Skip to content

How to Protect Customer Data — and Your Company


Most of us have probably seen that commercial where the bank security guard stands idly by during a robbery, explaining that he’s just there for monitoring, not preventing. It’s a good illustration of how important it is for businesses to think about digital integrity holistically rather than one piece at a time.

Your online presence is the face your company shows the world. It’s your identity. And it tells customers as much about your credibility and integrity as any business strategy. Customers want to know that they can trust your content and what is behind it – that it says what it means, that it’s consistent, that it’s accurate, and that you stand by it. And they want to know how you’re going to protect the information they share with you.

Your online presence tells customers as much about your credibility as any business strategy, says @kpodnar. Click To Tweet

While developing a digital policy may not be at the top of your things-to-spend-time-and-money-on list, it really should be because the consequences of not having a policy are scary.

Why is digital integrity important?

Let’s start with data breaches since that’s the issue that captures the most headlines. From forensics and fines to lawsuits and lost time, the expenses associated with a breach pile up quickly. And that’s just the beginning.

A distributed denial of service (DDoS) attack, for example, could prevent you from conducting business for a time. And if the attack slows your site’s load time, your customers may not do business with you. Research shows that nearly half of all customers won’t wait more than three seconds for a page to load. They click over to a competitor – and a lot won’t come back.

Then there’s a general lack of confidence. How are customers supposed to trust you with their business when you aren’t even taking care of your own digital security?

How can your subscribers trust you with their business if you can’t guard their personal data? @kpodnar Click To Tweet

Your online integrity is about a lot more than just protecting the audience’s personal information (although that’s important, too). It requires a multifaceted, holistic digital policy incorporated into your daily business processes.

Let’s look at what that means.

Components of a holistic digital policy

Data collection

Brands slowly but surely have adopted a more-is-more mindset when it comes to data. The more data points, the better, right? Even at brick-and-mortar stores, it’s hard to make a purchase without being asked for name, address, phone number, email, or maybe even birthday. And, sure, your business can do a lot with that information in terms of market segmentation and analytics.

But … the more data you collect from your audience, the more you – and they – stand to lose if you suffer a breach. To put it in business terms, you need to do a risk-benefit analysis. If you’re truly using all the data you’re collecting – and the return on investment is worth the risk – fine. But if you’re collecting data just because you can, the risks quickly outweigh the benefits. Collect data only when it’s critical to your business.

Collect data only when it’s critical to your business, says @kpodnar. Click To Tweet

Questions to ask:

  • What information do we collect from our customers? Where do we keep it? How do we secure it?
  • Who wants the data (marketing, product development, etc.)? What do they do with it? Could others within our company use the same information to increase the benefits, making the risk worthwhile?
  • What information do we really need to collect from our customers, and why do we need it?
  • How does each data point enhance or support our business model?

Data storage

The natural result of collecting a lot of data is the need to store that data. And stored data is a liability. Do you really need to keep email addresses and purchase histories from people you haven’t connected with in years? Customer data collection isn’t a situation for, “Well, it might come in handy someday.” The safest remedy is to store only as much data as is critical to your business.

It might help to think of it this way: Imagine you had a breach, and you’re in a face-to-face meeting with a customer whose personal data was stolen. How comfortable would you be looking that customer in the eye and explaining your need for each data point?

Questions to ask:

  • What data do we store? Is there a business justification for each data point?
  • Where do we store our data? Who has access to it? What security measures are in place?
  • What are the risks of keeping the data? Does the data include enough points to be personally identifiable? If so, what obligation do we have to our customers?
  • If we do need to store multiple data points, how long do we need to keep them? (For example, do we need to keep a customer’s email address and other information after the conclusion of a trial period?) What processes can we use to make that happen? Should data automatically be deleted after a certain time or should there be a human review process?
  • Are the servers that store sensitive data separate from our servers on less-secure networks? Or could someone access sensitive data by hacking into a less-secure device?

Regulatory requirements

One of the toughest challenges of operating in a global economy is sorting through the applicable rules and regulations. The United States, for example, has laws regulating the collection, use, and storage of customer information. Many states also have their own regulations, some of which are stricter than the federal laws. And it becomes even more complex when your business crosses national boundaries.

To gain a perspective on how complex a process this can be, think about cloud-based services, which are, by nature, independent of a geographic location. What does that mean legally? Do regulations regarding data kept in that cloud service apply based on where the company is headquartered, where it has physical locations, where the customers lives, or where the servers with all of the data are stored? Or all of the above?

This is one area where it’s critical to get professional guidance, whether from an attorney or from a digital policy expert. There are just too many moving pieces to carry that much risk yourself.

Questions to ask:

Prepare for your initial meeting with a professional by jotting down as many relevant facts and questions as you can come up with, such as:

  • How do we figure out which regulations we must comply with? For example, what if we have neither offices nor servers in a given country, but we do have users who live there? What if we have a shared server in a country but conduct no other business there?
  • How frequently do these regulations change, and what’s the best way to keep up with these changes and incorporate them into our digital policy?
  • What are the penalties for a first violation in any given jurisdiction?
  • How can we be sure we’re not breaking any country’s data privacy laws?
  • What are some best practices that other companies have identified?

