How to vaccinate your data from potential exposure
Brands should take preventative measures to protect their businesses from costly mistakes and survive in a highly competitive industry.
Just as our bodies need a balanced diet, exercise and regular check-ups to stay in optimum condition, data needs routine maintenance, too. Yet, more than 50 percent of companies aren’t taking the health of their data seriously, thereby running the risk of breaching data regulations and disrespecting consumers’ data privacy.
Given the changing data landscape – such as the arrival of the General Data Protection Regulation (GDPR) and the Consumer Privacy Act – it is critical that companies implement strong data governance. Healthy data not only paves the way for technological advancements in fields such as Artificial Intelligence (AI) but will also lead to more robust customer relationships.
To retain the favor of increasingly privacy-conscious audiences, and stay ahead of competitors, businesses should explore how they can vaccinate data stores from a potential threat.
So, what are the key data pitfalls marketers should look out for and — perhaps more importantly — how can they improve security practices to avoid them?
Step into the clinic, the data doctor will see you now.
Symptom 1: Insufficient data knowledge
In an increasingly complex industry where brands habitually use multiple vendors to manage vast volumes of data, it is becoming harder for marketers to maintain a firm grasp of all the information they have access to and that can create unintended issues from a privacy standpoint.
It is imperative that businesses disclose — with full transparency — how, what and why they intend to collect and store consumer data, as well as requesting explicit consent to do so. Therefore, it is possible that without a robust understanding of what third-party data vendors are collecting and storing, marketers may inadvertently breach data privacy regulations. Similarly, without appropriate measures in place to close doors to data stores, there is a risk that data may be exposed unwittingly.
Prescription: Develop a comprehensive on-boarding process for new vendors to include the signing of a contractual data protection agreement and creation – or update – of a data flow diagram to include vendors. On-boarding should also cover updating privacy notifications and contracts to include a thorough list of all data collection points. Furthermore, customers must be given the opportunity to explicitly opt-in to data sharing.
Symptom 2: Asymptomatic data leaks
Data leaks that have the potential to go unnoticed could be the most volatile type of breach, as marketing professionals can remain unaware there is a problem until it’s too late.
Typically, they occur when companies overlook the core aspects of technology housekeeping such as leaving implementations enabled after a campaign or vendor relationship has ended. The consequence of doing so is that, unbeknown to the organization, data remains in a state of free-flow and can mean inadvertent disclosure of Personally Identifiable Information (PII).
Various implementations – such as connectors between applications – can be deployed for a range of purposes, from facilitating interaction between websites to integrating third-party content and enabling third-party data collection. But the simple oversight of leaving implementations enabled may allow third parties to continue collecting data without permission. This would mean vendors are sharing data with other parties that are not named in the brand’s GDPR-compliant privacy notice. Inevitably, this means not only that the original brand contravenes data privacy legislation but also that the third party is put in contravention by proxy.
Prescription: Build a strong campaign and vendor off-boarding process in which disabling implementations is a predominant feature, and raise company-wide awareness of the potential repercussions of failing to do so. If possible, marketers should implement a process or platform in which tags and integrations are managed centrally and automatically disabled after a set date. This would act as a sure-fire way to ensure data is not being shared with third parties without the consumer’s consent.
Symptom 3: Unauthorized data access
Individual applications — such as a CRM, email system or marketing automation system — can give employees direct access to PII, including the ability to integrate other systems or download the data to their own devices. While this may be essential for some roles, it might not be for others. And GDPR states that data access should be relevant. Granting staff sight of data that is irrelevant to their role cannot be justified.
There is also the possibility that those in receipt of unlimited access may inadvertently open up channels for third parties to take advantage of consumer data without their consent. Similarly, if data is downloaded to personal devices, brands may be unable to ensure the information is sufficiently protected by network encryption, a secure password or cybersecurity software. If the personal device were to be stolen or misplaced, reams of valuable data might wind up in the wrong hands. Plus, there is the chance unscrupulous employees could leak vital data for personal gain.
Prescription: Access to data should be granted to employees on an as-needed basis, not by default. Businesses should draw up strict internal data policies and staff contracts to notify employees of the data they have permission to access in their specific roles, as well as the consequences of accessing information they are unauthorized to see and use; there is software available to assist with privacy and consent management, and help make this a simple process. Equally, organizations should take steps to ensure that business insurance covers a data breach in the event that the leak happens as a result of the loss or theft of a personal mobile device. To minimize the risk, companies could implement a policy that prohibits staff from loading data onto personal devices, alongside details of the consequences of contravening the policy.
In the same way we vaccinate ourselves against infection, brands should take preventative measures to protect their businesses from costly mistakes, as well as ensuring they survive and thrive in a highly competitive industry. The changing legal landscape is sure to cut the wheat from the chaff when it comes to championing data privacy, so it’s best to be prepared. Besides, prevention is always better than cure.
Opinions expressed in this article are those of the guest author and not necessarily MarTech.