Consumer privacy is gearing up to make a big splash this year as people become increasingly annoyed with the way big data thefts at companies like Yahoo! are handled and regulators in Europe take aim at data sharing practices. The heightened scrutiny means companies around the world will have to shore up their security. They must be more responsible about their customer data use and sharing or they could risk damaging consumer trust, losing business, and even getting fined.
Today, customers are more concerned than ever about what online companies are doing with their personal data, whether it’s sharing it with a third party or improperly securing it. A global November 2016 KPMG survey found that 55% of respondents had at one point decided against buying online due to privacy concerns and fewer than 10 percent feel they have control over the way organizations handle and use their personal data. The top concerns were: unwanted marketing (59%), personally identifiable information (PII) sold to third parties (58%) and lack of secure systems (55%).
Against this backdrop, the European Commission is getting ready to strengthen consumer privacy regulations, and cover international personal data transfers, with the goal of reinforcing trust and security in the digital economy. The impact of these rulings and others including the General Data Protection Regulation (GDPR) extend beyond Europe because non-EU companies who deal with EU consumer data will have to meet these rules going forward, which will mean some serious soul searching for many online companies in the U.S. and elsewhere.
Regardless of the regulatory environment, companies should strive to maintain customer trust as a matter of course. Here are some tips for protecting consumer privacy and ensuring that customers stay customers for the long run.
- Be transparent. Set the tone with customers early and be clear about your privacy policies and practices. Explain how you plan to share their data and provide a way for customers to easily set and change their privacy preferences. Present your privacy information using plain language and make sure it is easy to find on the website and in emails to customers.
- Go beyond the regulations. A lot of companies will have privacy policies that adhere to regulations but don’t have strict data policies that satisfy customer needs. While regulations are evolving and becoming more stringent, there is plenty of room to define and implement policies that protect data across a wider range of potential threats and scenarios.
- Put users in control. Today’s regulations require fine-grain data governance, while progressive policies will help in adapting to tomorrow’s regulations. Collecting customers’ digital identities and affiliated data requires robust and granular data management technologies and practices. It will only work if users can easily view and change their preferences about what types of information they want a company to have and what to keep private. Empowering users with opt in or out choices and administrator visibility into these preferences will help ensure they are being enforced.
- Be careful with third parties. Companies are increasingly sharing data with third parties including advertisers, service providers or partners who provide adjunct services and products. Have data access policies in place that limit what can be shared according to criteria like vendor type, job function, geography and demographics as well as customer choices. For instance, if you’re sharing your database with a marketing firm that’s doing an email campaign, make sure they can’t access customer financial data and block access to the email addresses of customers who have opted out of emails. Some of the largest data breaches have been due to vulnerabilities in the partner ecosystem. Strong policies provide an extra layer of defense in the event of a breach or errors that violate privacy.
- Use security best practices. Privacy and security go hand and hand; employing the strongest possible security methods is crucial. Don’t just encrypt at the endpoints, encrypt data end-to-end, where it’s stored, while it’s in transit and when it reaches its end-use point. LinkedIn learned this the hard way last year after attackers were able to steal and fairly easily decrypt data from 100 million members. Also apply security controls directly to the data so they’re enforced when data travels beyond your firewall in our distributed digital world of apps, channels and connected devices.
Everyone suffers when companies fail consumers by mishandling their data. That’s why the EU is moving even further in that direction. Trust can be difficult to gain but easy to lose. Without it, the very underpinnings of the internet and the future of online activity are threatened. Companies need to make customer privacy a priority, or risk losing those customers.
- EU’s General Data Protection Regulation Is Law: Now What?
- National Security, Regulation, Identity Top Themes At Cloud Security Summit
- Why Identity Has Become A Top Concern For CSOs