Last year, a Verizon Data Breach Investigation Report showed 61 percent of cyber attacks targeted small businesses. 60 percent of those businesses that experienced a data breach folded within six months. What can your company do to avoid data disaster while also gaining your customers' trust?
The principles of data privacy are straightforward, even if the means of putting them into action are not. Your customers expect, at a minimum:
- transparency in what data you collect and how you will use it.
- the opportunity to opt-in (or out) of certain usage practices.
- notification of breaches.
- a method to permanently remove their information if they later opt out.
The individual has an absolute right to control how the data they share with your business is used--so you should protect user data and your customer's right to transparency around how that data is collected and used.
No national privacy framework exists (yet) in the United States. The European Union enacted the General Data Protection Regulation (GDPR), Canada has a national mandate to regulate data use, and many U.S. states have already proposed frameworks in 2019.
You can get ahead of the curve by adopting a few best practices now to protect your customers' data and maintain their trust in the future. Start implementing these four strategies today:
1. Store your customers' data securely and handle it responsibly.
At my company, Kabbage, we have more than two million live data connections with over 170,000 small business. We start by taking stock of our data inventory.
Identify the types of data you collect and store, and the business tasks attached to each. If the data collected identifies a particular individual, this data is considered personal information and requires special care and proper protections.
Protect personal data such as email addresses, phone numbers, passwords and login credentials (if your business has access to such data), social security numbers and financial information. At a minimum, customer-provided data should be stored in a password-protected environment, accessed only via secure, encrypted networks like a VPN, and limited to authorized company devices and authorized employees.
Your employees should have access only to the data they absolutely need to complete their tasks. They should know what constitutes acceptable uses. Outline this in your company's internal policies and procedures.
2. Be transparent with your customer: What data do you collect and why?
When getting your business up and running, privacy might be an afterthought. I was once asked for my Social Security Number when purchasing a sofa--a clearly unnecessary request!
Now that you know the type of data you are collecting, be sure your customer knows, too. Does your website have a privacy notice? Does it clearly explain the data your customers are giving you permission to access or store, and why it is required for the transaction?
Make sure your data practices align with your privacy notice.
3. Delete customer data upon request.
Some small-business CRMs allow you to delete or anonymize customer data. Consider adding or using this feature.
Include in your privacy notice a way for customers to easily request their data be removed from your systems and respond to verified requests promptly. This can be as simple as an email and a phone number to call with a specific request.
Your customers' right to withdraw data is your responsibility to respect (and it's likely to be included in any future national and state privacy laws). The practice also reduces storage costs and keeps your database neat and current.
4. Borrow existing protections for payment data.
Payment processors and e-commerce sites have pioneered effective and secure management of customer data. Your best bet is to choose a reliable service provider that can extend that protection to both you and your customers.
From my own company's experience building a payments systems for small businesses, I can encourage you to insist on point-to-point encryption to thwart hackers. Use tokens instead of passing cardholder data, and EMV or chip cards to protect your business against the risk of fraud. Unique pay URLs can offer secure transfer on invoices, and remote deposit allows you to shred checks promptly.
Take proactive steps to manage your customers' data responsibly, and offer them full autonomy over their data. Responsible handling of customers' data is the right thing to do--and it can protect your business against costly exposure and reputational risks.
Plus, it cultivates customer relationships built on transparency and trust. Nothing's better than that.