Today is an important day. And it’ll keep gaining importance as the years go by. At the moment, data is the most valuable commodity on earth. And the game is afoot. Technological companies keep finding applications for this “new oil”. Governments all around the world are crafting laws to regulate the market. The public is slowly getting a grip on what this means and how their data is being used. Today is “International Data Privacy Day”.
But why is your data so valuable? Why does the General Data Protection Regulation matter? The law itself, says: “Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale to pursue their activities. Natural persons increasingly make personal information available publicly and globally.” That’s scary. And it probably doesn’t answer your questions; this whole article is needed to do so.
Let’s start by defining concepts.
The GDPR is arguably the most advanced and extensive set of rules regarding personal data to date. The European Parliament, the Council, and the Commission reached agreement on December 15th, 2015. It became operative worldwide since May 25th, 2018. It changed the Internet entirely since it’s responsible for those ubiquitous pop-ups that ask you for consent to use cookies on you.
But let’s not get ahead of ourselves, we should start with the basics. How does the European Commission define “personal data”?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together, can lead to identifying a particular person and constitute personal data.
They also say that if you encrypt it or process it, but it can still be linked to an individual, it remains personal. If you genuinely anonymise it irreversibly, it ceases to be so. Also, the technology used to collect said data is irrelevant, even information collected on paper falls under its jurisdiction:
The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means and non-automated processing if it is part of a structured filing system.
It’s also important to know that apart from altruistic motives, the GDPR aims to strengthen commerce’s infrastructure to flourish. The law itself says:
Technology has transformed both the economy and social life. It should further facilitate the free flow of personal data within the Union and transfer to third and international organisations while ensuring a high level of personal data protection.
And in the next section:
Those developments require a strong and more coherent data protection framework in the Union, backed by vigorous enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market.
Here are some real-life recent cases to drive the point home. If you need extra motivation to do your part, here it is:
- In the UK, the ICO fined Bupa with £175 thousand, Carphone Warehouse with £400 thousand and Equifax with £500 thousand. All of them allegedly failed to protect their client’s and employee’s information effectively.
- In 2013, hackers had access to credit and debit card numbers of an estimated 40 million Target customers. It was roughly calculated that the company faced $420 million in the loss. They reportedly had cyber insurance to cover a significant portion of that, though.
- In 2013, nearly 3 billion account’s personal information was stolen from Yahoo. None of it was financial. The company ended up paying $50 million for the incident.
- In 2014, eBay urged its users to change their passwords after cyber criminals got hold of personal data from an undisclosed amount of users. They didn’t get to their financial information because it was stored separately, and the incident ended up being just a scare.
- In 2016, the private data of nearly 57 million people was stolen from Uber. The settlement cost the company $148 million, but that was not all they lost. Their reputation took a big hit.
- In 2017, a cyberattack on Equifax revealed the personal information of 148 million Americans. They reached a deal in 2019 to pay a maximum of $700 million for the whole mess.
And of course, by now everyone should know about 2018’s Cambridge Analytica/ Facebook scandal. After that small mishap, Facebook’s stock price fell 19%, the estimated cost: around $120 Billion. And the effects continue to ripple, so it was probably more. For better or worse, that story led to a huge perspective change from tech companies regarding personal data.
Customer data management
So, what constitutes “customer data management”? Collecting information about your clients, storing it safely in a database, and maintaining such database clean and up to date. You should also study it and scrutinise it. Use your findings and insights to enhance your products, mechanisms, and overall enterprise operation.
That’s the beneficial part, though. The dark side is that this data is so valuable that you’ll have to invest in protection. There’s no other way around this. Small Biz Trends interviewed “senior security professional for AT&T”, and she told them that:
“In reality, small businesses can offer a more attractive target for hackers than larger companies because they don’t invest as many resources in cybersecurity, she said. That can be especially true for small businesses that are third-party providers for larger companies.”
With that being said, let’s move on to the best practices to keep your client’s data safe:
1.- Investigate, invest, and use the right software
There are a million variables, and every situation is unique. We wouldn’t dare to suggest what software will work best for your company without thoroughly studying the case. Which is what you’ll have to do at the beginning of the process. The correct data management software will help you protect your data and comply with GDPR and related regulations. Also, hire the right people to operate and handle it. Keep your software and operating system up to date. Updated versions usually neutralise known vulnerabilities, and routine maintenance goes a long way.
2.- Be straightforward about the information you gather
Your client is your partner in this regard, keep him informed about the data you have on them and what you’re doing with it. If there’s one lesson the Cambridge Analytica/ Facebook debacle left us, is that hiding this crucial information will probably translate in a loss of trust that will be hard to recover from. Regarding this point, Small Biz Trends advises: “Customers need to know that you are protecting their information. Make sure you have a policy they can refer to explaining how you are keeping personal information safe.“
3.- As-needed access to information
Not all your employees need to know everything, nor have the power to edit the database. Take a page from how Wikipedia works and create levels of access for different people inside the organisation. Restrict and assign access privileges as needed, without mercy or second thoughts.
4.- Get insurance that covers cyberattacks
Learn from Target, double-check that your business’ insurance covers cyber breaches. One never knows.
5.- Back everything up. Encrypt if possible.
Hopefully, you’ll never need the insurance or this, but disaster might strike. Backing data up is always recommended, and more so this particular kind. It’s more or less a million-dollar database. We would go one step further and encrypt that backed up data, especially if you’re using the cloud to store it. One never knows. About this point, Inc. says: “eCommerce businesses aren’t only encrypting customers’ data while they shop; they’ve also begun to incorporate encryption while backing up data to prevent its theft while in transit.”
6.- Plan of action if disaster strikes
May it never comes to this, but you need to know what you’ll do if there’s even suspicion of a data breach. Or if all your data gets deleted by accident. Or if you somehow lose all access to it. You also need to know what to do if a mobile device with special privileges gets lost or stolen, or if there’s a break-in in your office. Be as prepared as a boy scout and take decisive action if needed. Which hopefully won’t happen.
7.- Regularly educate your employees
This might be the most important on the list. Everything else might be in place, but at the end of the day, your staff is going to be handling the data. If they don’t know what to look for, how to behave, and what they’re dealing with, the risk you face is immense. Keep them up to date on the latest social engineering tactics and phishing scams. Teach them to keep unbreakable passwords and to report any stolen equipment. Have them love that data as much as you do. And repeat the treatment every year. Small Biz Trends advises your employees: “… should be educated about the newest fraud schemes and urged to employ best practices such as not responding to or opening attachments or clicking suspicious links in unsolicited email messages.”
Besides the impossible fines or the loss of trust, the correct handling of your client’s information will reap benefits. Use this data wisely, and you could manage to sell more products, increase customer retention, improve your relationship with them, sharpen up your marketing, and much more.
Most companies should invest in customer data management, especially online retailers. The age of data has just begun, and you might as well start with the right foot. Put everything in place from the beginning, get superpowers, and watch the millennium unfold with a smile on your face.
—
Eduardo Próspero. Content developer and author.