Managing Customer Data
Over the last few years, customers and legislators have really started to take notice of what companies are doing with personal information. Canada led the way nearly twenty years ago with the Personal Information Protection and Electronic Documents Act (PIPEDA) that became the basis for the European Union General Data Protection Regulation (GDPR) introduced last year. With California introducing the Californian Consumer Privacy Act (CCPA) early next year and other States and countries looking at how they handle data, there is more focus than ever.
This blog is by no means a fool proof strategy or legal advice. Its aim is to outline some guiding principles we should all be thinking about in the spirit of a customer first data approach.
What is personal information?
The definition of personal information differs by legislation so you need to be hot on what exactly is covered. Most people think of personal information as customer details that directly identify a person such as name, address, phone number. However, most of the new data laws include identifiers that you may not have thought of such as ID numbers, device IDs, comments and opinions. You might need to think differently about what you class as personal information.
Am I collecting what I need?
It’s a good idea to collect personal information which you only have a use for now. For example, you might be collecting and storing a customer’s age to validate for age-restricted items. That is brilliant because there’s a valid use case now. However collecting a customer’s date of birth because you might want to start a program in the future, to give customers a birthday discount is not a great reason to be collecting personal information. This increases the amount of customer data we are keeping. Which in turn needs to be kept up to date and stored in a way it can easily be deleted. It adds unnecessary complexity to our systems, as well as not being the right thing for our customers, storing information we don’t need or use.
How long are we storing it for?
It makes sense to only store a customers personal information for as long as it is useful. If a customer hasn’t interacted with you for ten years for example, the likelihood is their data is out of date or for whatever reason they are no longer invested in the brand. It’s good to make decision on when a customer’s personal information should be removed. Sure you might need to keep their order information for business reasons but do you need to keep the name of the person that ordered if they ordered twenty years ago and haven’t ordered since?
How easy is it to correct and remove?
It is now common practice that customers should be able to have access to personal information you have stored. They also have the right to request this data is updated or deleted. When building new systems, consider if you need to duplicate information across systems or if you can use identifiers in other systems to make things simpler. If a customer’s personal information is only in one system it easier to extract and keep data up to date.
Would I happy if this was my data?
The underlying question we should always be asking ourselves when we are using personal information is, would I be happy if my data was used in this way?
