9 steps to prioritize privacy protection

Published on Jan 02, 2023


Cyber threats are a reality of doing business today. And when a business is the target of a cyberattack, both the business and its customers can be victims.

In addition to protecting your company’s own financial and trade information, it’s crucial to protect any customer data you keep in your systems. If a data breach exposes customer data, a business can suffer reputation damage, along with liability for financial damages to customers. You can reduce the risk of exposing sensitive customer data by taking the following nine steps.

Identify privacy drivers

If your company stores any customer data, you should have a clear privacy policy in writing that is available for customers to review. In the policy, you should specify what personal information you collect from your customers, how you collect the information, how you use it, and whether you will share it with any third parties. If you do share or sell customer information with third parties, your customers should have an easy, reliable way to opt out.

The first step to developing an effective privacy policy is to identify the drivers that have led to the decision to establish a formal privacy program. These might include the need to meet data protection compliance requirements, to avoid non-compliance sanctions and penalties, to meet requirements of business partners or board members, to establish a competitive differentiator, or to gain or maintain customer and employee trust.

Those responsible for building the privacy program must be able to clearly articulate the privacy drivers in order to obtain executive buy-in and employee compliance with the privacy actions established within the program.

Obtain executive buy-in

Use your privacy strategy to clearly articulate to executive management the need for the privacy program, as well as the need for their strong, visible support. If you do not have clear support from executive management, the chances for a successful privacy program may be much lower.

Privacy programs without strong executive support get little or no cooperation from the rest of the organization when it comes to complying with established privacy policies and following privacy procedures consistently. A proper privacy program is a key part of your business’s cybersecurity plan.

Conduct a privacy impact assessment (PIA)

Start by documenting where all personal data is collected, where it is stored, how it flows between systems and how it is used. With that inventory in hand you have a huge head start on performing a PIA. This stage provides the opportunity to determine more clearly where privacy vulnerabilities and problems exist throughout the company.

Collect only the data you need

Take a look at the types of data your company stores and think about whether you really need to keep all that information. Maybe you need customer names and contact information, but you probably don’t need birthdates and credit card numbers. By keeping your customers’ card numbers on file, you are putting your own business at risk: if you were the target of a cyberattack, you would be liable for the exposure of all that customer financial data. If you must accept card payments, let a payment processor hold the card number and return a token; keep at most the last four digits yourself.
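The following is an added example, not code from the article, of data minimization applied at the point where a record enters your system: each field is kept, reduced or dropped according to a retention policy, fields the policy does not list are dropped by default, and free-text fields are scanned for card numbers that staff may have pasted in. The field names, the retention rules and the sample record are constructed for this example; the card-number check is the standard Luhn checksum, so a random 16-digit string is not mistaken for a card number.

```python
import re

# Constructed retention policy (an assumption for this example): field -> how it is kept.
# "keep": store as-is; "last4": keep only the last four digits; "drop": never store.
# Any field not listed here is dropped as well, so new fields must be justified explicitly.
RETENTION_POLICY = {
    "name": "keep",
    "email": "keep",
    "phone": "keep",
    "birthdate": "drop",
    "card_number": "last4",
    "notes": "keep",
}

# 13 to 19 digits, optionally separated by spaces or dashes, starting and ending on a digit.
CARD_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card-number-like sequence in free text with a marker keeping the last four digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return "[REDACTED-PAN-" + digits[-4:] + "]"
        return m.group(0)   # not a card number (e.g. an order id); leave it alone
    return CARD_CANDIDATE.sub(repl, text)


def minimize_record(raw: dict) -> dict:
    """Apply RETENTION_POLICY to an incoming record: allowlist, reduce, drop, and scrub free text."""
    out = {}
    for name, value in raw.items():
        rule = RETENTION_POLICY.get(name)      # unknown fields get no rule and are dropped
        if rule is None or rule == "drop":
            continue
        if rule == "last4":
            digits = re.sub(r"\D", "", str(value))
            if digits:
                out[name + "_last4"] = digits[-4:]
            continue
        if isinstance(value, str):
            value = redact_pans(value)         # card numbers hidden in notes are not stored either
        out[name] = value
    return out


if __name__ == "__main__":
    # Constructed sample signup record with more data than the business needs.
    sample = {
        "name": "Ada",
        "email": "ada@example.com",
        "birthdate": "1990-01-01",
        "card_number": "4111 1111 1111 1111",
        "ssn": "123-45-6789",
        "notes": "cust said card 4111111111111111 declined",
    }
    print(minimize_record(sample))
```

The birthdate and the unlisted "ssn" field never reach storage, the card number is reduced to its last four digits, and the full number an agent typed into the notes is redacted before the record is written.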

Implement robust security controls

Create and maintain an internal security policy and make sure all employees follow the practices included in it. For example, apply least privilege: access to personal data is granted only to those who need it for their jobs and is denied by default. A “zero trust” approach complements this by verifying every request for that data (who is asking, from which device, for what purpose) rather than trusting a request simply because it comes from inside the corporate network.

Other security controls to consider include encrypting personal data at rest and in transit, multi-factor authentication, and strong, unique passwords. Do not mandate routine password changes: current guidance (NIST SP 800-63B) recommends changing a password only when there is evidence it has been compromised, because forced rotation pushes people toward weaker, predictable passwords.
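As an added example of the least-privilege, verify-every-request control described above (this is illustrative code, not from the article): each role is mapped to the customer fields its job needs, anything not listed is denied, every request must carry a verified identity and a fresh MFA result rather than relying on where it came from, and every decision is written to an audit log. The roles, field names, sample customer record and the `Request`/`Decision` types are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed role -> permitted-fields map, an assumption for this example. A field not
# listed for a role is denied: the default is no access, which is what least privilege means.
ROLE_FIELDS = {
    "support":   {"name", "email", "phone"},
    "billing":   {"name", "email", "card_last4"},
    "analytics": {"signup_month"},   # aggregated attribute only, no direct identifiers
}


@dataclass
class Request:
    subject: str          # authenticated user identity, checked on every request
    role: str
    mfa_verified: bool    # result of a fresh MFA challenge, not "came from the office LAN"
    fields: frozenset     # the customer fields the caller is asking for


@dataclass
class Decision:
    allowed: bool
    reason: str
    granted: frozenset = field(default_factory=frozenset)


# Every decision, allowed or denied, is recorded so access can be reviewed later.
AUDIT_LOG: list = []


def authorize(req: Request) -> Decision:
    """Verify the request itself first, then apply need-to-know for the role."""
    if not req.mfa_verified:
        decision = Decision(False, "mfa not verified")
    elif req.role not in ROLE_FIELDS:
        decision = Decision(False, f"unknown role {req.role!r}")
    else:
        denied = req.fields - ROLE_FIELDS[req.role]
        if denied:
            # Refuse the whole request instead of silently returning a subset, so a
            # caller asking for more than the job needs shows up in the audit log.
            decision = Decision(False, "fields not permitted for role: " + ", ".join(sorted(denied)))
        else:
            decision = Decision(True, "ok", frozenset(req.fields))
    AUDIT_LOG.append((req.subject, req.role, sorted(req.fields), decision.allowed, decision.reason))
    return decision


def read_customer(req: Request, record: dict) -> dict:
    """Return only the granted fields of a customer record; raise if the request is denied."""
    decision = authorize(req)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return {k: v for k, v in record.items() if k in decision.granted}


if __name__ == "__main__":
    # Constructed sample record.
    customer = {"name": "Ada", "email": "ada@example.com", "phone": "555-0100",
                "card_last4": "1111", "signup_month": "2022-11"}
    print(read_customer(Request("bob", "billing", True, frozenset({"name", "card_last4"})), customer))
    try:
        read_customer(Request("eve", "support", True, frozenset({"name", "card_last4"})), customer)
    except PermissionError as e:
        print("denied:", e)
    for entry in AUDIT_LOG:
        print(entry)
```

A support agent who asks for `card_last4` is refused outright and the attempt is logged, while the same request from a billing role succeeds; a request without a verified MFA result is refused regardless of role.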

Promote awareness among employees

Regularly train staff members on your company’s security policies and the threats to data privacy. That may include annual (or more frequent) online training on best practices when dealing with sensitive customer information. In addition, require employees to review and sign your internal security procedures document on an annual basis. 

Comply with all relevant privacy regulations

A number of data protection laws and regulations have been enacted in recent years. If you handle customer data, make sure you are compliant with any that pertain to your business. For example, the European Union’s General Data Protection Regulation (GDPR) is among the most stringent privacy and security laws in the world. Its rules apply to businesses that offer goods or services to, or monitor the behaviour of, people in the EU, regardless of where the business is based. If you have customers in the EU, you’ll have to make sure you’re complying with GDPR requirements.

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) from January 1, 2023, governs businesses that collect data from California residents. Other states, Virginia, Colorado, Connecticut and Utah among them, have passed similar laws, and more are expected to follow, so it’s important to stay updated on laws like CCPA and ensure that your privacy policies are in compliance.

Destroy customer data before recycling

If you have customer data on computer hard drives, flash drives, or paper copies, make sure you destroy it before recycling or disposing of the media. Throwing out hard copies of files that include customer information exposes you to risk, as thieves may raid the dumpster outside your office; cross-cut shred them instead. The same risk applies if you dispose of old computers, external hard drives or flash drives without sanitizing them first. Deleting files or reformatting a drive is not enough, because the data remains recoverable. Use a method suited to the media, as described in NIST SP 800-88: the drive’s built-in sanitize command (ATA Secure Erase or NVMe Sanitize), cryptographic erase by destroying the key of a fully encrypted drive, or physical destruction, and keep a record of what was sanitized and how.

Assess success

After developing a plan for privacy protection, monitor your organization’s progress to make sure the plan is operating sustainably. On a regular basis, review procedures to determine whether your goals are reached and establish new goals for necessary improvement. Also, make a plan for determining how to sustain your success.

Collecting and using customer data is, for many companies, an essential part of doing business. However, protecting that data and using it appropriately is just as important for avoiding the potential damage of a data breach. By taking these steps, you can greatly reduce the chance that customer information is exposed and limit the financial damage if a breach does occur.