A 2021 McKinsey survey of 1,000 corporate executives revealed the value of consumer data protection. To protect consumers, laws such as the Consumer Data Privacy Law and the Gramm-Leach-Bliley Act give federal agencies the mandate to prosecute cases of consumer rights abuse.
But that’s not all. Commercial entities are now obligated to implement a “privacy by design” approach to their security practices. Average corporate privacy spending stood at $676K in 2020, according to a 2021 International Association of Privacy Professionals report. That’s quite an increase from the $622K reported in 2019.
These third-party organizations aren’t the only ones exerting this type of pressure on businesses. Consumers themselves are demanding more from companies when it comes to data protection.
According to the same McKinsey 2021 report, 52% of consumers trust companies that only ask for information relevant to their product or service. For businesses, that should be reason enough to comply. After all, consumers are only likely to buy from a brand if they trust that brand in the first place.
In other words, consumer online privacy protection is something companies can no longer afford to ignore. That said, here are six consumer data protection tips you should follow for your business:
1. Use Password Management Tools
Experts recommend that you choose a long and complex password consisting of numbers, symbols, uppercase letters, and lowercase letters. That gets tricky for a single user who has to manage dozens of passwords across multiple websites at once.
For example, for a SaaS company running appointment booking software, each password-protected login point is a point of vulnerability. Thus, if 100 employees need to log on to your platform, those are 100 points of vulnerability. A password manager can help.
Most password management tools perform several functions that may include:
- Securely encrypting, storing, and retrieving sensitive docs or meta information.
- Generating random passwords for your accounts – the password manager can autofill the linked account automatically, or you can copy-paste (less secure) the generated password.
- Providing travel mode and VPN.
- Providing access control mechanisms (more on this later).
- Providing Multifactor Authentication, for example, facial recognition.
LastPass, for example, offers a password manager that lets users log into various accounts such as Netflix, Twitter, and PayPal, as in the screenshot below.
With a corporate password management solution, you can control logins to all the different web applications and have a single access point for all your staff. All logins can be tracked, admin privileges set, and access terminated as needed.
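The two password-manager functions the section leans on, random generation and a complexity check against the recommended character classes, shown as an added example (not code from the page or from any product); the symbol set is a constructed, conservative choice:

```python
import secrets
import string

# Character classes the recommendation calls for: lowercase, uppercase, digits, symbols.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"  # constructed: a conservative set most sites accept
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one character from every class.

    Uses the secrets module (a CSPRNG), never the random module, which is predictable.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    # One guaranteed character per class, then fill the rest from the full alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    # Shuffle so the guaranteed characters are not always in the first four positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def password_weaknesses(password: str, min_length: int = 16) -> list:
    """List the policy rules a password fails; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    for name, cls in zip(("lowercase", "uppercase", "digit", "symbol"), CLASSES):
        if not any(c in cls for c in password):
            problems.append(f"missing {name}")
    return problems


if __name__ == "__main__":
    candidate = generate_password(20)
    print(candidate, password_weaknesses(candidate))
```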
2. Gather Only Relevant Data
Commercial entities collect consumer data to make data-driven decisions. They may collect data from native and mobile apps, sign-up forms, card payment processes, location tracking services, social media messages, surveys, web cookies, etc.
A company that keeps an expansive collection of personal data on a single user is more vulnerable to attacks by hackers. Compare that with a company that limits itself to only the most relevant data points.
The image snippet above shows a lead generation form for a Digital Health digest. The critical data collection points are the user names, email addresses, job titles, and organization. It would be unreasonable for the digest to ask for location data, credit card info, or even sexual orientation to simply send a newsletter.
Limiting the amount of data you collect to only the most relevant reduces your risk exposure and paints you as a strong advocate for consumer rights.
3. Check Service Providers’ Security
Your data security is only as good as that of third-party applications or your data infrastructure. Internet Service Providers, for example, can collect vast chunks of customer data. Therefore, these providers need top-notch data security ops.
But what does that mean?
If you are a company using a SaaS tool, your provider should give assurances that it follows security best practices. Essential items to look for in SaaS companies’ policies include Data Loss Prevention (DLP), asset-based tokenization, data risk assessment, secure APIs, and access governance.
You can also ensure your data safety by asking your service providers to provide their audited security records with regard to these standards. They should also be able to fulfill data access requests within the shortest time possible.
As shown above, the minimum data security requirements you need your SaaS provider to fulfill depend on your level of risk exposure and your business model. For one business, that might mean identity and access control only; for another, it might also include offline data loss prevention and encryption.
There are several privacy laws and international standards that any company handling consumer data should adhere to. Some of these include:
- The GDPR – Online service providers operating within the EU must comply with the GDPR, which governs the capture, storage, sharing, and usage of personal consumer data (vital elements of the GDPR are shown in the image above). Companies that don’t adhere to the GDPR may face fines of up to €20 million or 4% of revenues, whichever is higher.
- PCI DSS – Payment Card Industry Data Security Standard regulates access and sharing of information by any financial institution that supports payment cards to prevent data breaches and theft of cardholder data.
- The CCPA – The California Consumer Privacy Act focuses more on consumers’ affirmative consent than on service providers, giving users the option to opt out of data collection and giving the state the responsibility to outline data protection strategies.
- SOC-2 – Provides SaaS companies in America with standard guidelines for setting up data privacy protection processes.
- CDPA – The Consumer Data Protection Act is a federal privacy law that requires companies to get consent from consumers before their data is collected.
4. Safeguard Non-Digital Data
Though much of the data currently collected is digital, businesses providing a hybrid customer experience may end up collecting non-digital data that can be exposed as well. A good example is companies that offer financial services, such as banks. Such data can also be collected through paper surveys, feedback forms, receipts, consent forms, etc.
There are three things you can do to reduce privacy risks concerning non-digital data:
- Store it in a protected area such as a safe, vault, or lockable drawer
- Digitize all the physical copies by scanning them as soon as possible
- Destroy the physical copies once the relevant holding period has elapsed
You can further safeguard your non-digital data by controlling who has access to it and ensuring that highly sensitive data isn’t stored outside business premises.
5. Restrict Data Access
Just as it is essential to collect only relevant data, it’s equally important to limit data access to only the most relevant persons. For example, you may be an eCommerce agency or a company that helps businesses add citations or listings to online business directories. Since you may be handling large volumes of sensitive customer data, you must have different data access levels.
One way to restrict data access is through Password Access Control mechanisms that allow an admin to assign a password to a user either permanently or temporarily. The admin can also assign or limit certain user rights, for example, viewing specific files and directories.
Likewise, other password access systems support two-factor or multi-factor authentication, where a limited set of authentication devices is controlled by an admin.
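A hypothetical in-memory model of the admin-managed access levels described above (permanent or time-limited grants scoped to specific files and directories, revocable at any time), written as an added example rather than code from the page or from any real product:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from posixpath import normpath
from typing import Optional


@dataclass
class Grant:
    user: str
    path_prefix: str                # directory (or single file) the grant covers
    rights: frozenset               # e.g. {"view"} or {"view", "edit"}
    expires_at: Optional[datetime]  # None means a permanent grant


class AccessPolicy:
    """Deny-by-default access control: a user may act only under an unexpired grant."""

    def __init__(self):
        self._grants = []

    def grant(self, user, path_prefix, rights, duration: Optional[timedelta] = None,
              now: Optional[datetime] = None):
        """Admin assigns rights on a path, permanently or for a limited duration."""
        now = now or datetime.now(timezone.utc)
        expires = now + duration if duration else None
        self._grants.append(Grant(user, normpath(path_prefix), frozenset(rights), expires))

    def revoke(self, user):
        """Terminate every grant a user holds (access terminated as needed)."""
        self._grants = [g for g in self._grants if g.user != user]

    def is_allowed(self, user, path, right, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        # normpath collapses '..' so a request cannot step outside a granted prefix.
        path = normpath(path)
        for g in self._grants:
            if g.user != user or right not in g.rights:
                continue
            if g.expires_at is not None and now >= g.expires_at:
                continue  # temporary grant has lapsed
            # Match the exact path or anything below the granted directory.
            if path == g.path_prefix or path.startswith(g.path_prefix.rstrip("/") + "/"):
                return True
        return False
```

Checks are evaluated against an explicit clock so that expiry can be tested without waiting.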
Consumer data protection is vital. Customers feel more comfortable and confident in businesses supporting informed consent and transparent data practices.
So, follow these data protection strategies for your business. Restrict data access, use password management tools, ensure compliance with international standards, and collect only the most relevant data.
Advocating for consumer data protection will ensure that user rights to privacy are not infringed upon. It will help protect you from any legal claims and heavy civil penalties. It will also help you build trust and a direct relationship with your customers. That can, ultimately, benefit your business in many ways.