An Entrust survey found that 79% of adults are at least somewhat concerned about their data privacy and 64% said their concern or awareness about data privacy has increased over the past 12 months.
With consumer happiness and trust impacting bottom lines, customer concerns become business concerns.
From the UK Government’s Cyber Security Breaches Survey, 39% of businesses reported having cyber security breaches or attacks in the last twelve months. As in previous years, this is higher among medium businesses at 65% and large businesses at 64%. This increase can be attributed to the introduction of remote working arrangements in response to the COVID-19 pandemic.
This increase in the number of data breaches and cyberattacks shows the significant value of your customers’ personal data in your system.
To protect your data from misuse, your organisation is required to maintain Personally Identifiable Information (PII) data compliance.
What is Personally Identifiable Information?
Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognise an individual.
Non-PII can become PII whenever additional information is made publicly available. For example, someone’s date of birth by itself is not PII, but combined with other similar data it could be considered PII.
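To make the quasi-identifier point concrete, here is an added example (not part of the original article) that measures how many records in a constructed, fabricated customer table become uniquely identifiable once date of birth, postcode and sex are combined, and how coarsening those fields (birth year, outward postcode only) lowers that risk. The records, field names and the generalisation rules are all assumptions made for the illustration; the measure is the usual k-anonymity count, and the example goes beyond the single date-of-birth case in the text by checking any set of quasi-identifiers.

```python
from collections import Counter

# Constructed sample records (fabricated, not real people). The first three
# fields are quasi-identifiers; "order" is the sensitive attribute being protected.
RECORDS = [
    {"dob": "1984-03-12", "postcode": "SW1A 1AA", "sex": "F", "order": "medical"},
    {"dob": "1984-03-12", "postcode": "SW1A 1AA", "sex": "M", "order": "books"},
    {"dob": "1984-07-30", "postcode": "SW1A 2BB", "sex": "F", "order": "books"},
    {"dob": "1990-01-05", "postcode": "EC1A 1BB", "sex": "M", "order": "toys"},
    {"dob": "1990-11-21", "postcode": "EC1A 1BB", "sex": "M", "order": "toys"},
    {"dob": "1990-02-14", "postcode": "EC1A 9ZZ", "sex": "F", "order": "medical"},
]


def equivalence_classes(records, qids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(record[q] for q in qids) for record in records)


def k_anonymity(records, qids):
    """Size of the smallest class. k == 1 means someone is uniquely identifiable."""
    return min(equivalence_classes(records, qids).values())


def unique_individuals(records, qids):
    """The quasi-identifier combinations that point at exactly one record."""
    return [key for key, n in equivalence_classes(records, qids).items() if n == 1]


def reidentification_risk(records, qids):
    """Fraction of records that sit alone in their class (0.0 is best)."""
    singletons = len(unique_individuals(records, qids))
    return singletons / len(records)


def generalise(record):
    """Coarsen quasi-identifiers: birth year only, outward postcode only, sex suppressed.
    (Assumed generalisation rules for the illustration.)"""
    return {
        "dob": record["dob"][:4],
        "postcode": record["postcode"].split()[0],
        "sex": "*",
        "order": record["order"],
    }


if __name__ == "__main__":
    full = ["dob", "postcode", "sex"]
    print("sex alone, k =", k_anonymity(RECORDS, ["sex"]))
    print("dob+postcode+sex, k =", k_anonymity(RECORDS, full),
          "risk =", reidentification_risk(RECORDS, full))
    coarse = [generalise(r) for r in RECORDS]
    print("after generalisation, k =", k_anonymity(coarse, full),
          "risk =", reidentification_risk(coarse, full))
```

Run on the constructed table, sex alone gives k = 3 (nobody is singled out), while the three fields together give k = 1 with every record unique; after generalisation k returns to 3. The same functions can be pointed at an export of a real table during data mapping to see which field combinations your systems actually expose.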
Data protection laws for Personally Identifiable Information
To protect consumers, many countries and regions have implemented data protection laws to provide guidelines for businesses collecting, storing and sharing customers’ personal information.
These guidelines set out the obligations an organisation has for the information they collect, ensuring data is stored in a secure manner, used only for the purpose it was collected, and ensuring data is not shared if its protection cannot be guaranteed.
European Union
The General Data Protection Regulation (GDPR) requires businesses in the EU to comply with data governance practices. Any business established in the EU and any business that processes or controls personal data and offers goods and services to individuals in the EU, is regulated by the GDPR.
UK
Before Brexit, UK businesses were subject to the GDPR. If you operate in the UK or deal with UK consumers, you will now need to comply with the UK GDPR under the Data Protection Act 2018 (DPA 2018). There is little change to the core data protection principles, rights and obligations, as the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.
Adopting Personally Identifiable Information compliance
Are you aware of the location of PII and how it’s linked in your system to specific individual customers?
An IDG Research Services survey commissioned by Insight Enterprises found that only 57% of organisations conducted a data security risk assessment in 2020.
It’s essential that you have your PII under control and secure to avoid the risk of unnecessary reputational damage and potential fines. You need a full review of where data lives across your systems, software and tools, a process called data mapping.
Why should you take customer privacy seriously?
Customer privacy is a complex issue for your business and your customers alike. It can seem daunting and expensive to set up systems to protect your customers’ PII, keep them up to date, and openly and clearly communicate your data processes to your customers.
It’s no longer enough to simply secure your data; how you handle customer privacy can affect your business in three ways:
- Impact on your brand
Brands that handle customer data security properly and communicate this to their consumers, have more satisfied customers and a deeper loyalty from them.
Data breaches can affect your brand immensely and can lose you consumers even before they have become a customer. An Atomic Research study found that 33% of UK organisations lost customers after a data breach, with 34% of businesses saying they suffered a damaged reputation.
It’s wise for organisations to spend time and money developing best practices on data protection and cybersecurity. If a data breach does occur, you can minimise the impact on your brand by setting up a series of ‘what if’ scenarios, ready to implement the instant a security crisis occurs. These scenarios would include all C-suite executives who are likely to be involved in the breach.
- Erode customer trust
The trust that your customers have in your business is built over time. As they interact with you, purchase from you, their trust in your business grows.
If this trust is broken because of a data breach, this will be difficult but not impossible to repair.
Report breaches to appropriate authorities immediately and open the communication lines with the affected customers as required. Bend over backwards to reassure affected customers. Take corrective action and assist them to further protect their personal data.
How you treat and manage a data breach can perhaps win your customers back.
- The cost of a data breach
When a data breach has occurred, your organisation may be liable to pay damages. The bigger the data breach, usually the larger the damages.
The damages can include the cost to correct the weakness in your data security and compensation for victims, as well as wider business disruption such as staff diverting their time away from the business.
So, how can you respect the privacy of your customers?
Use the ‘golden rule of data privacy’ – treat your customers’ and prospects’ data how you would like your own personal data to be treated – as a strong foundation for your security and data handling:
- Communicate your principles and procedures on PII
Be proactive in engaging your customers on how you protect the privacy of their data to help them feel safe and secure when buying from you. Educate your customers about the security of their most sensitive data through a clear privacy policy written in plain language. At various times during the sales funnel, remind them of your policy.
PII compliance may require asking permission to use their data. Explain to your customers how you will be using the data and give them options. To keep their trust and remain compliant, only use their data for the stated purpose. Keep a record of the permissions they granted, including how and to what they agreed.
- Make it easy for consumers to remove themselves from your database
Create a simple and effective withdrawal mechanism. Communicate their right to withdraw consent at any time and how to do this. Ensure that your process removes the records entirely from your system.
- Install robust data and security solutions to protect your consumer data and your brand
Ensure all departments – technical teams, analysts, marketers and your external technology partners – prioritise and play an active role in data security and governance. Automate as many processes as possible to help time-poor employees and to prevent errors from manual procedures. Be clear with all employees about how sensitive data is handled, classify your data, and include a backup and recovery plan.
- Stay informed of regulation updates and new standards in PII
Use government regulations as the minimum when setting up processes for compliance, risk management and data protection. Industry standards are continually changing, and keeping up with the evolving digital environment is worth the effort.
According to Gartner, Inc. by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020.
What about data security with your business partners?
In business where collaboration through partners has become popular, it’s critical to question how your partner treats your customer data. A partner would include any outside organisation that has access to your systems and PII – be they service providers such as brand and marketing strategists, or data and analytics partners, to certified app developers for conversion optimisation or fraud and risk management.
You are looking for partners that have the same level of respect and transparency for customer data as your organisation. It’s important that your partners, especially if located in a different country, follow the required PII compliance when they gather, store and link your data in their systems. More information can be found in the UK GDPR.
What are some of the security tools to safeguard your customers’ PII?
Just like you, etika takes PII seriously. We use a range of measures and reasonable steps to protect our clients’ personal information from misuse, loss and unauthorised access, modification and disclosure.
Data security practices are changing all the time, but can include the following technologies.
Data Discovery and Classification – this is where all data is located and classified according to its value to the organisation, to reduce the risk of improper exposure.
Data Encryption – using a combination of hardware and software-based data encryption to secure data before it is written to the SSD.
Data Loss Prevention (DLP) – preventing data from leaving the corporate network.
Dynamic Data Masking – real-time masking of data so that the requestor sees only an obscured version of the sensitive values, while no changes are made to the original stored data.
User & Entity Behaviour Analytics (UEBA) – a complex technology for baselining normal activity and spotting suspicious variations before a breach occurs.
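The following is an added example, written for this page rather than taken from etika’s tooling, that puts the first and fourth items of the list above together: it discovers and labels PII fields in a constructed set of customer records (fabricated values, not real customers), builds an inventory of which fields hold PII, and then serves a role-based masked view of a record without altering the stored original, which is what dynamic data masking means in practice. The detection patterns, the Luhn check used to filter number-shaped values that are not card numbers, the masking formats and the role names are all assumptions for the illustration.

```python
import re
from copy import deepcopy

# Constructed customer records with fabricated values (not real people).
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "email": "a.example@example.com",
     "phone": "+44 20 7946 0000", "card": "4111 1111 1111 1111",
     "note": "prefers email"},
    {"id": 2, "name": "B. Sample", "email": "b.sample@example.org",
     "phone": "07700 900123", "card": "1234 5678 9012 3456",
     "note": "call after 5pm"},
]

# Discovery patterns (assumed). Whole-value anchors stop free-text notes matching.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")
PHONE_RE = re.compile(r"^\+?[\d\s()-]{10,16}$")

# Hypothetical roles allowed to see unmasked values; everyone else gets the masked view.
UNMASKED_ROLES = {"dpo", "fraud-analyst"}


def luhn_ok(digits):
    """Luhn checksum: rejects number-shaped values that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value):
    """Label a single field value as 'email', 'card', 'phone' or 'none'."""
    if not isinstance(value, str):
        return "none"
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    if CARD_RE.match(v) and luhn_ok(re.sub(r"\D", "", v)):
        return "card"
    if PHONE_RE.match(v):
        return "phone"
    return "none"


def classify_record(record):
    """Map every field of a record to its PII label."""
    return {field: classify_value(value) for field, value in record.items()}


def pii_inventory(records):
    """Data discovery: which fields carried which kinds of PII anywhere in the set."""
    found = {}
    for record in records:
        for field, label in classify_record(record).items():
            if label != "none":
                found.setdefault(field, set()).add(label)
    return found


def mask_value(label, value):
    """Partial masking that keeps just enough for support staff to confirm a match."""
    if label == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if label == "card":
        return "**** **** **** " + re.sub(r"\D", "", value)[-4:]
    if label == "phone":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 3) + digits[-3:]
    return value


def masked_view(record, role):
    """Dynamic masking: the copy handed to the requester is masked by role;
    the stored record is never modified."""
    view = deepcopy(record)
    if role in UNMASKED_ROLES:
        return view
    for field, label in classify_record(record).items():
        view[field] = mask_value(label, record[field])
    return view


if __name__ == "__main__":
    print("PII inventory:", pii_inventory(CUSTOMERS))
    print("support sees:", masked_view(CUSTOMERS[0], "support"))
    print("stored record:", CUSTOMERS[0])
```

The second record’s card field fails the Luhn check and is left unlabelled, which is the kind of false positive a pure pattern match would report; the name field is also left alone, since names cannot be found reliably by a regular expression and need a dictionary or ML-based classifier. In a real deployment the inventory would be written to your data map and the masked view would be what a support console or analytics export receives.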
Our tips to finding an eCommerce data security provider
From the IDG Research Services survey commissioned by Insight Enterprises, only 27% of respondents expanded security staff in 2020. If your technical team is already pushed to its limit, you may be considering an external organisation for data security.
Here are some factors to consider when choosing a data security provider:
- Understands your business
Some industries have unique requirements and regulations; ensure the provider understands yours and has experience in these areas.
- How much data do you have?
Analyse the type and amount of data your business holds. Ensure the data security partner can handle the volume not just now but in the future, as your business grows.
- Access to your data
eCommerce never sleeps! Ensure your provider gives you 24 hours a day, 7 days a week support in case of emergencies. Also check their geographical locations – where the data will be stored and transferred, and who can access it – as PII compliance may be required.
- Ability to integrate all data
Ensure the service integrates with all your business applications and that no extra copies of your data are created during its processes.
There’s no hiding from cybersecurity in the eCommerce world. Protecting your customers’ data should be top priority for your business and the responsibility of everyone in the company.