Unauthorised data access or a data breach can have serious consequences for your business. Not only can it damage your company’s reputation and impact customer trust, but it can also lead to significant financial losses and even lawsuits. It’s essential that you understand your business’s legal obligations when it comes to protecting customer data.
For example, Australian businesses with an annual turnover exceeding $3 million are required by law to notify individuals if a data breach puts them at risk of harm. However, it’s not just large companies that have these obligations; many small businesses are also subject to the Australian Privacy Act and the notifiable data breaches scheme. Doing your research and understanding your business’s responsibilities is the first step to protecting customer information.
How to protect your customers’ data
Understand what data you are collecting
Get an idea of what information you’re collecting, what it’s being used for, where it’s being stored, and whether it’s being passed on to any third parties. Remember that data is accessible on your employees’ and contractors’ phones and laptops and your centralised computer system. Knowing all this will help you to understand what needs protecting and to work out your risk profile.
Understand what your legal obligations are
Find out the laws that apply to your business in the region you’re operating in. If you accept and store cardholder data, you’ll need to make sure you are PCI compliant.
Secure your Wi-Fi network and passwords
If you are operating out of an office or a physical space, make sure you have your own Wi-Fi network, rather than using a public one or sharing with other businesses, with separate options for employees and guests. You should change the password to your Wi-Fi network often, ensuring that any passwords guarding data are long – with symbols, numbers and capital letters – and updated every 90 days. You might also implement multi-factor authentication at critical points.
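The password rules above (long, with symbols, numbers and capital letters, updated every 90 days) are easy to state but easy to let slip. The following is an added example, not code from the original article, showing how those rules can be checked mechanically, for instance in an onboarding script or a periodic audit. The minimum length of 14 characters is an assumption; the article only says “long”.

```python
import re
from datetime import date

# Policy values from the article's guidance; the length threshold is assumed.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90


def password_age_days(last_changed_iso: str, today_iso: str) -> int:
    """Days since the password was last changed, from two ISO dates (YYYY-MM-DD)."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days


def check_password_policy(password: str, age_days: int) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if age_days > MAX_AGE_DAYS:
        problems.append(f"last changed {age_days} days ago (limit {MAX_AGE_DAYS})")
    return problems


def audit(records: list, today_iso: str) -> dict:
    """Audit a list of (account, password, last_changed_iso) records; returns failures by account."""
    failures = {}
    for account, password, last_changed in records:
        problems = check_password_policy(password, password_age_days(last_changed, today_iso))
        if problems:
            failures[account] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample records for demonstration only.
    sample = [
        ("wifi-staff", "Correct-Horse-Battery-7", "2024-01-01"),
        ("wifi-guest", "password", "2024-01-20"),
        ("admin", "Summer2024!Summer", "2023-10-01"),
    ]
    for account, problems in audit(sample, "2024-02-01").items():
        print(account, "->", "; ".join(problems))
```

Run the audit on the real account list on a schedule and treat any non-empty result as a ticket for the person responsible for data protection. Note that the check never stores or logs the password itself, only the account name and the reasons it failed.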
Encourage use of a VPN if necessary
Firstly – what is a VPN? VPN stands for “virtual private network” – a service that protects your internet connection and privacy online. It creates an encrypted tunnel for your data, protects your online identity by hiding your IP address, and allows you to use public Wi-Fi hotspots safely. If your employees need to access the company server while using any kind of public Wi-Fi, such as in a cafe or co-working space, make sure they use a VPN.
Have the right tool for the job
Install the right tools. Anti-malware and anti-spyware technology sometimes comes built into devices like laptops and mobiles. Still, we recommend that you double-check and make sure it is enabled. Put a firewall in place to act as a barrier, stopping hostile parties from getting in and sensitive data from leaking out. Email security tools that flag external links and suspected phishing messages are very important – emails are a common avenue for attack. Finally, encryption software ensures your data is encrypted – so that you have a final line of defence if your barriers fail.
Make it someone’s responsibility
Nominate a team member to monitor compliance, training and auditing, and liaise with regulatory bodies. If you’re a small business, you should still ensure that overseeing data protection and security is somebody’s responsibility. Otherwise, it could fall through the cracks. Plus, if and when privacy-savvy customers get in touch, they’ll want to speak to someone who knows what’s going on.
Communicate with your customers
Customers have a right to know why you are collecting their data, who else might see it and how long you’ll retain it. This should be stated in what’s called a processing (or privacy) notice, and you might add this to your website under your terms and conditions or privacy policy.
For this, you’ll need to be clear on what the law requires you to say – there are plenty of examples online. Here’s ours. If you’re planning on using cookies, make sure you have a clear cookie policy and notice that allows customers to opt out.
Educate your team
Inform your team about the importance of customer data, include it in your onboarding process and revisit it whenever appropriate. Everyone working for you should be well-versed in password security, spotting email scams, reporting breaches and taking care of physical devices. If you have a newsletter, the person in charge of sending it must ensure recipients have actively opted in.
Back up your data
Even if your system is as secure as it can be, you could still be at risk. It’s essential that you create backups of your data. This can be automated on some cloud systems, but ideally, you should back it up onto a hard drive. Do this regularly – if you do it daily, the most data you can lose is one day.
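Backups only reduce the loss to one day if they actually run every day and can actually be restored. The following is an added example, not code from the original article, of a small daily backup routine: it archives a folder, records a checksum alongside the archive so corruption is detectable later, verifies the archive can be read back, and keeps only the newest few copies. The folder names and the seven-copy retention are assumptions chosen for the example.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir, keep: int = 7) -> Path:
    """Archive src_dir into backup_dir, store a checksum, and prune to the newest `keep` archives."""
    src, dst = Path(src_dir), Path(backup_dir)
    dst.mkdir(parents=True, exist_ok=True)
    # Microseconds in the name keep consecutive runs from colliding.
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    archive = dst / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    # Checksum sidecar: lets a later restore detect a corrupted or tampered archive.
    Path(str(archive) + ".sha256").write_text(_sha256_file(archive))
    # Retention: names sort by timestamp, so the oldest come first.
    for old in sorted(dst.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
    return archive


def verify_backup(archive) -> bool:
    """True if the archive matches its recorded checksum and can be read back."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sidecar.read_text().strip() != _sha256_file(archive):
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return len(tar.getmembers()) > 0


def demo() -> tuple:
    """Run three backups of a constructed sample folder with keep=2; returns (archives left, verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "customer-data"
        src.mkdir()
        # Constructed sample data for demonstration only.
        (src / "customers.csv").write_text("id,email\n1,alice@example.com\n")
        dst = Path(tmp) / "backups"
        latest = None
        for _ in range(3):
            latest = make_backup(src, dst, keep=2)
        remaining = list(dst.glob("backup-*.tar.gz"))
        return len(remaining), verify_backup(latest)


if __name__ == "__main__":
    print(demo())
```

Schedule `make_backup` once a day (cron, Task Scheduler, or a cloud job) and run `verify_backup` on the newest archive as part of the same job, so a silent failure is noticed the same day rather than on the day you need the restore. This example handles completeness and integrity only; in line with the article’s advice on encryption, the archive should also be encrypted before it leaves the machine and a copy kept on a drive that is not permanently connected.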
Prepare for the worst
Have a plan in place in case an attack happens. If it does happen, you’ll need external expertise, so it’s worth establishing contact with an expert in data security before it does.
Keep updating
This is a fast-moving area. The software you download will need to be updated regularly, as hackers constantly change tactics, and regulation is continuously evolving. Likewise, you’ll need to reanalyse your approach if you start collecting different or more sensitive data.
Want to be sure that your customer data is safe? Book a security audit with us today, and we can help you identify the vulnerabilities and security risks that could expose your customer data to hackers.