Who’s Guarding your Data and Protecting your Customers Privacy?

The Agile Monks
4 min read · May 19, 2018


If you think it’s your service providers, please think again!

While at first this may seem counterintuitive, please bear with us and you’ll understand why it’s absolutely true, even for the very best providers.

The TL;DR answer to who should be guarding your data is simple: it’s YOU! Your provider may actually handle that data, but in the end it’s up to you to make sure that data is collected, secured, and managed appropriately, including complete deletion upon request. Because at the end of the day, you, the business owner, are the responsible party should the data be exposed or the legal requirements surrounding it not be met.

Before you throw up your hands in despair, please realize that you don’t need a bachelor’s degree in Computer Science to understand the basic concepts and best practices presented here. Above all, Security, Privacy, and Compliance form a mindset: a way of looking at the world with an eye toward defending your business and your customers from hackers and from legal action alike.

Mac user connecting to a Bank Account and using an RSA Security Device

Security

While it’s tempting to lean on your service provider to secure your data, this is, in fact, a dangerous mindset to take. Your provider can handle and protect that data once it’s in their systems, but it’s you who determines how that system is used.

Do you reuse a password across more than one account? Twitter revealed recently that, due to a software bug, passwords to user accounts were being saved to an internal log in plain text. Every shared password is an extra opportunity for a hacker to compromise your systems unimpeded and make off with your hard-won data. Worse, it can easily happen without your even knowing about it until it’s too late.

Similarly, who else has access to your various provider accounts? The Agile Monks recommend never sharing account information, but we recognize that sometimes it’s not practical, or even possible, to give everyone their own account with a service provider. If you absolutely must share those credentials, do so with a purpose-built solution such as LastPass or similar that will safely manage your account information while tracking who accesses it.

Protecting the data itself is another concern. One of the most common issues we Monks see almost daily with businesses’ data collection forms on the web is a missing or incorrectly configured SSL certificate. In real terms this means that the data transferred from a potential customer’s browser is not protected on its way to your provider and could more easily be intercepted or tampered with in transit. Modern web browsers, like Firefox, will actually warn their users that the connection is not secure in many cases, which leaves two possible outcomes, and neither of them is good. Either a) your potential customer blithely enters and sends their information in an insecure manner, or b) they recognize the risk and simply go away. It’d be hard to quantify, but would you feel good about turning away potential customers over a simple fix?
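As an added example (not code from the original post), here is a small Python check that parses a page’s HTML and flags every form that would send visitor data over plain http, whether because the form’s action points at an http URL or because the page itself is served without HTTPS; the sample page and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> with its resolved submission URL and its input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself,
            # so a relative action inherits the page's scheme (http or https).
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((attrs.get("type") or "text", attrs.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return [(action_url, fields)] for forms whose submission would travel over plain http."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    return [(f["action"], f["fields"]) for f in scanner.forms
            if urlsplit(f["action"]).scheme != "https"]


# Constructed sample page: the first form posts to a plain-http lead collector,
# the second uses a relative action and is only as safe as the page serving it.
SAMPLE_HTML = """
<form action="http://leads.example.test/submit" method="post">
  <input type="email" name="email"><input type="password" name="pw">
</form>
<form action="/contact" method="post"><input type="text" name="msg"></form>
"""

if __name__ == "__main__":
    for action, fields in insecure_forms("https://www.example.test/signup", SAMPLE_HTML):
        print("insecure form ->", action, [name for _, name in fields])
```

Running the same check against an http:// page URL flags both forms, which is the "page itself is not secure" case the browser warning is about.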

European Union and EEA taking a stand for its citizens with the General Data Protection Regulation (GDPR)

Privacy and Compliance

The internet is an interesting place when it comes to our privacy. On the one hand we throw out mountains of personal details on social media and various internet fora and that seems to be perfectly okay. But collecting this publicly available data for marketing purposes (or sharing without our knowledge) is completely unacceptable to most of us. What’s the difference?

In a word: Consent.

The most recent change to privacy regulations comes from the European Union in the form of its General Data Protection Regulation (GDPR). One of the key provisions of GDPR centers around making sure leads and potential customers choose to divulge their information based on informed consent. It is up to you, the business operator, to ensure that this informed consent is present by informing visitors to your site of how their data will be used and to whom it will be divulged. Later on you may be required to clearly state exactly what data you hold about them, or even to expunge all copies of that data from your or your provider’s systems upon request should the user withdraw their consent.

Not only do your users need to know how you’re handling their personal data, but they also need to know if and how they’re being tracked when visiting your site. What’s more, you need to be able to both monitor and document that tracking information, especially user consents. Finally, all of this information needs to be readily available to visitors at all times.

Getting Help

That all sounds like a lot, right? Fortunately there are a number of good tools out there to help you maintain compliance, should you wish to take it on yourself. Better yet, help is available from any number of compliance providers, but remember: not all help is created equal when it comes to the privacy, security, and compliance realm.

Make sure your chosen compliance provider understands both the technical and legal aspects of compliance regulation; both are necessary, and each has ramifications for the other in sometimes unexpected ways.
