What we’re talking about
Customer data comes in many forms, but for small businesses with limited resources, the main area to focus on is personally identifiable information (PII). That basically means any information that can identify an individual directly – so think names and addresses for delivery, email addresses, credit card details for monthly billing, or IP addresses.
Whatever you’re doing with it, a comprehensive data protection strategy is essential. Within this, the two key aspects to think about are data privacy and data security. Data privacy is about making sure the information you possess is treated appropriately – that people consent to you obtaining and using it and that you maintain control of who sees it and when. Data security is a bit more spicy. It’s about how you protect that data from the threat of external hackers, scammers or untrustworthy employees. Your strategy will need to cover both.
Why it’s important
Data abuse is a hotter topic than ever before. While you might think that it’s largely a concern for the big players, small business owners handling data are implicated, too. With data privacy legislation varying from country to country, you need to be aware of the laws in the country or region you’re operating from. You also need to realize that if you’re, for instance, handling the data of citizens from the EU, you need to be compliant with their law, too (in this case, that’s GDPR). If you get on the wrong side of the law, it’s your bottom line that’ll get hit – through either fines or class action lawsuits.
Small businesses are always at risk from cyber criminals. A 2019 study by privacy analysis firm Ponemon into cybersecurity for global small and medium-sized businesses found that 72% had experienced at least one cyberattack in the past 12 months. All too often, businesses don’t have the necessary protection in place. Beyond the time and financial impact these incidents can have, security breaches also risk your relationship with your customers. Trust is a huge part of a business-customer relationship – when customers entrust you with their data, they expect you to look after it. That means building in best practice right from the start.
Things to note
Consider your risk profile. It’s important to remember that security breaches for small businesses are neither as common nor as catastrophic as those affecting the major players. The relevant authorities know this – they also know that small business owners are less likely to have the money, time and talent to put impenetrable data protection systems in place. Aim to adopt best practice cybersecurity and privacy controls but don’t bankrupt yourself in the process. This is an act of working out your risk profile by weighing up the sensitivity of the data you’re handling, the negative impacts of any potential breaches and the size of potential fines. One key tip is to manage your data in-house so you know where it is, rather than outsourcing the job to freelancers.
No one will tell you exactly what to do. Data privacy legislation differs from country to country – it’s constantly evolving and is far from black and white. Rather than there being a checklist for business to tick off, it tends to involve a series of rights, values or principles to be protected. Two major pieces of regulation, California’s CCPA and the European Union’s GDPR, hinge on something called ‘the accountability principle’ – whereby companies are trusted to know best how to look after their data, but should be able to showcase measures and prove compliance when necessary.
Think beyond your own four walls. As a small business, you're the ‘controller’ of whatever information your customer hands over to you. However, it’s likely you’ll be working with third parties – eg, a website host, a customer relationship management platform or a newsletter tool. If one of these companies breaches your customer data, you get the blame – so make sure you’re careful and purposeful about whom you share your customer data with.
Don’t forget about the physical stuff. Data doesn’t exist in a totally abstract realm; you need to think about the real-life places it’s stored – from mobiles and laptops to good old-fashioned filing cabinets. Have a physical data security policy. This will include things like office security and surveillance, locking away hardware and paper records, avoiding laptop theft and loss, privacy screens and destroying data before disposing of electronic waste.
How to protect your customers’ data
1. Understand what data you’re dealing with. Get clear on what information you’re collecting, what it’s being used for, where it’s being stored, and whether it’s being passed on to any third parties. Remember that data is accessible on your employees’ and contractors’ phones and laptops, as well as your centralised computer system. Knowing all this will help you to understand what needs protecting and to work out your risk profile as above.
2. Understand the laws you’re subject to. Get clear on the laws that apply to your business in the region you’re operating in. Though the type of data you’re handling will mean there might be some nuance here, a sound rule of thumb is to follow GDPR data processing rules for the data you’re collecting, as they’re generally deemed to be the strictest. Also, if you’re accepting and storing cardholder data, you’ll need to make sure you’re PCI compliant.
3. Secure your wifi network and passwords. If operating out of an office or a physical space, make sure you have your own wifi network, rather than using a public one or sharing with other businesses, with separate options for employees and guests. Opt for WPA2 (wireless protected access 2) security protocols when setting up, as this offers encryption and requires longer passwords. You should change the password to your wifi network often, making sure that any passwords guarding data are long – with symbols, numbers and capital letters – and updated every 90 days or so. You might also implement multi-factor authentication at critical points.
4. Encourage use of a VPN if necessary. If your employees need to access the company server while using any kind of public wifi, such as in a cafe or co-working space, make sure they use a VPN (virtual private network). VPNs – such as this one – create a kind of tunnel that no one can see inside, whatever network you’re on.
5. Install the right tools. Anti-malware and anti-spyware technology sometimes come built into devices like laptops and mobiles, but double check, and make sure they’re enabled. Put a firewall in place to act as a barrier, stopping hostile forces from getting in and sensitive data from leaking out. Email security tools that flag external links and mark them as phishing are very important – emails are a common avenue for attack. Finally, encryption software makes sure your data is encrypted – so that if your barriers fail, you have a final line of defense.
6. Make it someone’s responsibility. A data protection officer monitors compliance, training and auditing, and liaises with regulatory bodies. If you’re a small business this probably won’t be relevant, but you should still make sure that overseeing data protection and security is somebody’s responsibility – otherwise it’ll fall through the cracks. Plus, if and when privacy-savvy customers get in touch, they’ll want to speak to someone who knows what’s going on.
8. Educate your employees. Inform your team about the whys and hows of data, baking it into the onboarding process and revisiting whenever appropriate. Everyone working for you should be well-versed in password security, spotting email scams, reporting breaches and taking care of physical devices. If you have a newsletter, the person in charge of sending must ensure recipients have actively opted in.
9. Back up your data! Even if your system is as secure as can be, you’re still at risk. It’s absolutely essential you create backups of your data. This can be automated on some cloud systems like Amazon Web Services (AWS), but ideally you should back up onto a hard drive, too. Do this regularly – if you do it daily, the most data you can lose is one day.
10. Prepare for the worst. Have a plan in place in case an attack happens – use our crisis management guide as a solid starting point. If it does happen, you’ll need external expertise, so it’s worth establishing contact with an expert in data security before it does.
11. Keep updating. This is a fast-moving area. The software you download will need to be updated regularly, as hackers are constantly changing tactics and regulation is constantly evolving. Likewise, if you start collecting different or more sensitive data, you’ll need to reanalyze your approach.
• Customers are wising up to the perils of data misuse – you’ll lose their trust if you don’t protect their information.
• Specific regulations differ from country to country and data type to data type, but there are core principles – including accountability, transparency and confidentiality.
• Data protection involves its fair share of agility. Revisit your strategy as things change, and be ready to react quickly and calmly in the event of a disaster.
Perspective. Former Canadian information and privacy commissioner Ann Cavoukian pioneered an approach known as Privacy by Design, which has shaped a lot of regulation at company and country level. Here’s her take on why privacy must be embedded by default into everything your business does.
Example. For a quick and easy way to understand and compare the data privacy laws relevant to your business, use this map from DLA Piper.
Tool. To keep on track of what different US states are doing in the area of privacy legislation, check out this tracker from the International Association of Privacy Professionals.
Tool. Here’s a list of 10 free tools around data protection. Although the list is geared towards GDPR, the tools cover basic tenets of data use like cookies, policies and encryption.