymization aren’t enough on their own. While the former never truly allows full access control, the latter can still cause security issues even with PII removed.
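The re-identification risk described above can be measured before any data is shared. The following is an added example (not from the original article): it pseudonymizes a constructed customer list by replacing direct PII with a keyed token, then counts how many records remain unique on the quasi-identifiers the article names (gender, age range, zip code); the records, the key and the helper names are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: direct identifiers plus the quasi-identifiers
# (gender, age range, zip code) that survive pseudonymization.
RECORDS = [
    {"name": "Ana Ruiz",  "email": "ana@example.com", "gender": "F", "age_range": "30-39", "zip": "94110"},
    {"name": "Ben Okoro", "email": "ben@example.com", "gender": "M", "age_range": "30-39", "zip": "94110"},
    {"name": "Cai Lin",   "email": "cai@example.com", "gender": "F", "age_range": "40-49", "zip": "94117"},
    {"name": "Dee Park",  "email": "dee@example.com", "gender": "F", "age_range": "30-39", "zip": "94117"},
    {"name": "Eli Rossi", "email": "eli@example.com", "gender": "M", "age_range": "30-39", "zip": "94117"},
    {"name": "Fay Adler", "email": "fay@example.com", "gender": "F", "age_range": "40-49", "zip": "94110"},
]
QUASI_IDS = ("gender", "age_range", "zip")


def pseudonymize(records, key: bytes):
    """Drop name/email and replace them with a keyed token. The key is the
    'additional information' needed to link a token back to a person, so it
    must stay with the data controller, not travel with the dataset."""
    out = []
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"token": token, **{q: r[q] for q in QUASI_IDS}})
    return out


def quasi_id_counts(records):
    """How many records share each (gender, age_range, zip) combination."""
    return Counter(tuple(r[q] for q in QUASI_IDS) for r in records)


def min_group_size(records):
    """k-anonymity of the dataset: the smallest group size. k == 1 means at
    least one person is unique on quasi-identifiers and can be singled out
    by anyone holding a second dataset with the same attributes."""
    return min(quasi_id_counts(records).values())


def generalize_zip(records, keep_digits=3):
    """Coarsen zip codes (e.g. 94110 -> 941**) so more people share each
    combination; one mitigation for singleton records."""
    return [{**r, "zip": r["zip"][:keep_digits] + "*" * (5 - keep_digits)} for r in records]


if __name__ == "__main__":
    shared = pseudonymize(RECORDS, b"constructed-demo-key")
    print("k before generalization:", min_group_size(shared))  # 1: every record is unique
    print("k after generalization: ", min_group_size(generalize_zip(shared)))  # 2
```

Here the pseudonymized export still has k = 1 (every customer is unique on gender, age range and zip), and only after coarsening the zip code does the smallest group reach 2.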
All in all, it seems a multi-faceted approach is required for a more holistic digital policy. All businesses should consider addressing each of the following areas:
As we collect huge amounts of data every day, we need somewhere safe to store all this information. Normally, it’s the stored data that hackers and cybercriminals target since this is a ready-made database. Before anything else, consider the information you currently hold and whether each data point is necessary. Do you need the purchase history of a customer from five years ago? Do you need an email address of a customer who hasn’t converted in the same period?
When it comes to data, hoarding isn’t the answer. If you haven’t used it recently, storing it will only cause security concerns for the business. Let’s imagine you suffered a breach; in this scenario, you should feel comfortable explaining the importance of each data point to the customer. If you would feel awkward explaining why you held certain data points, it’s time to delete them.
After deciding what to keep, you then need to think about how you store data. With strong systems ensuring only the most relevant data is stored, you keep the business secure and the customers happy.
Of course, the issue of storage becomes more difficult than necessary if you aren’t considering the collection process itself and the volume of data absorbed. These days, most businesses believe that they need as much information as possible. Even when buying a pair of trousers in a store, we’re asked to provide an email address, our pet’s name, and what we were doing in 2006. Although a slight exaggeration, you get the idea.
When it comes to collecting data, there’s a balance between risk and reward. At all times, we should experience a reasonable ROI on all collected data. If it becomes a burden, you’re collecting too much.
Even with the best digital policy, you need to be ready for a breach and have a system in place to deal with it promptly and efficiently. What happens when a breach occurs? Who is responsible for implementing the plan? How do you detect unusual activity? Which authorities need to know about the breach? How (and when) do you notify customers of the breach? These are just a few of the questions to answer; the best advice is to have a plan and revisit it often to incorporate ever-changing potential threats.
Naturally, we all want to follow the regulations, so this makes for another important consideration for marketing teams wanting to protect client data. Keeping current with Data Protection Law can be daunting. If you don’t feel comfortable meeting the regulatory requirements alone, don’t be afraid to contact a professional in this field. Paying a small fee for a professional is better than receiving a hefty fine (and losing reputation in the industry!).
Remember to continually reevaluate your digital security plan, allow it to evolve based on new internal and external risks, scale it as your business grows and data systems expand, and incorporate regulatory requirements so that your business can continue to thrive.