Are you risking your reputation on poor consumer data management?
Every time we book concert tickets, order sushi online, or even sign up for an in-store loyalty card, we share our data. For consumers today, providing businesses with telephone numbers, email addresses, and credit card details is a normal part of daily life. Indeed, we do it so frequently that, until recently, we have rarely thought about what companies are doing with all that information.
Data privacy in the spotlight
The same is true for many businesses. Collecting consumer data is a necessary by-product of operations and, as such, it tends not to pull their focus. However, a recent increase in awareness surrounding data privacy has led to greater regulation.
The 2018 introduction of Europe’s General Data Protection Regulation (GDPR) has played a key role in driving change in data privacy guidelines. The GDPR’s extra-territorial reach gives it impact beyond EU borders and has prompted governments the world over to create or reinforce their own laws.
Companies now have a legal obligation to pay close attention to the data they collect, how they store it, who can access it, and what is done with it.
Despite this, in a 2019 McKinsey survey of senior marketing leaders, 64% said they did not think regulations would limit current practices, and 51% said consumers would not limit access to their data. Such attitudes are misguided and potentially dangerous. Recent studies have shown that more than 90% of consumers are concerned about their online privacy, and nearly 50% have limited their online activity because of privacy concerns.
These studies highlight an important point. When businesses do consider data privacy, they tend to do so from the standpoint of regulatory compliance. Yet the biggest threats may in fact be damage to reputation and loss of business. Consumers need to trust the companies they do business with. Poor data management can erode that trust and push customers into the arms of a competitor.
Privacy as standard
The most effective solution to limit risk and ensure compliance is the implementation and certification of a management system such as that outlined in ISO 27701, the international standard for data privacy management. It helps organizations create a privacy information management system (PIMS) and so meet some of the requirements outlined in regulations such as the GDPR.
ISO 27701 encourages privacy by design and default. This means that privacy is built in across all services, systems, processes and technologies.
Robust data security is, of course, a prerequisite upon which all data privacy is based. Other examples of best practice include minimal data collection (companies collect only the data they really need) and the inclusion of consent models when data-sharing is required.
The implementation of a comprehensive system encompassing the controls to be put in place, who is responsible for ensuring they are followed, and how compliance and progress are to be monitored and assessed is the best way to ensure that an organization addresses its own specific risks and opportunities. It is also the most effective way of achieving continual improvement.
Support through training and certification
As a world leader in testing, inspection and certification, Bureau Veritas Certification supports companies in managing personal data in line with consumer expectations and in compliance with rapidly tightening regulatory requirements. Bureau Veritas offers training to introduce the standard and to help organizations understand how to implement an ISO 27701 privacy information management system, enabling them to go on to certify against the standard and demonstrate that they meet the highest standards of accountability and transparency in the processing of personal information.
Brian Byer, “Internet users worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018, entrepreneur.com; and Rafi Goldberg, “Lack of trust in internet privacy and security may deter economic and other online activities,” National Telecommunications and Information Administration, May 13, 2016, ntia.doc.gov.