How to Protect Customer Data and Your Company

Most of us have seen the commercial in which a bank guard stands idly by during a robbery and explains that he is there only to monitor, not to prevent. It is a good illustration of why a company must think about digital integrity as a whole rather than piecemeal.

Your online presence is the face your company shows to the world. It's your identity. And it tells your customers about your credibility and integrity as much as any other business strategy does. Customers want to know that they can trust your content and what's behind it: what it means, whether it's consistent and accurate, and what backs it up. And they want to know how you protect the information they share with you.


Your online presence tells your customers about your credibility as much as any other business strategy, says @kpodnar.

Digital policy development may not be at the top of your list of things to spend time and money on, but it really should be, because the consequences of not having a policy are frightening.



Why is digital integrity important?

Let's start with a data breach, because that's the problem that catches the most headlines. From forensics and fines to legal proceedings and lost time, the costs associated with a breach add up quickly. And that's just the beginning.


For example, a distributed denial of service (DDoS) attack can stop you from doing business for a period of time. And even if the attack merely slows down the load time of your site, your customers may not do business with you. According to a survey, almost half of all customers will not wait more than 3 seconds for a page to load. They click over to a competitor, and many don't come back.

Second, there is a more general loss of trust. How are customers supposed to trust you with their business when you aren't taking care of your own digital security?

How can your subscribers trust you with their business if you can't protect their personal data? @kpodnar

Online integrity isn't only about protecting your audience's personal information (though that is important too). It requires a multifaceted, comprehensive digital policy that is embedded in everyday business processes.


Let’s see what that means.


Components of a comprehensive digital policy

Brands have slowly but surely adopted a "more is better" attitude toward data. The more data points you have, the better, right? Even in a physical store, it's hard to make a purchase without being asked for your name, address, phone number, email address, and even your birthday. And, indeed, your business can do a lot with that information in terms of market segmentation and analysis.

But the more data you collect from your audience, the more you and they stand to lose if you suffer a breach. In business terms, you need to do a risk-and-benefit analysis. If you're really using all the data you collect and your return on investment is commensurate with the risk, fine. But if you're collecting data just because you can, the risks quickly outweigh the benefits. Collect data only when it matters to your business.


According to @kpodnar, collect data only when it is important to your business.

Questions to ask:

  • What information do you collect from your customers? Where do you store it? How do you protect it?
  • Who needs the data (marketing, product development, etc.)? What do they do with it? Could others in the company use the same information to increase profits and make the risk worthwhile?
  • What information do you really need to collect from your customers, and why?
  • How does each data point enhance or support your business model?

Data storage

The natural consequence of collecting large amounts of data is that you have to store it, and stored data is a liability. Do you really need to keep email addresses and purchase histories for people who haven't interacted with you in years? Collecting customer data is not a "well, it might be useful someday" situation. The safest remedy is to store only the data that matters to your business.


Thinking about it this way can help. Imagine you've had a breach and are meeting a customer whose personal data was stolen. How comfortable would you be looking that customer in the eye and explaining why you needed each data point?

Questions to ask:

  • What data do you want to keep? Does each data point have a legitimate business purpose?
  • Where do you store your data? Who can access it? What security measures are in place?
  • What are the risks of retaining the data? Does it contain enough data points to identify a person? If so, what are your obligations to your customers?
  • If you need to store multiple data points, how long do you need to keep them? (For example, do you need to retain a customer's email address and other information after a free trial ends?) What process will you use to enforce that? Should data be deleted automatically after a set period, or does it require a human review process?
  • Is the server that stores sensitive data separated from servers on less secure networks? Or could someone compromise an insecure device and reach the sensitive data from there?
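The retention questions above (how long to keep a data point, whether it is deleted automatically, and when a human should review instead) are easiest to answer when the rules are written down as code that runs on a schedule. The following is an added example, not code from the original article or from @kpodnar; the retention windows, the record fields, the "open dispute" legal-hold flag and the sample records are all constructed assumptions for illustration. It classifies each customer record as keep, delete, or review, so that routine cases are purged automatically while anything under a legal hold is queued for a person to decide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention windows per record category. Constructed for this example; real
# values come from your own policy and the regulations that apply to you.
RETENTION = {
    "trial_lead": timedelta(days=30),          # prospects whose free trial ended
    "inactive_customer": timedelta(days=730),  # paying customers gone quiet
}


@dataclass
class CustomerRecord:
    customer_id: str
    email: str
    last_activity: datetime
    trial_ended: Optional[datetime] = None  # None for paying customers
    has_open_dispute: bool = False          # hypothetical legal-hold flag


def classify(record: CustomerRecord, now: datetime) -> str:
    """Return 'keep', 'delete', or 'review' for one record.

    Records under a legal hold are never deleted automatically; a human must
    decide. Expired trial leads and long-inactive customers are purged once
    their retention window has passed.
    """
    if record.has_open_dispute:
        return "review"
    if record.trial_ended is not None:
        age = now - record.trial_ended
        return "delete" if age > RETENTION["trial_lead"] else "keep"
    age = now - record.last_activity
    return "delete" if age > RETENTION["inactive_customer"] else "keep"


def run_retention(records, now: datetime) -> dict:
    """Partition record ids by the action the policy requires."""
    plan = {"keep": [], "delete": [], "review": []}
    for record in records:
        plan[classify(record, now)].append(record.customer_id)
    return plan


def tombstone(record: CustomerRecord, now: datetime) -> dict:
    """Audit entry written when a record is purged: no email, no activity data,
    only enough to prove later that the deletion happened and why."""
    return {
        "customer_id": record.customer_id,
        "deleted_at": now.isoformat(),
        "reason": "trial_lead" if record.trial_ended else "inactive_customer",
    }


# Constructed sample data: a fixed "now" keeps the run reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CustomerRecord("c1", "a@example.com", datetime(2024, 5, 20, tzinfo=timezone.utc)),
    CustomerRecord("c2", "b@example.com", datetime(2021, 1, 1, tzinfo=timezone.utc)),
    CustomerRecord("c3", "c@example.com", datetime(2024, 5, 25, tzinfo=timezone.utc),
                   trial_ended=datetime(2024, 5, 25, tzinfo=timezone.utc)),
    CustomerRecord("c4", "d@example.com", datetime(2024, 3, 1, tzinfo=timezone.utc),
                   trial_ended=datetime(2024, 3, 1, tzinfo=timezone.utc)),
    CustomerRecord("c5", "e@example.com", datetime(2024, 1, 1, tzinfo=timezone.utc),
                   trial_ended=datetime(2024, 1, 1, tzinfo=timezone.utc),
                   has_open_dispute=True),
]

if __name__ == "__main__":
    plan = run_retention(SAMPLE_RECORDS, NOW)
    for record in SAMPLE_RECORDS:
        if record.customer_id in plan["delete"]:
            print(tombstone(record, NOW))
    print(plan)
```

Run on a schedule, a job like this answers "should the data be deleted automatically?" with a yes for the routine cases and routes the exceptions to review, and the tombstone gives you evidence of deletion without keeping the personal data you just promised to remove.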

Regulatory requirements

One of the hardest parts of doing business in a global economy is sorting out which rules and regulations apply. For example, the United States has laws that regulate the collection, use, and storage of customer information. Many states also have their own regulations, some of which are stricter than federal law. And when your business crosses national borders, it gets even more complicated.


To get an idea of how complex this can be, think about cloud-based services that are not tied to any geographic location. What does that mean legally? Do the regulations that apply to data held in that cloud service depend on where the company is headquartered, where it is physically located, where the customer lives, or where the server holding the data sits? Or all of the above?

This is one area where it is important to get professional guidance, whether from a lawyer or a digital policy expert. There are too many moving parts, and you can't afford to shoulder that much risk on your own.

Questions to ask:

Prepare for your first meeting with an expert by writing down as many relevant facts and questions as you can think of, such as:


  • How do you determine which regulations you need to comply with? For example, what if you don't have an office or server in a particular country, but you have users who live there? What if you have a shared server in one country and no other business there?
  • How often do these regulations change? And what is the best way to respond to those changes and incorporate them into your digital policy?
  • What are the penalties for a first breach in a particular jurisdiction?
  • How can you be sure that you aren't violating any country's data privacy laws?
  • What are some best practices identified by other companies?

Incident monitoring and response

Having a good digital policy does not necessarily prevent breaches, but it greatly helps to limit the damage. It's important to have a crisis response plan that covers everything from discovering a breach to communicating the situation to your customers (and the relevant legal authorities). The policy should identify who is responsible for each step of the response plan and include frequent reassessments to confirm that each person is still in that role and knows what to do.


The crisis response plan details how to notify your audience in the event of a data breach, @kpodnar advises.

Questions to ask:

  • How will you become aware of a breach? Is there a system that notifies you immediately when anomalous activity is detected, or will you only find out once you're already in crisis mode?
  • If an attack is detected, how will you stop it? Do the people responsible for mitigating attacks have the right skills, training, and tools?
  • Who in the company should be notified, and in what order? Can it wait until morning if an attack is detected at night, or does someone need to be alerted immediately?
  • Do you have a backup plan if the attack is severe enough to halt operations? Does everyone know what it is and how to launch it?
  • What regulations apply? Which authorities need to be notified, and who is responsible for doing so?
  • Who is responsible for talking to the media?
  • What actions do you need to take on behalf of your customers (such as notifying them that their data may be at risk)?

External risk

Risks aren't only inside your own walls, because modern businesses are so interconnected. Third parties with access to your network can be a source of compromise. It's important to think up and down your supply chain and make sure your partner network isn't unintentionally leaving you with a policy that, for all practical purposes, protects nothing.


Questions to ask:

  • Who can access your systems (vendors, outsourcing partners, consultants, outsourced IT support, SaaS products, etc.)? What digital policies and security protocols do they have?
  • Are your external partners' policies sufficiently mature? Or do they leave important questions unanswered?
  • Do those companies actually follow their digital policies, or just pay lip service to them?
  • Who is liable for a breach, intentional or not, that occurs through a third-party provider? Whose response plan takes priority? Where applicable, who is responsible for fines and customer compensation?
  • Are the answers to your data security questions spelled out in your contracts?

Policy making

Gathering this information is the first step. The next step is to get buy-in, create the digital policy, and get approval to implement it. This process usually works best with a cross-departmental team so that every interest is represented.


Questions to ask:

  • Who are your stakeholders? Who is affected by this policy?
  • What conflicts of interest do you need to manage (legal versus marketing, etc.)?
  • Do you have everything you need to know to create a good policy? Has anyone been forgotten and left out?
  • What can go wrong, and what can be done to prevent it?

Change management

Few people like change, and even fewer like random, seemingly unnecessary change. That's even more true when the change makes a process harder and more time consuming. Marketing the "why" of the digital policy is central to overcoming resistance.

Questions to ask:

  • Can you clearly and consistently articulate why having a digital policy matters? (Hint: employees are unlikely to accept "because the lawyer said so" as a compelling reason.)
  • Whose jobs are affected by these changes, and how? What can be done to offset unintended adverse effects?
  • What might employees see as drawbacks of the digital policy, and what benefits can you communicate to counter that perception?

Plan implementation

This is where many digital policies fail: the company stops just short of the finish line. But a policy that is implemented incorrectly or universally ignored puts you at greater risk than having no policy at all, because the policy is documented evidence that the company was aware of the risk.

If the company stops short of the finish line (correct implementation), the data security plan will fail. @kpodnar

Questions to ask:

  • Where does the policy live? How do employees find it when they need it? Do they have immediate access, or do they need approval to open the file?
  • Is the policy easy to use? Is there a table of contents that lets employees go straight to the relevant section? Is it searchable?
  • Who can make changes to the document? And can anyone without the authority to modify it technically still modify it?
  • How can you make the policy easier to use? Can you give employees a checklist or a wizard? Can you build it into business processes so that much of the compliance happens behind the scenes? How can you make it easier for employees to comply with the policy and harder to violate it?

Follow-up

"Having a digital policy" doesn't mean you can cross it off your to-do list. It is a continuous process that must be revisited over the years as people, processes, and technologies change.

Questions to ask:

  • How can you be sure the digital policy is actually being used? How will you track compliance?
  • What corrective action will you take when the policy is violated (whether intentionally or unintentionally)?
  • How will the policy be adapted to changing circumstances and emerging threats?


If I could grant one wish to a company struggling with digital policy, it would be that it look at the situation as a whole. Think of it like parenting. We don't get our children ready for kindergarten and then congratulate ourselves on a job well done. Parenting is an evolving process that covers everything from nutrition to exercise, education, character, and sometimes, eventually, babysitting the grandchildren. Your passion for digital policy may not match your passion for your child, but both require supervision, care, and development.
