With businesses facing fines of up to €20m or 4% of worldwide annual turnover, whichever is higher, for a serious breach of the GDPR, it pays to take steps to protect customer data.
Nearly all businesses generate or collect data about their customers. The customer information you process and store is valuable – and not just to you. Hackers and criminals are interested in getting their hands on this sensitive data.
The General Data Protection Regulation (GDPR) has strict rules on how customer data is collected, stored and accessed. A key part of the GDPR requirement is the protection of customer data: information must be stored and processed securely so that it doesn't fall into the wrong hands.
A security breach can be expensive. A 2018 report by IBM found that data breaches in the UK cost an average of £2.7m, with an average cost of over £110 for every customer record lost or stolen.
How to protect customer data – steps to take
1. Know what data you hold about customers
You cannot protect what you don’t know. It’s important to audit all the personal information that you hold about customers. Data can range from contact details such as name, address, email and telephone numbers to financial information such as credit card details. Audit what data you hold, how you obtained it and the consents you obtained from customers about its use. Determine where and how it is stored, and who has access to data. Identify problem areas, such as data being stored without encryption, and take steps to fix them.
2. Collect only essential customer data
Collecting unnecessary data breaches the GDPR's data minimisation principle. Determine what customer information you need and for what purpose. For example, don't ask customers for their date of birth if you only need their email address. Collecting only essential information means there is less to lose should you face a data breach.
3. Delete data once you’ve finished with it
So that you only have to protect essential information, regularly review the customer data you hold against a written retention period. Update data, remove duplicates and delete information that is no longer required. Dispose of paper and electronic waste properly. Shred paper documents and securely erase electronic files. Simply moving emails, documents and other files to the computer's trash bin does not permanently delete them, and even an ordinary delete usually leaves the contents recoverable on the disk until they are overwritten; for laptops and SSDs, full-disk encryption is the dependable way to make discarded data unreadable.
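The retention review and deletion described in step 3, as an added example that is not part of the original article. It assumes a hypothetical record store of one JSON file per customer, each carrying a `last_activity` date, and an assumed policy of deleting records 24 months after the last activity; the sample records are constructed for the demo. Expired files are overwritten before being unlinked, which is better than moving them to the trash, with the SSD caveat noted in the code.

```python
"""Retention enforcement over a customer record store (added example).

Assumptions (hypothetical, not from the article): records are JSON files named
<customer_id>.json in one directory, each with a 'last_activity' ISO date, and
the retention policy is 24 months (730 days) after last activity.
"""
import json
import os
import tempfile
from datetime import date, timedelta
from pathlib import Path

RETENTION_DAYS = 730  # assumed policy: delete 24 months after last activity


def expired_records(store: Path, today: date,
                    retention_days: int = RETENTION_DAYS) -> list[Path]:
    """Return the record files whose last_activity is older than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for path in sorted(store.glob("*.json")):
        record = json.loads(path.read_text())
        if date.fromisoformat(record["last_activity"]) < cutoff:
            expired.append(path)
    return expired


def secure_delete(path: Path) -> None:
    """Overwrite the file's bytes with random data, flush to disk, then unlink it.

    Caveat: on SSDs and on journaling or copy-on-write filesystems the old
    blocks may survive the overwrite. Full-disk encryption with key destruction
    is the reliable route there; overwriting still beats a plain delete or the
    trash bin, which leave the contents intact.
    """
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def purge_expired(store: Path, today: date) -> list[str]:
    """Delete every expired record and return the names of the files removed."""
    deleted = []
    for path in expired_records(store, today):
        secure_delete(path)
        deleted.append(path.name)
    return deleted


def demo() -> dict:
    """Build a constructed store in a temp directory, run the purge as of
    2024-01-01 and report what was deleted and what remains."""
    store = Path(tempfile.mkdtemp()) / "store"
    store.mkdir()
    sample = {  # constructed sample records
        "c1001.json": {"name": "A. Example", "last_activity": "2019-03-01"},
        "c1002.json": {"name": "B. Example", "last_activity": "2023-11-15"},
        "c1003.json": {"name": "C. Example", "last_activity": "2020-12-31"},
    }
    for name, record in sample.items():
        (store / name).write_text(json.dumps(record))
    deleted = purge_expired(store, date(2024, 1, 1))
    remaining = sorted(p.name for p in store.glob("*.json"))
    return {"deleted": deleted, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

With a cutoff of 1 January 2022, the 2019 and 2020 records are purged and the 2023 record is kept. In a real deployment the retention period belongs in the same written policy the customer sees in your privacy notice, and the purge run itself should be logged so you can evidence it.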
4. Encrypt data and protect customer data in transit
Data should be held securely. This means encrypting data at rest, on servers, laptops and backups alike, and keeping the encryption keys separate from the encrypted data, in a key management service or at least not on the same disk or in the same repository. If an encrypted disk or file is stolen or lost, the thief cannot read it without the key; if the key was stored alongside it, the encryption achieved nothing. Use an authenticated mode such as AES-GCM so that tampering with the stored data is detected, not just concealed. Data is also at risk when it moves from one system to another, such as when customers pay by card on your website. Protect your website with a TLS certificate (the successor to SSL, which is obsolete and should be disabled) and ensure every page and API is served over HTTPS, including redirects from plain HTTP, so that all data in transit is encrypted.
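Encryption at rest as described in step 4, as an added example that is not from the original article. It uses AES-256-GCM from the third-party `cryptography` package (install with `pip install cryptography`); the key is generated in memory for the demo, standing in for a key held in a key management service, and the customer record is constructed. The customer ID is bound into the ciphertext as associated data so that a record encrypted for one customer cannot be silently re-filed under another.

```python
"""Encrypting a customer record at rest with AES-256-GCM (added example).

Requires the third-party 'cryptography' package. Assumptions (hypothetical):
the key normally comes from a KMS or a secrets manager, never from the same
store as the ciphertext; here a fresh key is generated for the demo.
"""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce recommended for GCM


def encrypt_record(key: bytes, record: dict, record_id: str) -> bytes:
    """Return nonce || ciphertext || tag for a JSON-serialised record.

    record_id is passed as associated data: it is authenticated but not
    encrypted, so moving the blob to a different customer's row is detected.
    """
    nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, record_id.encode())
    return nonce + ciphertext


def decrypt_record(key: bytes, blob: bytes, record_id: str) -> dict:
    """Inverse of encrypt_record. Raises InvalidTag on a wrong key, a wrong
    record_id or any modification of the stored bytes."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plaintext = AESGCM(key).decrypt(nonce, ciphertext, record_id.encode())
    return json.loads(plaintext)


def _rejects(key: bytes, blob: bytes, record_id: str) -> bool:
    """True if decryption refuses the blob (the failure mode we want)."""
    try:
        decrypt_record(key, blob, record_id)
    except InvalidTag:
        return True
    return False


def demo() -> dict:
    """Round-trip a constructed record and show that tampering, re-filing the
    blob under another customer, and using the wrong key are all rejected."""
    key = AESGCM.generate_key(bit_length=256)   # stand-in for a KMS-held key
    record = {"name": "A. Example", "email": "a@example.com",
              "card_last4": "4242"}  # constructed sample record
    blob = encrypt_record(key, record, "c1001")

    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the tag
    other_key = AESGCM.generate_key(bit_length=256)

    return {
        "roundtrip": decrypt_record(key, blob, "c1001") == record,
        "plaintext_visible": b"a@example.com" in blob,
        "tamper_rejected": _rejects(key, tampered, "c1001"),
        "swap_rejected": _rejects(key, blob, "c1002"),
        "wrong_key_rejected": _rejects(other_key, blob, "c1001"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the three negative cases is that "encrypted" on its own is not a guarantee: an unauthenticated mode would decrypt a tampered blob to garbage without complaint, and a blob stored without the customer binding could be re-filed under the wrong account. Rotate the key periodically and whenever someone with access to it leaves.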
5. Securely back up customer data
Set up a regular schedule for backing up data to a secure location, with the backups encrypted both in transfer and where they are stored. Keep at least one copy offline or otherwise isolated from your main systems, so that ransomware or an attacker who has compromised those systems cannot destroy the backups as well. Put in place a data recovery plan should you lose access to your data system, and test restoring from backup regularly: a backup you have never restored is an assumption, not a plan.
6. Limit access to protect customer data
Not everyone in your company will need full access to customers' personal information. Give each role access only to the fields it needs to do its job: a support agent may need a customer's name and email address but has no reason to see card details. Create guidelines on how data is shared with third parties, such as partners and suppliers, and on who can access customer data and in what circumstances. Log every access to customer data, including refused attempts, so you can see what was accessed, by whom and for what purpose, and review those logs rather than merely collecting them.
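Field-level, role-based access with an audit trail, as described in step 6, as an added example that is not from the original article. The roles, the field allow-lists and the customer records are all constructed for the demo; a real deployment would take the caller's identity and role from your authentication system rather than from function arguments, and ship the log entries to a store the application cannot rewrite.

```python
"""Least-privilege gate over customer records with an audit log (added example).

Assumptions (hypothetical): three roles with field allow-lists, a dict of
customer records, and callers whose user name and role are supplied by an
upstream authentication layer that is not shown here.
"""
import json
from datetime import datetime, timezone

# Assumed policy: each role sees only the fields its job needs.
ROLE_FIELDS = {
    "support":   {"name", "email"},
    "finance":   {"name", "card_last4"},
    "marketing": {"email"},
}

# Constructed sample records.
CUSTOMERS = {
    "c1001": {"name": "A. Example", "email": "a@example.com", "card_last4": "4242"},
    "c1002": {"name": "B. Example", "email": "b@example.com", "card_last4": "0005"},
}


class CustomerDataGate:
    """Every read goes through read(); nothing else hands out record fields."""

    def __init__(self, records: dict, policy: dict = ROLE_FIELDS):
        self._records = records
        self._policy = policy
        self.audit_log: list[dict] = []  # in production: append-only external store

    def _log(self, **entry) -> None:
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

    def read(self, user: str, role: str, customer_id: str,
             fields: list, purpose: str) -> dict:
        """Return only the requested fields the role is allowed to see.

        A request for any field outside the role's allow-list is refused as a
        whole and logged; partial answers would let a caller probe the policy.
        """
        requested = set(fields)
        denied = requested - self._policy.get(role, set())
        base = dict(user=user, role=role, customer=customer_id,
                    fields=sorted(requested), purpose=purpose)
        if denied:
            self._log(**base, outcome="denied", denied_fields=sorted(denied))
            raise PermissionError(f"{role} may not read {sorted(denied)}")
        if customer_id not in self._records:
            self._log(**base, outcome="not_found")
            raise KeyError(customer_id)
        record = self._records[customer_id]
        self._log(**base, outcome="ok")
        return {f: record[f] for f in fields}

    def export_log(self) -> str:
        """JSON Lines, one entry per access, ready to ship to a log pipeline."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


def demo() -> dict:
    """One permitted read, one refused read, and what the log recorded."""
    gate = CustomerDataGate(CUSTOMERS)
    allowed = gate.read("alice", "support", "c1001", ["email"], "ticket 42")
    try:
        gate.read("bob", "marketing", "c1001", ["card_last4"], "campaign")
        refused = False
    except PermissionError:
        refused = True
    return {
        "allowed": allowed,
        "refused": refused,
        "outcomes": [e["outcome"] for e in gate.audit_log],
        "denied_fields": gate.audit_log[1].get("denied_fields"),
    }


if __name__ == "__main__":
    gate = CustomerDataGate(CUSTOMERS)
    print(demo())
```

The refusal is logged with the same shape as a success, which is what lets you later ask "who tried to read card numbers last month?" without a separate mechanism. Purpose strings are free text here; in practice tie them to a ticket or campaign ID so each access can be justified under the GDPR's purpose limitation principle.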
7. Educate employees
Employees can be the weakest link in protecting customer data. Staff who handle customer information must be kept up to date on how to avoid information accidentally landing in the wrong hands. Provide training on how to spot phishing emails, so that employees do not inadvertently install malware or hand their passwords to an attacker, and make it easy and blame-free to report a suspected phish, because the first report is what lets you warn everyone else.
Train staff about GDPR requirements, and limit the use of personal devices such as camera phones near computers that display sensitive customer data. Keep operating systems, applications and security software patched and up to date. Have staff use strong, unique passwords kept in a password manager, turn on multi-factor authentication wherever it is available, and require a password change when a compromise is suspected rather than on a fixed schedule, since routine forced changes tend to produce weaker, predictable passwords.
8. Prepare for the worst
Have a plan in place if the worst happens and you suffer a data breach. Know who you must contact to report a breach and act quickly. Under the GDPR you must report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected, and where the risk to them is high you must also tell the individuals themselves without undue delay. You must explain how the breach occurred, what is being done to contain it and the next steps you plan to take. Keep a record of every breach, including those you decide not to report. Acting promptly and documenting what you did is taken into account when any fine or penalty is assessed.