6 Consumer Data Protection Tips Your Business Should Follow

A McKinsey 2021 survey from 1000 corporate executives revealed the value of consumer data protection. To protect consumers, laws such as the Consumer Data Privacy Law and the Gramm-Leach-Bliley Act give federal agencies the mandate to prosecute cases of consumer rights abuse. 

But that’s not all. Commercial entities are now obligated to implement a “privacy by design” approach to their security practices. The average privacy spending of companies is at $676K in 2020, according to a 2021 International Association of Privacy Professionals report. That’s quite an increase from the $622K reported in 2019.

These third-party organizations aren’t the only ones exerting this type of pressure on businesses. Consumers themselves are demanding more from companies when it comes to data protection. 

According to the same McKinsey 2021 report, 52% of consumers trust companies that only ask for information relevant to their product or service. For businesses, that should be more than enough to comply. After all, consumers are only more likely to buy from a brand if they trust the brand in the first place.

In other words, consumer online privacy protection is something companies can no longer afford to ignore. That said, here are six consumer data protection tips you should follow for your business:


1. Use Password Management Tools

Experts recommend that you choose a long and complex password consisting of numbers, symbols, uppercase, and lowercase letters. That gets a little tricky for you as a single user who has to manage dozens of passwords on multiple websites at once. 

For example, for a SaaS company running appointment booking software, each login point with a password is a point of vulnerability. Thus, if 100 employees need to log onto your platform, these are 100 points of vulnerability. A password manager can help.

Most password management tools perform several functions that may include:

  • Securely encrypting, storing, and retrieving sensitive docs or meta information.
  • Generating random passwords for your accounts – the password manager can autofill the linked account automatically, or you can copy-paste (less secure) the generated password.
  • Providing travel mode and VPN.
  • Providing access control mechanisms (more on this later)
  • Providing Multifactor Authentication, for example, facial recognition.

Lastpass, for example, offers a password manager allowing users to log into various accounts such as Netflix, Twitter, and PayPal, as in the screenshot below.

With a corporate password management solution, you can gain control over login into all the different web applications and have a single access point for all your staff. All logins can be tracked, admin privileges set, and access terminated as needed.


2. Gather Only Relevant Data 

Commercial entities collect consumer data to make data-driven decisions. They may collect data from native and mobile apps, sign-up forms, card payment processes, location tracking services, social media messages, surveys, web cookies, etc.

A company that keeps an expansive collection of personal data on a single user is more vulnerable to attacks by hackers. Compare that with a company that limits itself to only the most relevant data points. 

The image snippet above shows a lead generation form for a Digital Health digest. The critical data collection points are the user names, email addresses, job titles, and organization. It would be unreasonable for the digest to ask for location data, credit card info, or even sexual orientation to simply send a newsletter.

Limiting the amount of data you collect to only the most relevant reduces your risk exposure and paints you as a strong advocate for consumer rights.


3. Check Service Providers’ Security

Your data security is only as good as that of third-party applications or your data infrastructure. Internet Service Providers, for example, can collect vast chunks of customer data. Therefore, these providers need top-notch data security ops. 

But what does that mean? 

If you are a company using a SaaS tool, your provider should provide assurances that it follows security best practices. Essential items to look for in policies for SaaS companies include Data Loss Prevention (DLP), asset-based tokenization, data risk assessment, secure APIs,  and access governance.

You can also ensure your data safety by asking your service providers to provide their audited security records with regard to these standards. They should also be able to fulfill data access requests within the shortest time possible. 

As shown above, you might need your SaaS provider to fulfill minimum data security requirements depending on your levels of risk exposure and business model. An example would be an only identity and access control type of business. For another, it might include offline data loss prevention and encryption. 

There are several privacy laws and international standards that any company handling consumer data should adhere to. Some of these include:

  • The GDPR – For online service providers operating within the EU, one must comply with the GDPR outlining the capture, storage, sharing, and usage of personal consumer data (vital elements of the GDPR are shown in the image above). Companies that don’t adhere to the GDPR may face fines and violations of up to €20 million or 4% of revenues, whichever is higher. 
  • PCI DSS – Payment Card Industry Data Security Standard regulates access and sharing of information by any financial institution that supports payment cards to prevent data breaches and theft of cardholder data.
  • The CCPA – The California Consumer Privacy Act focuses more on consumers’ affirmative consent than on service providers, giving users the option to opt out of data collection and giving the state the responsibility to outline data protection strategies.
  • SOC-2 – Provides SaaS companies in America with standard guidelines for setting up data privacy protection processes.
  • CDPA – The Consumer Data Protection Act is a federal privacy law that requires companies to get consent from consumers before their data is collected. 

Other regulatory controls that companies involved in data handling follow include HIPAA/HITECH and NIST SP 800-171.


4. Safeguard Non-Digital Data

Though much of the data currently collected is digital data, businesses providing a hybrid customer experience may end up collecting non-physical data that can be exposed as well. A great example of this is companies that offer financial services, such as banks. Such data can also be collected through paper surveys, feedback forms, receipts, consent forms, etc.

There are three things you can do to reduce privacy risks concerning non-digital data:

  • Store it in a protected area such as a safe, vault, or lockable drawer
  • Digitize all the physical copies by scanning asap
  • Destroy the physical copies once the relevant holding period has elapsed

You can further safeguard your non-digital data by controlling who has access to it and ensuring that highly sensitive data isn’t stored outside business premises.


5. Restrict Data Access

Just as it is essential to collect only relevant data, it’s equally important to limit data access to only the most relevant persons. For example, you may be an eCommerce agency or a company that helps businesses add citations or listings to online business directories. Since you may be handling large volumes of sensitive customer data, you must have different data access levels.

One way to restrict data access is through Password Access Control mechanisms that allow an admin to assign a password to a user either permanently or temporarily. The admin can also assign or limit certain user rights, for example, viewing specific files and directories. 

Likewise, other password access systems support two-factor or multi-factor authentication where there are limited authentication devices controlled by an admin.


6. Provide A Clear Privacy Policy

A privacy policy is a document that defines the control measures that your company uses to control data from your employees, customers, or partners. 

It’s crucial for privacy policies to be reviewed periodically to ensure they remain compliant with regulations. They should also be publicly available and unambiguous. For example, if you collect location data, you should clearly state that you don’t use that data for tracking customers. You can include your privacy policy in your business agreement template so that it can be readily available to your customers. 

Think for a second about the Facebook – Cambridge Analytica scandal. What was missing in Facebook’s privacy policy was the part where they could share that data with third parties without express consent from Facebook users.

Another example is a digital marketing agency that harnesses customer data and uses it to build buyer personas. Such a company should have a dedicated privacy policy page and provide a link for handling opt-out requests from users. Any consumer request for data should be honored promptly. 


In Closing

Consumer data protection is vital. Customers feel more comfortable and confident in businesses supporting informed consent and transparent data practices. 

So, follow these data protection strategies for your business. Restrict data access, use password management tools, ensure compliance with international standards, and collect only the most relevant data.

Advocating for consumer data protection will ensure that user rights to privacy are not infringed upon. It will help protect you from any legal claims and heavy civil penalties. It will also help you build trust and a direct relationship with your customers. That can, ultimately, benefit your business in many ways.

<strong><strong>Daryl Bush is the Business Development Manager at <a href="https://authority.builders/">Authority Builders</a>.</strong></strong>
Daryl Bush is the Business Development Manager at Authority Builders.

The company helps businesses acquire more customers through improved online search rankings. He has extensive knowledge of SEO and business development.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.