DMA Member Alert: Prepare for Data Security Breach Issues NOW Using Our New Compliance Guidelines
Every marketer in the land reads the recent headlines about data breaches with a catch in the throat, a pounding heart – and let’s admit it – an uneasy sense of relief at having escaped this nightmare… for now.
We know that such situations are a risk of modern business. While they are difficult to prevent, the best defense is a strong offense, and DMA standards will help you ensure your business is protected and ready. In fact, through the DMA’s Ethics Policy Committee work, our member practitioners advise that having a “data breach preparedness plan” is essential across your organization.
Marketers are more important than ever as the heart of the data stream within companies and organizations and must “lean in” and lead on data practices internally and with their partners. DMA Ethical Business Guidelines have always included standards around client notification and preparedness, but with advanced technology now powering so much of our data-driven practices, and with the risk from outside hackers ever higher, we’ve been working to update and improve the Guidelines this past year.
For all data collected, DMA recommends considering an information management program that addresses Data Minimization, Retention, Access, Use, Communication, Storage and Disposal. Basically, this means, “Collect only what you need, be clear with people how their data will be used, use data only in the way you say you will, regularly clean and purge data to ensure accuracy, communicate how each information type will be used and protected based on its value and importance, store data in a tested, secure manner and dispose of paper and information in a secure manner,” says Senny Boone, Esq., SVP of Compliance for DMA.
“It sounds logical in concept, but it won’t happen unless every marketing organization takes a purposeful approach to privacy and data security,” she said.
Article #37 of the DMA Guidelines calls on marketers to accept the role of data steward, particularly around protecting consumer data used by your organization. “The protection of personally identifiable information is the responsibility of all organizations,” the Guidelines state. “Therefore, organizations should assume the following responsibilities to provide secure transactions and to protect databases containing personally identifiable information against unauthorized access, alteration, or dissemination of data.”
The revised Guidelines are being presented for approval to the DMA Board of Directors at the end of January, and will be promoted to and shared with the full membership quickly thereafter. They ask members to:
- Establish written data security policies and procedures reflective of current business practices (including written policies and procedures related to personal devices v. company-provided devices). These should be a dynamic and active set of guiding principles for the organization – in marketing and across the business. Organizations are asked to monitor and assess data security safeguards periodically.
- Provide data security training for relevant staff, including staff who use their own devices to perform their duties, to prevent unauthorized access to the organization’s data.
- Include contractual safeguards. Set up a data security breach readiness plan appropriate for the level of data collection. This should include periodic audits of data collection, an assessment of the information collected, a commitment to a data minimization plan and information priority classification scheme, including data destruction and purging, appropriate encryption and password security, and a crisis notification plan and early warning alerts for all stakeholders, including anyone personally affected by data breaches (unless barred due to pending law enforcement investigations).
- Organizations collecting sensitive data must ensure added data security measures are taken to protect such data online and via digital channels like email, mobile and web/display.
Actions for DMA Members:
- Watch for the release of the new DMA Ethical Guidelines in early February 2014.
- Convene an internal conversation with marketing, IT, privacy and legal teams to begin to audit and assess your own practices. Use our Table of Responsible Marketing Permissions guide to help.
- Read our recent free whitepaper on Data Governance (written by Winterberry Group) for ideas on how to discuss this topic internally.
- Train your team with our Data Matters governance and stewardship certification class – a must for every modern marketing team.
- Participate in virtual and in-person roundtables with other DMA members on the challenges, approaches and pitfalls. Let us know if you are interested in a “What is Working Now” session this quarter – details to be announced.