Nearly half (44%) of data breaches analyzed by IBM exposed personal customer information, including name, email, password and even healthcare data. According to Pew Research, 81% of Americans say the potential risks of companies collecting data about them outweigh the benefits, and 79% are very or somewhat concerned about how businesses use the data collected.
Data privacy is the branch of data security that focuses on handling personal data in compliance with regulations, laws, and best practices. It focuses on how personal data is collected and processed and how a business protects that data from unauthorized access.
Data privacy should be a top priority for every business. A data privacy strategy protects your business’s interests and helps customers feel at ease when working with you.
How to Protect Customer Data
Most customers understand that their data is being collected, but few understand or feel comfortable with how their data is being used. According to Pew Research, more than 60% of Americans think it’s impossible to go through an entire day without their data being tracked or collected.
However, 59% of the study said they have little to no understanding of how their data is used.
Beyond this, many Americans are concerned that companies are selling sensitive information without their knowledge or consent.
This has led to countries setting down rules that allow individuals to increasingly exercise control over their data and set the terms with how businesses can use it, according to the Harvard Business Review.
To earn customer trust, businesses must open up.
Knowing and communicating how your business collects and uses data and identifying sensitive data types is vital.
To do this, businesses must take stock of all files and devices they use to process data. Companies should determine who has access to the data (including internal personnel and third-party partners), where the data is stored and what kind of information they are gathering (name and phone number only or social security and financial data, for example).
There are two primary ways to protect sensitive information: organizational safeguards and technical safeguards.
- Organizational safeguards include training, password policies, the principle of least privilege (only giving employees access to the information they need to do their jobs), incident reporting and response plans.
- Technical safeguards include multifactor authentication, VPN usage, encryption, Endpoint Detection and Response (EDR) and risk assessments.
To improve your data privacy
Know what data you have, and where.
Storage includes servers, laptops, mobile devices, backups, external drives, home computers and other devices where personal data may be stored.
Understand how your business receives this data.
This data could come through a website, email or even the mail. If you operate retail or restaurant operations, the data could be sent through individual Point of Sale systems.
Only gather the information necessary for business operations.
For instance, a bank may require financial and social security information but should not ask for healthcare information.
Follow the principle of least privilege.
Follow the principle of least privilege to limit the number of team members’ accessing the information. Also consider vendors or contractors who may be able to access your systems.
Follow cybersecurity best practices to protect the data you keep.
This may include regular vulnerability assessments, storing particularly sensitive data on-premises vs. on the cloud, encrypting data and more.
Only hold data as long as you need to.
Once you are finished with it (such as if a customer is no longer with your business), properly dispose of it. If you don’t have it, it can’t be stolen. Disposal practices include wiping old computers and other storage devices and ensuring your at-home workers follow the same rules.
Ensure teams are well-trained and understand how to report an incident.
According to the FTC, your data security plan is “only as strong as the employees who implement it.” Implement ongoing training around meaningful data security practices to ensure protection. Then, create an incident response plan to minimize impact.
In addition, understanding the laws surrounding data privacy is vital. The Federal Trade Commission Act, Fair Credit Reporting Act, and other regulations require companies to provide reasonable security for private information. Knowing these laws will keep your business in compliance and provide you with a solid foundation for data security.
The FTC provides this great resource for protecting personal data.
How your business protects sensitive information tells everyone how your company treats its customers. Partner with Sikich to develop a plan to strengthen your data privacy today.