According to several news outlets, Facebook is planning to merge messaging in WhatsApp, Instagram, and Messenger some time in early 2020. This merger is expected to help brands:
- Communicate across these platforms seamlessly
- Extend their reach
- Track customers’ data and protect it
- Understand customer behaviors better
These apps will still appear as standalone platforms, but they’d be merged in the back-end so that it’s easier for brands to talk to customers wherever they spend time online.
But even with all of these benefits, there’s been pushback. Mainly, regulators are worried about how user data will be shared across these three platforms. Plus, with the amount of user data collected every day, end-users are also concerned about how their data’s being utilized. In fact, a recent report by the Travelers Consumer Risk Index found that “consumers are more concerned about the security of their private information and personal data than their physical well-being.”
With growing concern for how user data is used and stored, what are you doing to manage your data security best practices so that they’re in line with user expectations and industry standards? How do your best practices need to change? Facebook is an extreme example, but small-medium businesses (SMBs) like yours need to take these precautions, too.
To help you figure out the answers to these questions, here’s what you need to know about managing your data security best practices.
Understand how GDPR affects your customers
The Data Protection Act (DPA) of 1998 was established to help companies manage data and user privacy. But with the constant changes to technology and new types of data being collected, the DPA didn’t go far enough to protect user data or require brands to explain how that data was used.
The General Data Protection Regulation (GDPR), first introduced in 2016 and in effect since May 2018, gives users more power over how their data is used. Now when they visit EU-based websites, they’re greeted with a notice explaining that their information will be stored and used, as on the news site Express:
Before accepting these terms, users have the option to see what types of data are collected:
If they agree with how their data will be used, in some cases, users can accept or reject access to their information:
Not all sites go into as much detail as Express does, but its approach clearly gives users the power to decide what they share with the site.
In order to adhere to GDPR guidelines, you have to understand how it impacts your data security best practices. Let’s say you own an e-commerce store and collect data like customer location and credit card information. According to the new rules of GDPR, here’s what your best practices have to include when users give you permission to collect information as they browse your website:
- Practice quick reporting when data breaches occur. You have 72 hours to inform the Information Commissioner’s Office (ICO) of a breach. Then you have to tell customers what’s happened and explain the extent of the breach. For example, if credit card numbers are stolen, let customers know so they can tell their bank.
- Document the types of data you collect and why. This allows for more transparency for how data’s used, how long it’s kept, and what information is collected.
- Monitor your processes regularly. Have a dedicated person or team responsible for this—this usually falls to the IT team to manage. They should provide regular reports so that inconsistencies can be spotted early on. In some cases, it can take upwards of 191 days before a breach is noticed. Regular monitoring helps avoid this lag.
- Give users access to their information when they request it. Customers have more power and say in what data is collected and how it’s used. For example, if a customer receives an order with another customer’s purchase, they can submit a Subject Access Request (SAR) to you. You need a process in place for when data will be shared—within a month of receiving a request—and what the report you share with customers will look like. For example, create a standardized report.
- Make it easy for users to lodge complaints. Complaints happen when there’s a concern about data security best practices. You have up to three months to settle the complaint. Include information on your website so it’s clear to customers how to submit their complaint.
GDPR has been in effect for almost a year. While the ICO might have been understanding when the regulation first rolled out, make sure your data security practices are now up to date, to avoid complaints and fines, and that you’re prepared to handle user inquiries.
Ensure mobile messaging platforms are compliant
Estimates show that there’ll be approximately 53.96 million monthly active smartphone users by 2022. This growth is why more companies choose to send information and updates via mobile messages vs. relying heavily on outbound call campaigns and direct mail.
If you’re a company that uses a cloud-based platform to send bulk mobile messages, keep in mind that you’re sharing end-user data with them when you do.
For example, Capita, a business process management and outsourcing company, sends interactive voice messages (IVM) and rich media messages (RMM) with our platform to its clients as a way to improve customer satisfaction. To send messages about service outages and package delivery updates, Capita uses customer phone numbers and other basic information.
Michael Cheng, former Quality Insight & Strategy Manager at Capita, explains that, “Working with VoiceSage’s services enables us to help the client see what’s working for these deliveries and programmes, providing a useful feedback loop that gives them actionable insights.”
To avoid data security issues and secure user data, companies like Capita and others check that the platforms they use have a best-practice information security management system (ISMS) in place. Platforms with certification have gone through a rigorous review process, had an independent assessment of their data security best practices, and have shown that they meet international standards of risk management.
In 2018, we received our ISO/IEC 27001 certification. This has allowed us to give our users peace of mind because they know that we take data security as seriously as they do. There are three ISMS pillars that we adhere to:
- Regular risk assessment: We regularly review our “information security risks, taking into account the impact of security threats and vulnerabilities.”
- Manage security risks: We’ve “designed and implemented a comprehensive suite of information security controls to address security risks.”
- Ongoing audits: We “implement an overarching audit and compliance management process to ensure that the controls meet our needs on an ongoing basis.”
Every aspect of our product is in line with ISO/IEC 27001 to deliver quality service and best in class data security.
To lower your risk of experiencing data security issues, only work with providers that have ISO/IEC 27001 certification or any other applicable certification. This way, all the work you do to secure and manage customer data also applies to the tools you use to deliver your products and services.
Put emphasis on data encryption practices
As the Sony Pictures and Stratfor breaches showed, a growing number of data breaches are the result of a lack of encryption, such as end-to-end encryption for texts and emails. This oversight makes it easier for bad actors who intercept data to access personal user information like financial details, medical records, and more.
A survey by the Ponemon Institute found that “85% of the companies said that they experienced loss of personal information.” Yet, “only 54% subsequently implemented encryption.” What we’re seeing here is that it’s inevitable that businesses, big or small, will at some point be under attack and risk experiencing a data breach. Only a very small number of businesses, 27%, haven’t experienced a data breach but do have encryption in place.
To make sure you’re not making encryption mistakes that will affect how you communicate with customers, ruin your reputation, or cost you millions in fines, use these best practices to create process standards:
- Implement a key management process. Encryption is only as strong as the handling of its keys: make sure your encryption keys are stored securely, rotated regularly, and different for each type of data. Encryption and key management are a big part of what we offer our users.
- Regularly review encryption effectiveness. For example, check how long it takes to encrypt data. If it takes longer than expected, change the settings or the tools you use to fix the problem.
- Keep a log and audit reports. These reports make it easier to quickly identify when an issue occurred and what data is affected.
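As an added illustration of these three points (example code written for this article, not code from the original post or from the VoiceSage platform), the Go program below keeps a separate AES-256-GCM key per data category, rotates keys while keeping older versions readable, and records every key operation in an audit trail. The category names, the 32-byte key size, the in-memory key store and the in-memory audit slice are assumptions made for the example; a production system would keep keys in an HSM or KMS and ship the log to a SIEM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyRing keeps a separate list of AES-256-GCM keys per data category ("payment",
// "location", ...); a key's position in the list is its version (1-based).
type KeyRing struct {
	keys  map[string][]cipher.AEAD
	Audit []string // constructed in-memory audit trail; a real one ships to a SIEM
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]cipher.AEAD{}} }

// Rotate installs a fresh random key; older versions stay so old ciphertext still opens.
func (k *KeyRing) Rotate(category string) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand; since Go 1.24 this is guaranteed not to fail
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	g, _ := cipher.NewGCM(block)
	k.keys[category] = append(k.keys[category], g)
	k.Audit = append(k.Audit, fmt.Sprintf("rotate %s v%d", category, len(k.keys[category])))
}

// Encrypt under the newest key. Output layout: version byte || 12-byte nonce || ciphertext+tag.
func (k *KeyRing) Encrypt(category string, plaintext []byte) ([]byte, error) {
	n := len(k.keys[category])
	if n == 0 {
		return nil, fmt.Errorf("no key for category %q: call Rotate first", category)
	}
	nonce := make([]byte, 12) // standard GCM nonce size; GCM must never reuse a nonce under one key
	rand.Read(nonce)
	k.Audit = append(k.Audit, fmt.Sprintf("encrypt %s v%d", category, n))
	return k.keys[category][n-1].Seal(append([]byte{byte(n)}, nonce...), nonce, plaintext, []byte(category)), nil
}

// Decrypt reads the key version from the blob; the category is bound as associated data, so a
// blob presented under the wrong category fails. The attempt is logged before the outcome is known.
func (k *KeyRing) Decrypt(category string, blob []byte) ([]byte, error) {
	if len(blob) < 13 || blob[0] == 0 || int(blob[0]) > len(k.keys[category]) {
		return nil, fmt.Errorf("malformed blob or unknown key version for %q", category)
	}
	k.Audit = append(k.Audit, fmt.Sprintf("decrypt %s v%d", category, blob[0]))
	return k.keys[category][blob[0]-1].Open(nil, blob[1:13], blob[13:], []byte(category))
}
```

Because failed decrypt attempts are logged as well as successful ones, the audit trail doubles as a detection signal: a burst of "decrypt" entries that do not match application activity is worth investigating.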
When it comes to encryption, it’s best to have it in place before there’s an issue—because chances are there will be one—instead of waiting until after there’s a breach when you have more to lose. In the case of Sony Pictures, they spent about $35 million to fix their IT system and suffered considerable embarrassment from the leaked emails.
You spend a lot of time making sure your data security best practices follow industry standards and that the tools you use meet the same compliance standards customers expect from you. Make sure this hard work isn’t in vain: encrypt the data.
Shoring up your data security best practices
It seems data security is one of those things brands think about after there’s an issue. Waiting to fix the problem at this point isn’t just time consuming, it’s costly.
By taking the time to understand how GDPR works and how it impacts your customers, how the tools you use comply with industry standards, and how you encrypt data, you’re in a much better position to foster great customer trust and practice transparency.
Giving your end customers peace of mind that their data is safe and secure goes a long way to establishing yourself as a brand people want to do business with.
Published on: 19th March 2019