Main illustration: Eddie Perrote
When building your products, the security and privacy of your customers’ data needs to be a top priority.
And that is also true when selling and marketing your product, particularly with the arrival of GDPR, which has brought the issue of data security and privacy to widespread public awareness. It is at this point that companies need to focus on bringing their privacy ecosystem up to the required standards.
The EU’s General Data Protection Regulation (GDPR) is a major regulatory change that will affect all companies with EU customers or users – and because it applies to companies no matter where they may be, it has a truly global reach. Most sales and support teams are already well versed in conversations about data deletion, risk assessments and security frameworks, but those issues are going to become an even more prominent part of the discussion once GDPR comes into effect.
When the current EU data protection laws were introduced in 1995, they were governing an industry that had just launched Internet Explorer 1 and DVDs. European legislators are now playing catch-up with the major changes in the industry over the past 20 years. The GDPR attempts to standardize the way businesses handle people’s data, making users confident it’s in safe hands. The principle behind GDPR is to make companies more accountable for the data they hold and the way they handle it.
Companies with EU customers will have to legally justify the processing of the personal data they collect, as well as ensuring that users can easily access their own data and remove consent for its use, change privacy settings and permanently delete their data.
We are taking a number of steps to ensure compliance with GDPR, but now is the time to consider the entirety of your security and data privacy strategy, both in terms of how you build it and how you communicate it.
What is a ‘privacy ecosystem’ and why it matters
You are only as strong as the weakest link in your privacy ecosystem.
When businesses collaborate and share information about their customers, they create their own privacy ecosystem. Companies reviewing their security and privacy standards need to look at the whole landscape, taking into account all vendors and integrations, as opposed to just focusing on their own product and database. The rise of SaaS companies integrating with one another has increased a high level of intricate interdependency, raising the question of where any one company’s liability for data security begins and ends.
For platform companies such as Intercom, we plug into other products and platforms as needed. Figuring out where responsibility lies in that network can be a legal and technical minefield, but a data breach is a data breach and will damage customer trust no matter where or why it occurs. You don’t need to be closely following the news to realize you are only as strong as the weakest link in your privacy ecosystem.
What makes a strong privacy ecosystem
Invest in your security program
Your security program is the way you protect you and your customers from external attacks and data breaches. The increased interdependency between your product, your integrations, your vendors and everyone your company shares sensitive data with makes your whole ecosystem more vulnerable to attack. Therefore it is essential to invest in your own security program and ensure that every link in your ecosystem follows a similar approach.
A strong security program should foster a sense of healthy paranoia about potential security risks throughout your organization, and should feature staff training, a responsible vulnerability disclosure programme, and a strong monitoring and alerting program, at the very least.
A high level priority for businesses to focus on is detection. Penetration testing and regular vulnerability assessments are services that help you assess applications and your infrastructure for security vulnerabilities and the overall effectiveness of your security controls. Network scans and assessments, running 24 hours a day, can help to continuously monitor every point of access to your systems, identify any vulnerability and alert you if anything tries to enter it.
Know your own systems
In a rapidly growing company where engineers are building a fast-iterating product, it can be hard to keep track of every database table or stay on top of every algorithm. Compliance managers don’t want to slow engineers down, but rigorously keeping track of how data is handled throughout a product is essential.
Track and reduce access to data that is not needed.
Pertinent to knowing your own systems is also tracking and reducing access to data that is not needed. If you or other teams don’t need access to certain types of data, you shouldn’t have it, and having systems in place to manage that is essential.
Massive auditing jobs to discover every table and bucket of information that people might have forgotten about suddenly becomes an extremely time and labor-intensive clean-up operation. Fortunately, with the new regulations in place, it will become harder to store unnecessary data – engineering teams have had to become a lot more mindful and are in a much better position to carefully catalog what they own and create.
Choose vendors/partners that you trust
GDPR makes organizations accountable for data breaches caused by third-party service providers. Companies are currently assessing all their vendors that have access to sensitive data. We all rely on other products to run certain parts of our system, and we need to share data with those companies, but a weak vendor can bring the whole system down. Therefore, just assuming that third-party vendors and partners take compliance and security as seriously as you is a big mistake.
To hit all the GDPR requirements, companies need to ensure that their partners and vendors have equal responsibilities and a mature security program in place. One way to do so is to set up contractual assurances that compliance will be achieved by all your vendors. Auditing third party service providers on a regular basis will help to meet regulatory requirements.
Establish best practices and share them with your community
If you’re inviting people to build on your platform, set the tone from the top and establish clear rules and best practices within your developer integration communities. People that monitor and support your community need to be privacy minded. Setting up developer guidelines will help current and future collaborations and integrations. As the law around GDPR becomes clearer, mutually recognized auditing systems will become more of a standard and a regular feature of data protection and privacy.
Communicate actively with your customers about privacy
You can have a technically strong privacy ecosystem but what also matters is the degree to which you are communicating that to your customers and levels of trust you build up with them. Active communication and transparency are key to customer trust.
Sales, customer support and marketing teams are often the first contact to prospects, so ensure that all your staff are properly trained and aware of the implications of GDPR. They will be the ones who will have to answer to your clients and explain how your company aligns with GDPR. Proper GDPR knowledge will be a huge differentiator for sales people as it will determine whether the customer trusts to get involved with you or opts out at an early stage. Some customers genuinely don’t know how your back end systems work, so you need to be straightforward and explain what’s happening.
Active communication and transparency are key to customer trust.
Also, the more clearly you signal your dedication to upholding these best practices, the more it will become a marketing differentiator – while the GDPR will apply to everyone, those who most successfully broadcast their commitment to its tenets will have an advantage in the marketplace.
The worst thing that can happen is that your customers are confused about whether their data is safe. Confusion = no trust. Be transparent and explain how data is stored, retained and deleted from your system. Communication is key – without communication there will be no trust, and without trust you will most possibly lose more than your reputation in the event of a breach.
Ultimately, GDPR is ushering in a new era of digital privacy and security. With these changes, there are many burdens and new responsibilities, but also many advantages and opportunities. Those companies that take the chance to reinforce their privacy ecosystem, and communicate that to their customers, will reap many rewards in the years ahead.