An OAIC report in 2020, found 70% of Australian adults consider the protection of their personal information to be a major concern in their lives. With consumer happiness and trust impacting bottom lines, customer concerns become business concerns.

‍

In Australia, 539 notifiable data breaches were reported in the six months to December 2020.  This is an increase of 5% from all notifications from January to June of the same year.  This rise can be attributable to the introduction of remote working arrangements in response to the COVID-19 pandemic.

This increase in the number of data breaches and cyberattacks shows the significant value of your customers’ personal data in your system.

To protect your data from misuse, your organisation is required to take active measures to ensure the security of the personal information you hold.

What is Personal Information?

The Australian Privacy Act 1988 defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not.

This means information when used alone or with other data that can reasonably identify an individual.
‍
The Privacy Act separates personal information into two main categories:

Personal Information
This data includes information about a person's private or family life (e.g. name, date of birth, phone number and address), information about a person's work and personal habits (e.g. employment details and work address), photographs and IP address data, and other direct identification documents such as a driver’s license.

Sensitive Information
Sensitive information is personal information which includes information or an opinion about an individuals:

• racial or ethnic origin
• political opinions or associations
• religious or philosophical beliefs
• trade union memberships or associations
• sexual orientation or practices
• criminal record
• health or genetic information

‍

‍

‍

Data protection laws for Personal Information

To protect consumers, Australia has implemented data protection laws to provide guidelines for businesses collecting, storing and sharing customers personal information.  

These guidelines set out the obligations on an organisation for the information they collect, how they use it, storage and the security of the information, how it can be shared and an individual's right to access information held about them.

Privacy Act
The Privacy Act 1988 is Australia’s legislation to protect the handling of personal information about individuals in the public and private sector.

The Notifiable Data Breaches scheme resides under the Privacy Act, and legislates that a business who experiences a data breach of personal information which poses a serious risk, must notify affected individuals and the Office of Australian Information Commissioner (OAIC).

‍

‍

Adopting Personal Information compliance

Are you aware of the location of Personal Information  and how it’s linked in your system to specific individual customers?

An IDG Research Services survey commissioned by Insight Enterprises found that only 57% of organisations conducted a data security risk assessment in 2020.

It’s essential that your organisation has the information it holds under control and secure in order to meet its privacy obligations, and avoid the risk of unnecessary reputational damage and potential fines. You need to have access to a full review of data across your systems, software, and tools, called data mapping.

‍

‍

Why should you take customer privacy seriously?

Customer privacy is a complex issue for your business and your customers as well. It can seem daunting and expensive to set systems up to protect your customers personal information – and keep them up to date. As well as openly and clearly communicating your data processes to your customers.  

It’s no longer enough to simply secure your data as it can affect your business in three ways.

• Impact on your brand
  ‍Brands that handle customer data security properly and communicate this to their consumers, have more satisfied customers and a deeper loyalty from them.
  
  Data breaches can affect your brand immensely and can lose you consumers even before they have become a customer.  An Atomic Research study found that 33% of UK organisations lost customers after a data breach, with 34% of businesses saying they suffered a damaged reputation.  
  
  It's wise for organisations to spend time and money developing best practices on data protection and cybersecurity. If a data breach does occur, you can minimise the impact on your brand, by setting up a series of ‘what if’ scenarios, ready to implement the instant a security crisis occurs. These scenarios would include all C-suite executives who are likely to be involved in the breach.

‍

• Erode customer trust
  The trust that your customers have in your business is built over time. As they interact with you, purchase from you, their trust in your business grows.  
  
  If this trust is broken because of a data breach, this will be difficult but not impossible to repair.
  
  Report breaches to appropriate authorities immediately and open the communication lines with the affected customers as required. Bend over backwards to reassure affected customers. Take corrective action and assist them to further protect their personal data.
  
  How you treat and manage a data breach can perhaps win your customer back.

‍

• The cost of a data breach
  When a data breach has occurred, your organisation may be liable to pay damages. The bigger the data breach, usually the larger the damages.
  
  The damages can include the cost to correct the exposure in your data security, compensation of victims as well as suffering wider business disruption such as staff diverting their time away from business.

