In the last ten years, customer privacy has become a hot topic that everyone is talking about and not enough are acting on. Meanwhile, customers are getting more distrustful and are quicker to switch vendors. Organizations can’t limit data protection to credit cards and intellectual property, anymore.
If you aren’t actively protecting your customers’ personally identifiable information (PII), you could lose customers, lose your reputation, and even lose your business. This is a reality that too many organizations are realizing too late.
Customer Privacy Matters More Than Ever
According to recent research of U.S. adults:
- 81% feel they have very little to no control over the data that companies collect about them.
- 81% feel that the risks of companies collecting personal data outweigh the benefits.
- 79% are very concerned about how companies use the personal information they collect.
- 59% feel they have very little to no understanding about what companies do with personal information.
- 79% don’t believe that companies will admit mistakes and take responsibility when they misuse or compromise personal data.
- 75% don’t believe that companies will be held accountable by the government if they misuse data.
Suspicion and fear are high, along with an increasing feeling that we’re losing control over our own personal information.
At the same time, research by Gartner shows when companies put users in control of how their data is collected and used, customer churn drops by 40% and customer lifetime value increases by 25%.
Companies need to take this stuff seriously. Yet, I’ve had some interesting conversations over the years with various organizations that were aghast: “Well, it’s just their name and phone number. Why is this such a big deal?”
It’s one thing to know someone’s name and phone number. It’s an entirely different matter to know that Samantha Johnson of 123 Elm Street (555-555-1234) has an account at Target. Because that information says something about who she is and what she does. It’s no longer raw data, but it tells a story about Samantha’s life. And it can be used against her.
Besides that, it’s simply not your place to share someone’s information. People have the right to protect their privacy, and they have the right to decide how and when their information will be used.
Many states are realizing the need to protect personally identifiable information. There’s been a fairly large escalating trend over the last several years. It started with GDPR in Europe, and shortly afterward California adopted a similar law called the California Consumer Privacy Act (CCPA). Other states are making similar moves, and a Federal privacy act may be coming before long.
No Business Is Safe
If you think that your organization is safe because you’re just a small business, think twice. Forty-threepercent of data breach victims are small businesses. Not only that, but smaller organizations have higher costs relative to their size than larger organizations.
I had one client several years ago, who became a client because they had a security issue. They were storing first names, last names, phone numbers, and emails. That was it. They were running a program for a large client organization, and it turned out that you could very easily get the information of the people participating in that program. The large company wasn’t happy, their clients (those with data breached) were very unhappy, and the customer ended up spending a ton of time and money working their way out of that hole.
Will cyber liability insurance cover you in the event of a breach?
It took a lot of time and effort to get your company where it is today. Do you really want to put it all at risk, simply because you dragged your feet about protecting customer privacy?
How to Protect Your Customers’ Privacy
Fortunately, more and more companies are realizing the need to be protecting personally identifiable information — with or without state regulations.
Protecting customers’ PII can seem like a daunting task, but there are mechanisms you can take advantage of to help protect personal data from getting into the hands of the wrong people.
If you’re new to security and compliance, it’s common to walk into this space for the first time and feel like you’re drowning. You don’t even know what direction to start in. If that sounds like you, don’t worry — you’re in good company. Take a deep breath, grab a cup of coffee, and keep reading.
GDPR and CCPA are very directional types of privacy law. They provide a very basic set of requirements, but it’s up to you to decide how to apply them. There isn’t much detail, and the practical application of these standards can vary widely from organization to organization. If you’re new to compliance standards, it can be quite intimidating to figure out all that stuff yourself.
You can make things easier to tackle if you take a two-round approach. There’s the technical side of data protection and a procedural or operational side. First, figure out how to protect the data from a technical perspective. PCI is an ideal standard to use, because it’s very prescriptive — it spells out precisely what you need to do, how to do it, and how frequently.
While PCI is specifically designed for credit card data protection, it’s easy to substitute references to credit card information for sensitive data — which can include personally identifiable information.
Case Study: Discover how Phoenix Financial Services navigated through compliance chaos
PCI will create good bones to hang your program on, which will cover and protect the data itself. The technical requirements are covered. However, that doesn’t mean you’re also GDPR- or CCPA-compliant.
Once PCI is in place, take the very defined structure you now have and compare it to the rules and regulations of the privacy framework you’re going to implement (e.g., GDPR or CCPA). Determine which technical elements are already in place from PCI, and which elements are still outstanding that are specific to privacy. Those are operational or procedural elements. For example:
- How do you respond to someone who is inquiring about their personal data?
- How do you make it easy for users to remove themselves from the system?
Working your way through GDPR is now much less complicated, because you have fewer requirements to deal with. And in the end, your customer data is much better protected, from a technical and an operational perspective.
Yes, But…
That sounds like a lot to do to protect customers’ personal information. Isn’t that a bit overkill?
TCT is in the same boat. We don’t store credit card data. Most of the information we protect is PII and intellectual property information. We faced the same choice. But not only do we have an obligation to protect our customers’ information, protecting that data is also a measure for protecting the company itself. When you get breached, that event is monstrously costly. A single incident can put an organization out of business. And it can happen faster than you would ever expect.
Make Data Protection Easier
TCT Portal can make the enormity of protecting customer privacy easier to manage. The nice part about leveraging compliance management through TCT Portal is that it allows you to dial in and focus in on one thing at a time. Get it done, capture all your evidence and explanations for how you met this particular requirement, call it complete, and move to the next one. The journey of a thousand miles is all about taking it one step at a time. You’ll get there, just keep your feet moving!
TCT Portal gives you a structure to track and manage all the elements of compliance, but you can do it at a pace that works for you and your organization. And it gives your customers some measure of assurance that somebody put purposeful thought into each individual requirement and how it’s being met.
I’ll often hear from people that starting their compliance engagement is monstrously overwhelming. But by the time they get through it and they look back, they say that it wasn’t as bad as they feared. The structure of TCT Portal substantially helps you to not lose your mind or get drowned by details.
You don’t need any tool other than TCT Portal. Every single activity you need to keep tabs on for compliance is handled within TCT Portal. It’s truly a one-stop, end-to-end solution. That means your compliance efforts are streamlined, simplified, organized, and centralized.
Get more insider insights about achieving and maintaining compliance. Subscribe to the blog at the bottom of this page.