How to Use & Share Customer Data without Damaging Trust

These five tips for protecting consumer privacy will ensure that your customers will stay customers for the long run.

Steve Shoaff, Chief Product Officer, Ping Identity

March 3, 2017

5 Min Read
Dark Reading logo in a gray background | Dark Reading

Consumer privacy is gearing up to make a big splash this year as people become increasingly annoyed with the way big data thefts at companies like Yahoo! are handled and regulators in Europe take aim at data sharing practices. The heightened scrutiny means companies around the world will have to shore up their security. They must be more responsible about their customer data use and sharing or they could risk damaging consumer trust, losing business, and even getting fined.

 More on Security Live at Interop ITX More on Security
Live at Interop ITX

The drumbeat of data breaches and privacy snafus has been growing for years, and along with it the level of public discontent, and even outrage. People weren’t happy after Yahoo! announced last September that 500 million accounts were affected in a breach that happened in 2014. That backlash turned into a flood after the company reported in December that an even earlier breach, from 2013, had compromised one billion accounts — the largest data theft in history. It’s impossible to quantify, but the news about Yahoo! users cancelling accounts reached a fever pitch. We saw something similar when Spotify changed its privacy policy in August 2015 to allow for access to customer contacts, photos and GPS locations and share some data with advertisers.

Today, customers are more concerned than ever about what online companies are doing with their personal data, whether it’s sharing it with a third party or improperly securing it. A global November 2016 KPMG survey found that 55% of respondents had at one point decided against buying online due to privacy concerns and fewer than 10 percent feel they have control over the way organizations handle and use their personal data. The top concerns were: unwanted marketing (59%), personally identifiable information (PII) sold to third parties (58%) and lack of secure systems (55%).

Against this backdrop, the European Commission is getting ready to strengthen consumer privacy regulations, and cover international personal data transfers, with the goal of reinforcing trust and security in the digital economy. The impact of these rulings and others including the General Data Protection Regulation (GDPR) extend beyond Europe because non-EU companies who deal with EU consumer data will have to meet these rules going forward, which will mean some serious soul searching for many online companies in the U.S. and elsewhere.

Regardless of the regulatory environment, companies should strive to maintain customer trust as a matter of course. Here are some tips for protecting consumer privacy and ensuring that customers stay customers for the long run.

  • Be transparent. Set the tone with customers early and be clear about your privacy policies and practices. Explain how you plan to share their data and provide a way for customers to easily set and change their privacy preferences. Present your privacy information using plain language and make sure it is easy to find on the website and in emails to customers.

  • Go beyond the regulations. A lot of companies will have privacy policies that adhere to regulations but don’t have strict data policies that satisfy customer needs. While regulations are evolving and becoming more stringent, there is plenty of room to define and implement policies that protect data across a wider range of potential threats and scenarios.

  • Put users in control. Today’s regulations require fine-grain data governance, while progressive policies will help in adapting to tomorrow’s regulations. Collecting customers’ digital identities and affiliated data requires robust and granular data management technologies and practices. It will only work if users can easily view and change their preferences about what types of information they want a company to have and what to keep private. Empowering users with opt in or out choices and administrator visibility into these preferences will help ensure they are being enforced.

  • Be careful with third parties. Companies are increasingly sharing data with third parties including advertisers, service providers or partners who provide adjunct services and products. Have data access policies in place that limit what can be shared according to criteria like vendor type, job function, geography and demographics as well as customer choices. For instance, if you’re sharing your database with a marketing firm that’s doing an email campaign, make sure they can’t access customer financial data and block access to the email addresses of customers who have opted out of emails. Some of the largest data breaches have been due to vulnerabilities in the partner ecosystem. Strong policies provide an extra layer of defense in the event of a breach or errors that violate privacy.

  • Use security best practices. Privacy and security go hand and hand; employing the strongest possible security methods is crucial. Don’t just encrypt at the endpoints, encrypt data end-to-end, where it’s stored, while it’s in transit and when it reaches its end-use point. LinkedIn learned this the hard way last year after attackers were able to steal and fairly easily decrypt data from 100 million members. Also apply security controls directly to the data so they’re enforced when data travels beyond your firewall in our distributed digital world of apps, channels and connected devices.

Everyone suffers when companies fail consumers by mishandling their data. That’s why the EU is moving even further in that direction. Trust can be difficult to gain but easy to lose. Without it, the very underpinnings of the internet and the future of online activity are threatened. Companies need to make customer privacy a priority, or risk losing those customers.

Related Content:

 

About the Author

Steve Shoaff

Chief Product Officer, Ping Identity

Steve joined Ping by way of the UnboundID acquisition, where he served as CEO and co-founder leading the company's business strategy, vision and execution. At Ping, as chief product officer, he'll continue and broaden that strategic and visionary direction. Steve previously held roles as technical director and chief of staff for the identity management product division at Sun Microsystems, and senior product manager of directory and security for Netscape Communications. He's an internationally recognized adviser on identity and security issues, and he co-founded the OpenDS and SLAMD open source projects for next-generation identity services. Steve has a BS in Computer Science from George Mason University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights