Whether the issue is intentional or the result of negligence, the response from your customers will be the same: They’ll feel betrayed.
We’re talking about data privacy, and users today are savvier than ever when it comes to understanding — and acting on — issues that reduce their privacy and expose their personal information.
Personally identifiable information (PII) refers to a combination of data points that can be used to verify, or to impersonate, an individual’s identity. For example, on its own, a Social Security or cellphone number is just a string of digits. When paired with your name or date of birth, however, this information can be quite consequential.
Handling PII demands the strongest controls, including secure storage and encryption as well as robust policies for its management and destruction. PII isn’t the only kind of customer data that needs to be protected, though.
Data privacy concerns and priorities vary by industry, with special measures required for financial services companies, biotechnology firms and organizations in other sectors. Across the board, however, businesses should take the security of their data very seriously for two principal reasons:
- Maintaining compliance.
- Preserving their reputation and earning the trust of their customers.
Take the story of Facebook and Cambridge Analytica, for example. When it was revealed that users on the social media platform had their data harvested in association with election-related advertisements, many customers were not pleased. On top of the public relations issue, NPR reported in 2019 that Facebook consented to pay a U.K. agency approximately $643,000 in penalties stemming from the incident. As we’ve learned in situations like these, individuals want to be assured not only that their data is being protected but also that it’s only being leveraged for purposes they agree with.
Oftentimes, regulations can lag behind consumer sentiment. That’s why it’s best to take a customer-centric approach to data privacy.
The writing is on the wall. Undoubtedly, you’ve heard of the recent T-Mobile breach. According to Bloomberg Law, the wireless carrier is being sued, with the plaintiffs alleging a violation of the California Consumer Privacy Act (CCPA).
The reach of such incidents can be long, with subsequent headlines only further impacting an organization’s brand identity. Experian has faced multiple incidents. In one recent example from 2020, the South African Banking Risk Information Centre indicated that as many as 24 million residents of the country had their data exposed.
When businesses are found to be noncompliant, the penalties can be steep. According to Bloomberg, one of the largest fines so far for a violation of the European Union’s General Data Protection Regulation (GDPR) was levied against Amazon in July 2021. The price tag was $888 million.
With your good name and your bottom line at stake, it’s past time to take data privacy seriously.
How data privacy concerns vary by industry
Not all data is subject to the same guidelines.
For example, companies that handle consumer debit or credit card data for payment processing need to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). This regulation includes granular details relating to how protected payment data is captured, handled and stored. While it’s an essential standard for organizations that handle card payments, business-to-business (B2B) companies that don’t come across such data may not need to worry about the guidelines.
Another key consideration is to determine the geography in which you operate. An international airline with service to Europe, for instance, will certainly have to adhere to GDPR rules. Such regulations, however, largely don’t apply to smaller, local businesses that have no commercial footprint in the EU.
Nevertheless, all companies are beginning to realize that strong data privacy safeguards can be an essential selling point for consumers and corporate partners alike. If you’re involved in a request for proposal (RFP) process, be prepared to compete against other bidders at least partially on the basis of your data policies and your security track record.
The evolving landscape of data privacy regulations
As we’ve mentioned, data privacy is a dynamic concept, and the regulations are always evolving. Direct fines for noncompliance are only part of the expenses you could incur. You might also face costly fallout in the form of reputational damage, operational losses resulting from a breach and legal fees due to an alleged infraction.
Payment Card Industry Data Security Standard (PCI DSS)
One leading regulation that helped to set early benchmarks for data privacy was the PCI DSS. This industry-standard regulation sets fines for noncompliance, and repeat offenders may even be banned from processing specific card types. The rules also become more stringent for companies that process higher volumes of transactions. The principal guidelines of the PCI DSS center on ensuring secure, limited access to data, mandating encryption, encouraging archiving best practices and setting rules for removing outdated customer or member records. Compliance is monitored through third-party assessments.
Gramm-Leach-Bliley Act (GLBA)
This is a U.S. federal regulation focused on banks and financial institutions. It includes guidelines related to consumer data privacy, and banks are required to maintain compliance.
General Data Protection Regulation (GDPR)
In the EU, the GDPR was a trailblazing regulation. With the authority and willingness to assess large fines against some of the most powerful companies in the world, Europe’s agencies have shown that data privacy enforcement is possible on the world stage. The guidelines focus on data security and privacy, including rules related to the destruction and deletion of information.
The California Consumer Privacy Act (CCPA) and state-level legislation in the US
While California has led the way for American data privacy laws, it certainly won’t be the last state to take a stand on issues related to the secure capture, storage and destruction of data. As of September 2021, the International Association of Privacy Professionals (IAPP) noted that privacy legislation had also been signed in Colorado and Virginia. Elsewhere, bills were in motion, and some states had created task forces on the subject.
The Health Insurance Portability and Accountability Act (HIPAA)
This federal United States regulation applies specifically to health care as well as to the life sciences, biosciences and related fields. Some of the act’s components pertain specifically to security and privacy concerns for protected health information (PHI).
If you’re interested in finding out how CFGI can help you elevate your data privacy policies, contact us today for a free 30-minute consultation.