How to Build a Customer-focused Data Protection Policy in 2018? [Marketing]

This article was published by MarTech Advisor and curated by Closer Spot. Be sure to check out other Closer Spot news and advice to help you win more business.

As a marketer in the customer-first digital age, a data protection policy is not enough – you need a customer-focused data protection policy that is as user friendly as it is safe.

Sometimes, it is important to think like a customer, even if you are a seasoned marketer.
There is no doubt that customers are sharing increasing volumes of personal data across multiple aps, devices and platforms. They do so willingly, given the convenience the apps offer in terms of quick payments, home delivery and visibility.

The relentless cycle of the data lifecycle of today’s digital customer:
Share data (Knowingly/Unknowingly) to use preferred apps–> Apps use the data to deepen your engagement –> Share more data --> get deeper into the cycle

But what if customers’ were made aware, before they shared their data, in clear and loud terms, that all this very personal data could be easily accessible and hackable. How do you think they would react?

The onus is on businesses to focus on having a strong data protection strategy that prevents sensitive information while also ensuring that customers are not being made to jump through hoops to help marketers comply. A customer-focused data protection policy can offer a real competitive advantage. But it must be approached from the users’ perspective: in other words, you need a customer focused data protection policy that is as rooted in best practices and regulations as it is in the overall customer experience. Safety cannot come at the cost of user experience.

Dave Dague, EVP of Marketing for Consumer Identity Management expert at Infutor feels, "Brand reputation increasingly hinges on direct consumer engagement and the brand's accessibility to high quality data. A data provider's careful consideration of data privacy, security, adherence to regulations and the care and cleansing of consumer data can make or break a business’s marketing success in the digital age.”

Chris Rothstein, CEO at Groove comments, “The sheer volume of customer data between B2Bs and B2Cs is of a different scale. While B2Cs can have data on millions of customers, that isn’t as common with B2Bs. As B2Bs start to obtain more customer data, they will need to find a scalable system such as those of B2Cs. B2Cs are typically ahead in customer choice: B2Cs have always allowed customers to opt out of tracking, for example. With regulations coming in place, B2Bs will need learn how to put the customer choice first and allow them to opt out of things such as data collection or tracking. While this is more B2C relevant, it is becoming increasingly more common for B2Bs."

Some obvious but overlooked tips for a stronger data policy -by Chris Rothstein, CEO at Groove:
“With the EU GDPR going into effect in May 2018, data protection is on the mind of every business leader. The essentials of a strong data protection strategy are outlined in the GDPR, and heavily revolve around personally identifiable information. Ways to help protect this information includes:
  • Allowing only certain people to access specific data
  • Doing back-ups and both intrusion and compliance testing
  • Put the right processes and procedures in place for access controls
  • Hiring controls - background checks when hiring, and shutting down accounts when an employee leaves
According to an estimate from IBM, the average cost of security breaches has now climbed to $4 million per incident—up nearly 30 percent in a few short years.
A report from the TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index found that more Americans are worried about their data privacy than they are about losing their primary source of income!

MarTech veteran, Founder of the CDP Institute, and MarTech Advisor Category Expert David Raab shares, “Most data protection occurs behind the scenes, where companies need to be careful to patch servers, manage employee access, check for intrusions, and take care of other basic security tasks.  Most customers are probably quite content to comply with the more stringent customer-facing security tasks such as replying to a confirmation message before being allowed to access their account from a new device.

The customer-facing issues have mostly to do with collecting data and permissions.  The details of complying with GDPR are quite complex and it will be a challenge for marketers to come up with customer-friendly ways to implement them.  Of course, this is exactly the intent of the legislation, which should discourage unnecessary collection by making all collection more burdensome.  There is some “throwing the baby out with the bath water” going on here, but presumably marketers will be up to the task of making necessary data collection achievable.  It’s also worth noting that “privacy by design” principles should mean that new systems have more privacy-supporting features built in, which should simplify subsequent use of those systems.  The one thing companies need to be careful about is to not let the lawyers and data security folks take control of the user experience.  They have different priorities that will almost guarantee a poor user experience.

A less-mentioned aspect that’s close to my own interests is that much personal data is now collected but not used because it’s trapped in the system that collected it.   New regulations require companies to be able to tell consumers what data the company has collected about them, which has the benefit of forcing companies to identify that information and assemble it in a single place or, at least, build connectors to gather it from dispersed operational systems on demand.  This will move companies quite closer to creating the long-sought complete view of each customer.  Marketers will benefit greatly from this, especially in the large majority of organizations that haven’t been willing to make the necessary investments.”

Here is how you can ensure your data protection policy is truly aligned to a great user experience: 

1. Define what ‘personal data’ and ‘sensitive personal data’ means to your business

Depending on the size, nature and category of your offering; the kind of data that a particular business considers sensitive (and the quantum of it) would differ. Personal data by and large usually refers to information on an actual living individual. Another layer is the ‘sensitive’ part of this data. For some companies, ‘sensitive’ data could include race, religion, political preferences, and so on.

