How to protect customer data

With businesses facing fines of up to €20m or 4% of worldwide turnover for a serious data breach, it pays to take steps to protect customer data.

Nearly all businesses generate or collect data about their customers.

The customer information you process and store is valuable - and not just to you. Hackers and criminals are interested in getting their hands on this sensitive data.

The General Data Protection Regulations (GDPR) has strict rules on how customer data is collected, stored and accessed.

A key part of the GDPR requirement is the protection of customer data. Information must be stored and processed securely so it to doesn't fall into the wrong hands.

A security breach can be expensive. A 2018 report by IBM found that data breaches in the UK cost an average of £2.7mn, with an average cost of over £110 for every customer record lost or stolen.

1. Know what data you hold about customers

You cannot protect what you don't know.

It's important to audit all the personal information that you hold about customers.

Data can range from contact details such as name, address, email and telephone numbers to financial information such as credit card details.

Audit what data you hold, how you obtained it and the consents you obtained from customers about its use.

Determine where and how it is stored, and who has access to data.

Identify problem areas, such as data being stored without encryption, and take steps to fix them.

2. Collect only essential customer data

Collecting unnecessary data is against GDPR rules.

Determine what customer information you need and for what purpose.

For example, don't ask customers for their date of birth if you only need their email address.

Collecting only essential information puts your business in a less risky position should you face a data breach.

3. Delete data once you've finished with it

To ensure you have to protect only essential information, regularly review the customer data you hold.

Update data, remove duplicates and delete information that is no longer required.

Dispose of paper and electronic waste properly.

Shred paper documents and fully delete electronic files.

Simply moving emails, documents and other files to the computer's trash bin does not permanently delete them.

4. Encrypt data and protect customer data in transit

Data should be held securely. This includes encrypting data when not in use and storing it as encrypted files in a password-protected environment.

If data is stolen or lost, the fact it is encrypted will prevent it being accessed.

Data is at higher risk when shuttled from one system to another, such as when customers pay by credit card on your website.

Protect your website by installing a Secure Socket Layer (SSL) certificate and ensuring your website uses Hypertext Transfer Protocol Secure (HTTPS) to encrypt all data.

5. Securely back up customer data

Set up a regular schedule for backing up data to a secure location, with data encrypted during transfer.

Put in place a data recovery plan should you lose access to your data system.

6. Limit access to protect customer data

Not everyone in your company will need full access to customers' personal information.

Create guidelines on how data is shared with third parties, such as partners and suppliers, and who can access customer data and in what circumstances.

Log access to data so you can see what was accessed and by who.

7. Educate employees

Employees can be the weakest link in protecting customer data.

Staff who handle customer information must be kept up-to-date on how to avoid information accidentally landing in the wrong hands.

Provide training on how to spot email phishing scams to prevent employees accidentally installing a virus or sharing passwords with a hacker.

Train staff about GDPR requirements, and limit personal technology use such as mobile phones that include cameras near computers with access to sensitive customer data.

Make sure your business has installed and maintains up-to-date security software.

Get staff to regularly change their passwords.

8. Have a clear privacy policy

Customers need to know that you are protecting their information.

Publish a privacy policy explaining what data you collect, what you do with it and how you protect it.

9. Prepare for the worst

Have a plan in place if the worst happens and you suffer a data breach.

Know who you must contact to report a breach and act quickly.

Under GDPR you must report any data breach to the ICO within 72 hours of it happening.

You must also explain how the breach occurred, what is being done to contain it and the next steps you plan to take.

Act quickly and you could reduce any fine or penalty issued.

Learn more about entrepreneurship with our free online courses in partnership with the Open University.

Our free Learn with Start Up Loans courses include:

Plus free courses on finance and accounting, project management, and leadership.

Disclaimer: The Start -Up Loans Company makes reasonable efforts to keep the content of this article up to date, but we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. This article is intended for general information purposes only and does not constitute advice of any kind, including legal, financial, tax or other professional advice. You should always seek professional or specialist advice or support before doing anything on the basis of the content of this article.

The Start-Up Loans Company is not liable for any loss or damage (foreseeable or not) that may come from relying on this article, whether as result of our negligence, breach of contract or otherwise. “Loss” includes (but is not limited to) any direct, indirect or consequential loss,  loss of income, revenue, benefits,  profits, opportunity, anticipated savings, data. We do not exclude liability for any liability which cannot be excluded or limited under English law. Reference to any person, organisation, business or event does not constitute an endorsement or recommendation from The Start-Up Loans Company, its parent company British Business Bank plc, or the UK Government. 

Your previously read articles