Incident monitoring and response

Having a good digital policy won’t necessarily stop a breach from happening, but it will go a long way toward mitigating the damages. It’s important to have a crisis response plan that includes everything from the discovery of a breach to communicating the situation to your customers (as well as to any relevant legal agencies). Your policy should identify the person responsible for each step of the response plan and include frequent re-evaluation to make sure each person is still in the same job and knows what to do.

A crisis response plan details how to notify your audience if a data breach occurs, advises @kpodnar. Click To Tweet

Questions to ask:

  • How do we become aware of a breach? Do we have systems that notify us immediately when unusual activity is detected, or do we only find out when we’re in crisis mode?
  • What do we do to stop an attack once it’s detected? Do the people responsible for mitigating an attack have the proper skills, training, and tools?
  • Who within the company needs to be notified, and in what order? If an attack is detected during overnight hours, can it wait until morning, or are there people who need to be alerted immediately?
  • If an attack is severe enough to cause a work stoppage, do we have a backup plan in place? Does everybody know what it is and how to launch it?
  • What regulations apply? Which authorities must be notified, and whose job is it to do that?
  • Whose responsibility is it to talk to the media?
  • What actions do we need to take on behalf of customers (such as notifying them that their data may have been compromised)?

External risks

As interconnected as businesses are these days, risks don’t exist only within your own walls. Any third party with access to any of your networks is a potential source of a breach. It’s important to think up and down your supply chain, and throughout your partner networks to make sure you’re not unintentionally creating a policy that for all practical purposes doesn’t really protect you.

Questions to ask:

  • What parties have access to our system (vendors, outsourcing partners, consultants, outsourced IT support, SaaS products, etc.)? What digital policies and security protocols do they have?
  • Does the external partner’s policy go far enough? Or have important questions been left unanswered?
  • Does the company follow the digital policy or does it just give lip service?
  • In the case of a breach that originates – intentionally or not – through a third-party provider, who’s liable? Whose response plan takes precedence? Who’s responsible for fines and customer compensation, if relevant?
  • Are the answers to the data security questions spelled out in our contracts?

Policy development

Gathering data is the first step. Getting the buy-in to create a digital policy and the authority to implement it is the next step. Usually, this process works best with a cross-functional team so that all interests can be represented.

Questions to ask:

  • Who are our stakeholders? Who will be affected by this policy?
  • What conflicting interests must be managed (such as legal vs. marketing)?
  • Do we have everything we need to know to craft a good policy? Is there anyone we forgot to include?
  • What could go wrong, and what can we do to prevent it?

Change management

Few people like change, and even fewer people like change that seems to be random and unnecessary. That’s even more true when that change makes a process more difficult and time-consuming. Selling the “why” of a digital policy is central to overcoming resistance.

Questions to ask:

  • Can we clearly and consistently articulate the importance of having a digital policy? (Hint: Employees are unlikely to accept “because our lawyers said so” as a compelling reason.)
  • Whose jobs are affected by these changes, and in what ways? What can we do to offset any unintended negative impact?
  • What might employees see as drawbacks of a digital policy, and what benefits can we communicate to counter that perception?

Plan implementation

This is where a lot of digital policies go wrong: Companies stop right before the finish line. But a policy never correctly implemented – or universally ignored – is riskier than not having a policy. That’s because a policy provides documented proof that your company was aware of the risks.

Data security plans go wrong when companies stop before the finish line (correct implementation). @kpodnar Click To Tweet

Questions to ask:

  • Where does the policy live? How do employees know where to find it when they need it? Do they have immediate access, or do they need to ask for authorization to access the files?
  • Is the policy easy to use? Is there a table of contents that an employee can use to go straight to the appropriate section? Is it searchable?
  • Who can make changes to the document, and are people without authorization to change it technically prevented from doing so?
  • How can we make the policy easier to use? Can we provide employees with a checklist or wizard? Can we incorporate it into our business processes so that much of the compliance happens behind the scenes? How can we make it easy for employees to comply with the policy and difficult to violate it?


“Have a digital policy” isn’t something you can scratch off your to-do list. It’s an ongoing process that must be revisited over the years as people, processes, and technologies change.

Questions to ask:

  • How can we make sure our digital policy is being used? How can we track compliance?
  • What corrective action do we take if the policy is being violated (intentionally or not)?
  • How do we make sure our policy keeps up with changing circumstances and new threats?


If I had one wish for companies struggling with their digital policies, it would be to look at the situation holistically. Think of it like parenting: We don’t prepare our kids for kindergarten and then congratulate ourselves on a job well done. Raising a child is an evolving process, one that includes everything from nutrition to exercise to education to character – and sometimes, eventually, to babysitting grandchildren. While you might not feel the same passion for your digital policy as you do for your children, both require supervision, care, and nurturing.

Sign up for our weekly Content Strategy for Marketers e-newsletter, which features exclusive stories and insights from CMI Chief Content Adviser Robert Rose. If you’re like many other marketers we meet, you’ll come to look forward to reading his thoughts every Saturday.

Cover image by Skeeze via