Spread a security culture throughout the company. This is what the authors of “#RGPD and Marketing: from constraint to opportunity” advocate. Consumers, increasingly worried about how their personal data are exploited, will reward the brands that make good use of them.
How can you run effective marketing programs if your customers or prospects are worried about the security of their data? “No economic sector would be immune” to a cyber attack, according to the report on the extent of the cyber threat in France, published this month by the Ministry of the Interior. Taking cyber risk into account has become a major challenge for all businesses.
Perceptions of data security diverge: 85% of consumers express concerns, while 62% of organizations that have suffered a cyber attack admit they did not tell their customers that their personal data had been compromised. The gap is wide; trust is far from established!
Under the combined effect of massive, widely reported attacks and the RGPD, companies must build a new fortress around personal data. Data security and privacy now land on the marketers' table.
“Security” compliance checklist
Cooperation in the initial audit
As always, “security” compliance starts with an audit of what already exists. Marketers, you will be involved in this security component, which identifies the risks and defines the efforts required for compliance. Here is a list of essential questions that will (probably) be put to you:
– Does your activity involve sensitive personal data?
– Do you know how to trace the personal data you handle, internally and externally with your subcontractors?
– Do your data transit outside the EU?
– Do you know the risk management processes for personal data?
– Do you know the processes for detecting and monitoring leaks?
– Do you have secure access keys?
– Do your contracts with subcontractors contain security clauses?
– Have you tested and implemented a response plan, including notifications and external communication?
Marketing's place in the corporate action plan: the implementation of a “security vulnerability management & risk anticipation” process in line with the RGPD will be led by the Data Protection Officer, in collaboration with the IT and RSSI teams. Depending on how far along the company is on the subject, RGPD compliance may be only one part of the “cybersecurity” action plan the company has defined. To understand your role, here are the generally recommended action plans.
Formalize a security breach management procedure that sets out the milestones
– Procedure for identifying and “technically” correcting the flaw,
– Compilation of a file of technical and legal evidence,
– Procedure for filing a complaint,
– Procedure for declaring the loss to the insurer,
– Procedure for notifying the CNIL and procedure for communicating with individuals: in the event of a personal data breach, it will be necessary to be transparent by declaring it within 3 days to the supervisory authority, and possibly to the persons concerned.
Write standard templates
– Template for the notification to the supervisory authority,
– Communication with the people concerned (mail, SMS, toll-free number …),
– Press release, etc.
Develop a documented security register: collaboration between the ISD, the IHR and the data protection officer
– Ensure that providers with access to the data, or who manage them, comply with data protection and security requirements,
– Ensure that, by default, only the data necessary for the purpose of each processing operation are processed: limit the amount of data collected, anonymize the data, limit the retention period, etc. (Privacy by Default),
– Perform regular technical intrusion and data access tests, with a detailed security incident log,
– Add to subcontracting contracts a clause requiring a security audit,
– Make teams aware of confidentiality and data security issues.
Prepare the framework for impact assessments
Privacy impact assessments (EIVP in French, PIA in English) make it possible to assess the adequacy of the measures taken by the controller against the risks to privacy; upstream, this involves:
– Identifying the processing that is the object of the PIA, both legally and technically,
– Identifying the measures chosen (current or planned) to meet the legal requirements,
– Decision-making: assessing the residual risks and the measures; if the measures envisaged are considered acceptable and the residual risks are low, the PIA is validated.
From constraint to opportunity
Marketers will have to review their practices in light of the RGPD's obligations, but also of new consumer concerns about cybersecurity. At the same time, the Regulation gives organizations an opportunity to build a security culture and increase customer confidence.
What emerges from this initial audit is that security is not only a question of technical means, because the flaws are, in part, related to the daily practices of direct or indirect collaborators who allow themselves “small liberties”. Security is a collective undertaking in which, ultimately, responsibility does not rest with the IT teams alone. This is undoubtedly one of the most complicated consequences to take into account: making every employee in contact with personal data understand his or her own responsibility, just as cashiers who handle cash do. It is an essential training step that must reach every layer of the company, from the IT or CRM teams to the salesperson who collects contact information in the store. The awareness process must also take into account the risks associated with the porosity between professional and personal tools, which exposes the company to multiple risks of data loss.
When it comes to trust, consumer expectations on the subject are high: 85% are worried. By strongly protecting personal data and increasing upstream and downstream security obligations, the RGPD requires organizations to re-evaluate their rules for processing, security, and confidentiality. Trust and transparency are at the heart of the system it imposes.
Retailers and brands must therefore make it a point of honor to reassure customers and prospects about the use of their personal data, and to help them understand how those data are secured. It is true that we hand over information more easily and more serenely when we know exactly how it will be used.
Trust is based on evidence: how do we go from declaration to proof? Standards (ISO 27001), labels and certifications should contribute to this clarification. Companies will be able to communicate that they comply with the GDPR while explaining to their customers what that means. Companies that are proactive on cybersecurity issues will be able to showcase their efforts and turn them into a competitive advantage.