As marketers, we have an enormous responsibility to our clients, and ultimately to their customers, to protect the information end users have allowed us to use. Yes, I said allowed. That’s because much of the data we use to develop more relevant, personal conversations with customers and prospects was given to us—either directly or indirectly—by end users themselves.
Sometimes things get a little difficult in terms of protecting data privacy based on how data was originally gathered. But following one basic rule can keep things uncomplicated: always act responsibly and with integrity, and you’ll be doing the right thing.
When it comes to protecting data, there are three primary areas of focus for any company: data security, data privacy and an emerging field called data stewardship. Let’s quickly cover the first two, which are typical in most organizations that use consumer data.
Data security—protecting information at the point of collection
Data security is the practice of ensuring the initial receipt, storage and transmission of data is protected, however it’s collected. This means implementing various levels of security at the point of collection, whether it’s an online application for insurance coverage or a customer signing up in-store for a loyalty program.
Sounds simple, yet there were still 1,453 data breaches last year in U.S.-based companies, according to Breach Level Index. Since 2013, 9,727,967,988 data records have been lost or stolen globally. While only 4% in 2017 were breaches where encryption was used, 86% occurred in the U.S. This means even companies that follow industry standards at the point of collection, such as data compression and encryption, are still vulnerable. As technology advances and the number of those who abuse it increases, the need to develop tighter data security methods on the front end will continue to intensify.
Many organizations have implemented systems to remove human involvement in data collection to increase security. Table-top payment kiosks in restaurants are a great example. Sure, they may feel impersonal at first; however, a lot of data compromising can happen on that short walk from table to register if an unethical employee is on the schedule. Consider retailers who take credit applications in-store for one-year-same-as-cash promotions. At the point at which social security numbers or other private data is required, the salesperson simply swivels or hands the data collection tool to the consumer to complete.
If you can keep data secure at the start, you’re halfway there. But, once that data enters your organization, the responsibility of keeping it private falls directly on your company’s shoulders.
Data privacy—your organization, your responsibility
Data privacy is the practice of ensuring that private or confidential data remains as such and is handled appropriately in your system and by your employees. From the front doors of your building to database servers to the desks of employees, data is at risk of being compromised if your internal systems fail.
Your information technology team is a key player in ensuring data is secure in your database, file system and network. Limiting access through role-based password protection and requiring periodic password updates is a first step to making sure only those who need data can access it.
However, other departments play key roles as well. The operations department can implement an additional layer of protection by installing limited building access based on an employee’s job function. While the front door might be accessible to all employees, specific floors or rooms where sensitive data is stored may be limited. Human resources and training departments play a role in reminding employees of their responsibility when it comes to protecting data—and taking action when rules have been broken.
One of the most critical but difficult-to-manage layers of data protection comes with employees themselves. Employees must understand and embrace the responsibility their employers have for protecting data. They must not only refrain from discussing customer data, but also take basic precautions in their workspaces. Leaving paperwork or an active computer screen with sensitive data in the open when heading out for lunch is an easy way for a data breach to occur.
Every employee at every level has a responsibility to ensure their interactions with data keep it secure. Now, on to one of the newest concepts in data protection…acting as good stewards of data.
Data stewardship—the ethical side of the data protection coin
Data stewardship is the act of defining your position on utilization of data. Fundamentally, it is the practice of using data as the provider intended. CMOs and marketing firms have an obligation to establish best practices reflecting ethical use of information.
Recent General Data Protection Regulation (GDPR) laws in European nations have given consumers a louder voice in how their data is used, and they’ve made data stewardship a topic in many boardrooms. In the U.S., the historic opt-in/opt-out process has been the primary gatekeeper of how data is used. However, because much of the data that marketers use comes from third-party sources, lines get blurred when it comes to understanding the original intent of the consumer who provided it. That’s what makes data stewardship more of an ethical issue than a technical one.
Here are some examples of how easily data can be misused if companies are not putting the customer’s intentions first.
Let’s say a person wants to opt-out of receiving any communication from a company. Is it enough for the company to remove them from future communications, or is the consumer really asking to have all their information removed from the company’s database?
What about the customer who signed up for a loyalty program? They’re most likely agreeing to provide their contact information and allowing the company to track their purchase behavior in exchange for points, discounts or other incentives to keep them coming back. Whether or not it’s in the fine print, they’re likely not agreeing to allow their data to be given to another company for marketing use.
Retargeting has created even more decisions around data stewardship. When someone visits your website and partially completes an application or survey and then backs out, do you have the right to use the partial data you collected in that brief engagement to begin marketing to them?
Even giants like Facebook don’t always get it right when it comes to scraping data and using it in ways consumers intended. Data stewardship means respecting and controlling information based on the intention of the provider. Admittedly, it’s not the easiest line to draw, especially for marketers.
Seven ways to be good data stewards
Companies have a responsibility to establish data management strategies that reflect not only data security and privacy but also stewardship. Here are seven things to keep in mind as you assess your organization’s data confidentiality program:
- At collection points, whether online or offline, collect only the data you need and will use.
- Be sure your data-use intention is clearly stated, and consumers don’t have to dig to find it.
- At minimum, conduct an annual audit to assess how your organization is doing and be open to changing policies where necessary.
- Remove or limit human interaction with sensitive data based on roles.
- If you purchase data from third parties, be sure to vet them thoroughly and understand what they originally promised in terms of data use. Only partner with industry-audited sources.
- Get in front of data breaches. Not all states require you to communicate breaches, but it’s always a best practice to do so. Open communication gives consumers a chance to play an active role in protecting their data by changing passwords, requesting replacement cards, or checking their account balance.
- Implement ongoing education programs with employees on data privacy topics. Create data champions in each department to spot points of breakdown in the process and encourage ideas for new processes.
We as marketers have an ethical obligation to protect our clients and/or their end customers. They place an enormous amount of trust in us when handing over personal data, whether it’s conscious or subconscious, and we’re responsible for properly managing it. Think about how often you deliver your own personal data to various websites, stores and restaurants. You hope with each click or swipe that someone is looking out for your best interests—especially when it comes to your most valuable information.