The value of collecting and analysing customer data has been understood by most of the business world for decades. But it is only relatively recently, on the back of numerous notable data breaches in recent years – Facebook, Capital One, Quora, and Aadhaar in India to name a few of the biggest – that the responsibility of private businesses to protect the public has been brought into question.
But it is not just the risk of private data being obtained illicitly. Customers could be at risk from being identified from data that has been handled perfectly legally. For example, once data has undergone de-identification – that is, the process of removing any sorts of personally indefinable information – then data sets can be shared or sold.
The trouble then is that data can also undergo re-identification, especially when compared with other sets, the combination of which could be unique. Studies, highlighted in our recent white paper, have shown that even just 15 demographic attributes can be used to help re-identify individuals. From there, criminals could start to steal the identities of customers without any wrongdoing by a company. However, though not illegal, this is clearly a PR disaster waiting to happen.
With broad legislation, such as the General Data Protection Regulation in the European Union, shaping countries around the world, it is more important than ever that businesses take customer data protection into their own hands and be active rather than reactive. Here are three ways they can do it:
Understand the broad range of personally indefinable information
While what is considered personally indefinable information is obvious in some cases, the vast majority of types sit in a grey area. Personally indefinable information covers any information that is either ‘linked’ or ‘linkable’ to an individual. Linked information is a piece of data that can directly identify an individual, such as someone’s full name, email address or passport number. Linkable information, however, is information that can’t identify someone on their own but could if given alongside other pieces. These include first or last name, country of birth, gender, race, etc.
For European Union citizens, the General Data Protection Regulation refers to ‘personal data’, which covers an extremely broad range of types. Anything that can be used to identify an individual is covered – IP addresses, video footage, social media posts, biometric identifiers, and geographic location data.
Whether or not a business is governed by the General Data Protection Regulation, treating this broad range of customer personally indefinable information with the utmost security seems like best practice.
Look after customers’ rights
The General Data Protection Regulation is the most thorough data legislation currently in force and gives the general public the most rights to their data. It marks a shift in understanding data ownership. No longer does it consider that companies ‘own’ customers’ data, rather they are simply hosting it. Under the regulation, people can request companies to delete the data they have on them or provide it to them.
Customers are also required to opt-in when a business requests to collect their data, meaning companies can no longer add them to services like mailing lists without their consent. The legislation goes some way to demonstrate the value of a person’s own data to the individual, and with this comes an increased understanding of how it should be treated.
Layers upon layers of security are needed to protect a business, its staff and its customers. Spam filters are the front line in fighting malware and phishing scams, while firewalls can be used to protect sensitive data. Companies must ensure that software, such as internet browsers are regularly updated, and any new devices, such as USB sticks, should be scanned before being attached to a network.
Organisations also need to create a culture where protecting data is considered everyone’s job. Employees need to understand what suspect emails look like, as well as how to keep their accounts safe with strong passwords.
Company smartphones, tablets and laptops can help increase productivity but – if stolen – can mean that sensitive information can wind up in the wrong hands. Employees need to understand what to do in the event of devices being lost or stolen, and sensitive information should not be stored on hard drives that leave the office.
Data protection is not just a legal issue, it is a moral one. It also makes good business sense. Secure businesses will be more trusted, which means customers will share more data with them and, in turn, spend more. Companies that are seen as responsible when it comes to data will be the winners of consumers’ hearts and minds in the future. When a company cuts corners and ultimately fail on security, customers will vote with their wallets, especially over the next 10 years as the understanding of data security increases.
Tom Jenkins, Chief Marketing Officer, ContactEngine