2. Audit and Monitor the inflow of data

Data is being collected across devices, apps, touchpoints, functions and geographies. While collecting all this data, some key considerations to ask yourself:
-what data are you collecting and why?
-what are the sources of this data? Is each source safe?
-is every touchpoint along the customer’s journey secure enough for the exchange of personal data?
-is data collection across all touchpoints, geography, vertical and function a consistent experience?
-is the data collection policy consistent for all functions, verticals, LOBs and geographies?
-what else can be done to smooth the data collection experience at every stage while still ensuring there is no chance of even a minimal leak or vulnerability.

3. Monitor how you store data

A customer-centric data protection policy will ensure not only a smooth data collection experience but also a smooth data-access experience anytime, anywhere that the customer demands; while ensuring the access control and safety of the data through all the flows and access points.
Choosing the most relevant storage option would be determined by various factors like:
-the number(s) of access points required;
-how crucial is data access to the running of your day to day business?
-what resources are available for your business to properly manage data in-house
-how much integration is required between multiple technology tools and solutions used by the business

4. Regularly refresh the data

How much data do you need to store and for how long? A customer -focused data policy ascertains the customer preferences before imposing a solution.
Consider what customers prefer doing - reentering sensitive financial details with each transaction or having the details stored with you. While having auto-debit instructions is great for your sales targets, consider the tradeoff with the security measures installed and where a breach could wipe you out of business permanently.
The risks of a data breach could outweigh any convenience customers may get by checking-out with their stored data in certain verticals and industries. Let them know.

5. Restricted access and control

Restricting access of sensitive customer data can in many ways contribute towards a wholesome data protection policy while reducing security risks. Customers need to be educated about how much information they can safely share with various representatives of the company.

6. Educating all stakeholders

Business stakeholders - suppliers and distributors, logistics companies, and of course customers themselves – are all a crucial part of the marketer’s ecosystem.
Very often, customers or other business partners themselves inadvertently give our details to misusers who then find their way into the system and are able to cause havoc based on those ill-gotten access details.
Educate them by making the probability of risks clearer, detailing safety measures, and holding them accountable for their own data protection to a certain extent.
A customer-centric data protection policy entails consistent detailing that can be beneficial across multiple touchpoints.
Have a documented operating plan in place when trouble strikes, so it’s easier to keep customers informed and help them protect themselves if a breach does occur.
Prevention is better than cure. This is why your own banking network will often caution you against common security risks and fraud, to keep you from falling prey to it.

7. Technology and encryption practices

Most ecommerce websites use SSL encryption technology to protect online shoppers and their personal information. This is usually implemented at the checkout stage to make the checkout process more secure. If a website is properly encrypted, no one else will be able to see the information you have shared. If your entire online store (website) is encrypted, it means that no matter what page your customer is on, they’ll be browsing securely. This in turn makes your customers feel more secure browsing through your website and limits the chance of online fraud affecting them or their sensitive data no matter the device they are logging on from, at least while they browse your website.
Those organizations that haven’t reviewed or updated their encryption practices are often vulnerable to attacks. Try establishing a regular schedule to see that your current encryption technology and practices are as up-to-date as possible.

8. Constant and transparent communication with customers

Let customers know their information is safe;instead of burying details in a complicated privacy statement that most customers won’t take the time to read. Look at it as a marketing tool. The greater the effort you put into making sure your customers feel happy, engaged and safe, the greater the overall level of consumer comfort. And that can benefit your bottom line.

9. Internal training and compliance of all employees

It’s not just a policy but a safety mindset that needs to be created: so training, refresher courses, surprise checks and audits, as well as ensuring you work with your CX team to ensure that the overall customer experience is not suffering by all the security checks and measures is a necessity. Customer privacy is everyone’s business after all.

Dave adds, Today's omnichannel marketing relies on the vast linking of platforms, consumer identities, and consumer interest data.  Each of the thousands of websites, mobile apps, and other platforms that delivers user data is in some way a data provider and therefore has certain obligations related to privacy – like providing disclosures and ways to “opt out.” Marketers must make sure that key privacy and disclosure practices are in place and that data is handled responsibly.  Customer data protection strategies should include:
  • Clear privacy policies and opt out instructions
  • Standard policies help reassure the security of the platform and data,
  • Detailed security protocols, including annual audits and penetration testing, incident response plans and data security protocols,
  • Use of data minimization so data that is no longer useful is deleted.  Service providers should delete consumer data once campaigns or services are concluded, or after 30 days.  This mitigates potential damage and embarrassment from data breaches, leakage or misuse."
With an increasing number of data security threats (Remember the Equifax breach and then the more recent Uber fiasco?) – most of these mishaps involved the leak of sensitive customer information. With an ever increasing number of touchpoints and customer data collection practices across devices, it is more important than ever for businesses to first understand the difference between a generic data protection policy and a customer-centric one.

With the help of the tips above, business leaders can ensure that their data protection practices are not only legally compliant but customer-friendly too, thereby adding a significant boost to the overall customer experience. More often than not, data collection and protection matters are overlooked but that’s where marketers can fill a lag and make it a key component of their practices thereby also gaining a competitive edge.