‍

‍

So, how can you respect the privacy of your customers?

Use the ‘golden rule of data privacy’ – treat your customers and prospects data how you would like your personal data to be treated as a strong foundation for your security and data handling.

• Communicate your principles and procedures on data handling
  Be proactive in engaging your customers on how you protect the privacy of their data to help them feel safe and secure when buying from you. Educate your customers about the security of their data through a clear privacy policy written in plain language.  At various times during the sales funnel, remind them of your policy.  
  ‍
  Privacy compliance may require asking permission to use their data. Explain to your customers how you will be using the data and give them options. To keep their trust and remain compliant, only use their data for this stated purpose. Keep a record of their granted permissions including how and what they agreed to.

‍

• Make it easy for consumers to remove themselves from your database.
  Create a simple and effective withdrawal mechanism.  Communicate their right to withdraw consent at any time and how to do this.  Where legally required to do so, ensure that your process removes the records entirely from your system.

‍

• Install robust data and security solutions to protect your consumer data and your brand.
  Ensure all departments – from technical teams, analysts, marketers, and your external technology partners prioritise and play an active role in data security and governance. Automate as many processes as possible to help time poor employees and prevent errors from manual procedures. Be clear to all employees how sensitive data is handled, classify data and include a backup and recovery plan.

‍

• Stay informed of regulation updates and new standards in privacy and data handling.
  Use government regulations as the minimum to set up processes to meet compliance requirements, risk management and data protection.  Industry standards are continually changing, and it warrants keeping up with the evolving digital environment.
   
  According to Gartner, Inc. by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020.

‍

What about data security with your business partners?

In business where collaboration through partners has become popular, it's critical to question how your partner treats your customer data.  A partner would include any outside organisation that has access to your systems and personal information you hold – be they service providers such as brand and marketing strategists, or data and analytics partners, to certified app developers for conversion optimisation or fraud and risk management.

You are looking for partners that have the same level of respect and transparency your organisation has for customer data. It’s important that your partners, especially if located in a different country, follow the required privacy and data handling compliance when they gather, store and link your data in their systems. More information can be found here in the Privacy Act 1988.

‍

What are some of the security tools to safeguard your customers' information?

Just like you, etika takes the handling of the information we hold seriously.  We use a range of measures and reasonable steps to protect our client’s personal information from misuse, loss and unauthorised access, modification and disclosure.  Data security practices is changing all the time but can include the following innovative technology:

Data Discovery and Classification
This is where all data is classified, in accordance with its value to the organisation to reduce the risk of improper exposure.
‍
‍Data Encryption
Using a combination of hardware and software-based data encryption to secure data before it is written to the drive.

‍Data Loss Prevention (DLP)
Preventing data from leaving the corporate network.

‍Dynamic Data Masking
Real-time masking of data so that the data requestor does not get access to the data, but no changes are made to the original data.

‍User & Entity Behaviour Analytics (UEBA)
A complex technology for baselining normal activity and spotting suspicious variations before a breach occurs.

‍Our tips to finding an eCommerce data security provider
‍From the IDG Research Services survey commissioned by Insight Enterprises, only 27% of respondents expanded security staff in 2020. If your technical team is already pushed to its limit, you may be considering an external organisation for data security.  

Here are some factors to consider when choosing a data security provider:

• Understands your business
  Some industries have unique requirements and regulations, ensure they understand yours and have the experience in these areas.

‍

• How much data do you have?
  ‍Analyse the type and amount of data your business holds. Ensure the data security partner can handle the volume not just now but, in the future, and as your business grows.

‍

• ‍Ability to integrate all data
  ‍Ensure data integrates with all your business applications and copies of the data are not created during the processes.

‍

• ‍Access to your data
  ‍eCommerce never sleeps! Ensure your provider gives you 24 hours, 7 days a week support, in case of emergencies. Also, check their geographical locations – where the data will be stored, transferred and its access possibilities, as privacy and data handling compliance may be required.

‍

There’s no hiding from cybersecurity in the eCommerce world. Protecting your customers' data should be top priority for your business and the responsibility of everyone in the company.

‍