The state of data privacy in 2023: how to keep your customers safe
Last updated: April 10, 2023
Data privacy has been a huge concern for decades. But since the onset of COVID-19, the risks have escalated and don’t appear to be subsiding anytime soon.
Cybersecurity incidents have more than doubled in the last five years alone. More than 33 billion records will be stolen by cybercriminals in 2023, up 175% from 2018.
Many of these attacks are leveled against the most vulnerable companies. 43% of attacks target SMBs, but only 14% of these businesses are prepared to defend themselves against cyber threats.
All those costs add up: a single incident — from data breaches and malware to ransomware and DDoS attacks — cost American companies a median of $18,000 in 2022.
International, national and state bodies are combating these threats by releasing progressively stricter data privacy laws. In 2023 alone, the states of California and Virginia passed new privacy regulations and Colorado, Connecticut and Utah have followed suit. (Stay up to date with our privacy law tracker!)
All of these laws give consumers a right of access, deletion, portability and the right to opt out of sales.
Now, you need to be able to provide someone with their full and complete data record upon request — or be able to delete their full record without missing any parts of their profile. Customers need to be able to proactively opt in and out of specific areas of communications, especially promotional emails, from your brand.
We’ve seen this play out in a few high-profile cases involving Meta, Google, and more.
- Meta, Facebook’s parent company, will pay $725 million to settle a privacy suit over the Cambridge Analytica scandal.
- Google recently settled for $391.5 million over its location-based targeting practices.
- Plaid Data paid a $58 million class action settlement for accessing payment data from payment apps without user consent.
It bears noting that Meta’s and Google’s judgments represent less than a fraction of a percent of each company’s annual revenue. But companies without the market share and public influence of Big Tech can’t weather scandals of this scale. Not to mention that keeping your customer data safe should always be a top priority.
With the stakes so high, why do so many companies fall short? Often, companies fall short not because of a lack of will, but because of a lack of resources. If your customer data is scattered across software, your customer profiles might not be complete across channels. So when you try to delete or offer up a customer’s data, you’ll likely miss some pieces. Or if your consent forms don’t offer the right disclosures or opt-out opportunities, you could find yourself with lots of complaints or worse.
So it’s worth revisiting your database, consent management processes, and sign-up forms to ensure they’re up to snuff. Follow these steps to ensure that you’re ready to face today’s cybersecurity and regulatory risks.
5 best practices for data privacy in 2023
Perform data discovery and audits
But the landscape has gotten a lot more complex since then. Assessing your privacy means evaluating your whole tech stack, data architecture and even your individual landing pages. Make sure that you address the following questions:
- What channels and forms do you use to collect this data? How does it flow into your system of record? Does data from each touchpoint flow directly to each person’s customer profile — or do you need to transfer it manually?
- How sensitive is your customer data? What mechanisms are in place to protect your data? What procedures are in place to respond to data breaches, phishing attacks, etc.?
- Can you keep track of all your data processing activities, across all of the different software tools you’re using? Can you see all of these activities in one place?
- Do your data processing activities align with your privacy and consent notices?
Vet your third-party vendors
An increasing number of successful attacks have come via third-party vendors. Successful breaches to the organization through the supply chain have increased from 44% to 61%. So use partners and processing tools that are transparent, with data and privacy practices that can be easily audited.
Ensure that each of your partners will safeguard your customer data by asking the following questions:
- Can I track consent across the customer lifecycle?
- Can I easily comply with Data Subject Right (DSR) requests?
- What options do you have to ensure easy opt-ins and opt-outs?
- Can I easily audit what data is tied to a data subject?
- What tools or features does the vendor have that will protect my business interests and privacy interests?
Govern your data
- Manage access. Who has access to your data? Who is responsible for managing consent across each marketing touchpoint? Minimize internal risk by following the principle of least privilege — allow clearance only to team members who need access, and never give it to those who could go without clearance.
- Shore up data protections and processes. Quickly grant and revoke access to key data sources when onboarding or offboarding team members (you never want to risk that disgruntled employee stealing data right after their last day!). Also confirm that you’re only using data for which you’ve obtained consent from your audience. (On Omeda, you can easily query your audience by their consent status, then add each group to the appropriate email lists.)
- Minimize data. As a rule, only collect and keep the data that you need to conduct marketing and business activities. This reduces your exposure to data breaches and other attacks.
Champion privacy and security across your organization
Especially if you work online every day, it’s easy to overestimate your ability to spot cyber threats — and it’s easy to underestimate the risk involved in carrying out your daily work. Encourage your team members to stay vigilant by making security a priority across your organization. Below are a few great places to start.
- Educate stakeholders on the types of data that you hold. Tell each team how data can and cannot be shared in their particular area of the business. This adds more accountability to the privacy process and ensures that each source of data is accounted for.
- Plan for worst-case scenarios. Create a crisis team so that you can quickly assign responsibilities, devise a game plan, and craft necessary communications in response to breaches.
- Prepare for common threat scenarios. Educate your team members on the most common cybersecurity threat vectors, including phishing, smishing (SMS), vishing (voicemail-based attacks), etc. Encourage team members to confirm the veracity of suspicious messages.
Choose the right tech stack
Invest in a tech stack that makes it easy to manage consent across your organization. Look for technologies that allow:
- Access control and retention management
- Transparency around processing and what data is attached to a data subject
- A single customer view
- Strong consent management features that cover both opt-in and opt-out
With Omeda’s end-to-end audience management platform, you can get all of the above while also being able to action your audience data in email, on site, and in advertising and subscriptions. All from one database. Schedule a demo to learn more today!