Collecting customer data can help businesses improve products and services. However, when consumers discover that their data has been leaked in large quantities and used for illicit profit-making activities, they become more cautious and less willing to submit their private data to businesses. Companies can only earn consumers’ trust by formulating, promulgating, and effectively implementing robust and comprehensive data security policies.
Everyone must have had this experience: when using a certain software or app, you have a headache when you see that long and obscure privacy policy, but you can only click the “I have read and agree” button. At the same time, due to the lack of scientific data security structure and permission settings, enterprises have also led to various data leaks, exacerbating the “crisis of trust” with consumers. Bain’s survey of 8,000 consumers in the US, UK, China and India found that more than half were “extremely” or “very” concerned about their data being misused.
Data privacy has become a major concern for regulators and consumers alike. Violations of data privacy and data security have resulted in hundreds of millions of dollars in fines and judgments in the United States and Europe.
In the current market and regulatory environment, companies that disregard the interests of consumers have undoubtedly exposed themselves to high risks. This also reminds companies, especially large-scale emerging companies in the high-tech and Internet fields, that if a company cannot meet the expectations and requirements of consumers and regulators, its brand reputation in the market, and even in some cases, may Its business legality will be affected. Conversely, if a business can process data in a reliable manner and meet expectations, it will benefit greatly in building customer trust.
For example, Apple announced a new set of privacy protection tools at its 2020 developer conference, one of which allowed users to turn off ad tracking per app, a first for a smartphone maker. But the move immediately drew a lot of opposition. Facebook and several other ad groups have complained that the feature will reduce ad revenue for app developers. This conflict shows that companies need to overcome some difficulties in order to solve the problem of conflicting demands within the same ecosystem.
According to the best practices in the field of personal privacy information protection in recent years, this article collects and organizes 12 security measures that can effectively help enterprises protect their user data, which can be used as a reference in the construction of enterprise data protection.
Clarify the confidentiality obligations of outsourced service providers
Outsourcing business (services) increases the risk of financial and reputational losses for enterprises due to security incidents. Enterprises need to clearly agree with service providers in the contract terms to deal with these risks. When negotiating security provisions in a contract, consider the sensitivity of the information, the ability to understand the service provider, and the results of due diligence conducted in accordance with both parties’ internal policies and procedures.
Choose safe and reliable employees.
When an enterprise conducts business involving a large amount of user-sensitive data, it is necessary to consider whether it is trustworthy when selecting business personnel. Given the current shortage of talent, the credibility and transparency of resumes should be taken into account when recruiting employees. For example, background screening is important (especially for industries such as banking and healthcare), and it is only through transparency and trust tests that more suitable candidates can be found and companies can confidently hand over sensitive data to them.
The use of third-party security service
audit and compliance requirements force enterprises to implement feasible security solutions in the technical environment, but there are often security risks in enterprises that cannot be discovered through routine audits. The use of third-party security testing services can discover vulnerabilities that may be missed by the company’s own security team. The practice has proved that launching a bug bounty program will be helpful to the security construction of the company.
Adopt a secure design approach
Adopting a security-by-design approach when developing a company’s business systems can greatly improve the security of corporate private data. A security-by-design approach involves several aspects, including educating employees, minimizing the amount of data collected, encrypting data, designing systems for security, data access control, and focusing on security throughout the software development lifecycle.
Provide value
to customers Businesses that collect customer data should let users know what their purpose for collecting the data is. The use of collected data can provide value to customers, society and the country, not just for commercial value. Businesses need to identify use cases for the data they collect, familiarize themselves with rapidly changing data technology and regulatory requirements, and liaise closely with business teams.
Ensuring full compliance with security and privacy frameworks
Businesses should comply with information security or privacy compliance frameworks for data collection, storage, and transmission in order to ensure the safe use of data. In addition, any suppliers with exposure to consumer data should be vetted to ensure that information security regulations or standards are also complied with at every point in the supply chain.
Obtaining the customer’s authorized consent
Informed consent is the main basis for winning the trust of consumers. “Informed consent” is when a business clearly informs customers of the current and possible future uses of their personal data, and how long it will retain personal data before the business regains the customer’s consent, allowing each consumer to choose when their consent becomes effective Length can make the policy more personal.
Give customers the right to opt-out
Businesses should frequently inform consumers about the storage and use of collected data and ask them if they would like to opt out. Some companies conduct a quarterly privacy and security health check on consumers, which will help win the understanding and trust of users.
Security encryption
Security encryption of user, privacy data Security encryption of important and sensitive data in user data is the most basic protection requirement, but it is ignored by many companies, even some large Internet companies. In order to reassure customers, they need to be told that the personal data they submit will be encrypted, and even corporate employees cannot read them at will.
Hire a third-party agency to collect and manage data
For small and medium-sized business organizations, it is recommended to use a third-party service to collect and maintain customer data, which is available in many software-as-a-service (SaaS) offerings. The survey found that users would prefer to submit their personal data to a SaaS product rather than a small, unknown company for safekeeping.
Retain at least three copies of the data
Enterprises are responsible for ensuring that data is properly stored and fully protected. It is recommended that enterprises back up at least three copies of data and store them on at least two different forms of media, one for offline storage and one for off-site storage. Customers should be notified of any changes so they can confidently hand over their data to the business for safekeeping.
Minimize access to customer data
When a business must collect user data, it should only authorize employees who must have access to the data. The data should also have a suitable retention period, which means that once the data meets the usage requirements and is no longer needed, it should be deleted. Legally collected data should be properly archived. This approach will help demonstrate to consumers that businesses are capable of keeping their data safe.
