One of my favorite films has an important data-privacy and security message for marketers: “Take only what you need to survive.”
The quote comes from Mel Brooks’ 1987 cult hit Spaceballs. Bill Pullman’s character gives this instruction to Daphne Zuniga’s character as their group prepares to trek across a barren wasteland. In the next scene, Pullman and John Candy are seen struggling in the hot desert sun as they lug around a comically large suitcase. When they set it down and open it, they find that Zuniga’s character has stored in it a similarly large and heavy hair dryer.
“I can’t live without it!” declares Zuniga.
This is the situation in which a lot of privacy officers and CISOs find themselves. They have explicitly directed their companies’ marketers to minimize the amount of data they are burdening the company with. And many happy-go-lucky marketers think they are complying — as they compel their privacy officers and CISOs to shoulder the weight of a lot of stuff they had not considered doing without.
This isn’t to criticize marketers; marketers generally aren’t trained to think like security teams or compliance specialists — just as privacy officers and CISOs generally aren’t trained to think like marketers. Below I’ve outlined three common ways that marketers often wind up carrying around more data burdens than they really should in the interests of privacy, security, and compliance — and how they can lighten the load.
1. Source your data.
Stop me if you’ve heard this one. A company purchases a massive and indiscriminately kept collection of contacts — perhaps made up of smaller lists purchased from multiple parties. Wielding that super-list, the company’s top brass tells its sales team to go out and sell because the company has tens of thousands of leads.
But, of course, the company does not have tens of thousands of leads; it has tens of thousands of email addresses. Hardly the mythical sales-enablement power of the Glengarry leads.
The sales and marketing utility of a frigidly cold list of contacts aside, what happens when that company’s contact lists get breached? Or if too many people on such a list file complaints with a regulatory authority? If GDPR and/or similar laws apply, can the company account for having the requisite consent to have that information to begin with? Can it even trace back the source of that information? If not, the company might do best to get rid of the data — or get ready for regulators and politicians to come a-knocking (to say nothing of serious brand damage or any possible private lawsuits).
And speaking of vendors…
2. Clean up access credentials.
From time to time, a company fires (or fails to renew its contract with) a social-media services vendor. But then it forgets or neglects to revoke the vendor’s access to all of the company’s social-media channels (Facebook, Instagram, Twitter, etc.) and/or other services.
And the vendor, all too happy to maintain access in the hopes of getting picked up again and/or to keep tabs on the former client, likewise “forgets” to bow out or give the former client a heads up. This happens all the time — and it’s a huge data risk. Even setting aside all the unlawful damage a bitter vendor could intentionally do to an ex-client they’re hung up on, the situation presents an enormous data-privacy, security, and compliance exposure for the ex-client firm and the vendor alike.
Companies’ social-networking accounts — in particular, the messaging features thereof — are often storehouses of personally identifiable information (PII) belonging to customers and/or employees, past and present. Consequently, if an unauthorized user compromises either side of the equation (whether the vendor or the former client), that user then may compromise any and all PII (along with any other sensitive information) present on or accessible through the company’s social account(s). And if that happens, either or both sides may be on the hook for enhanced regulatory scrutiny, fines, or other legal liabilities.
Therefore, both in-house social-media teams and social-media vendors alike should promptly sever account-access ties and ensure all applicable passwords are changed once the vendor-client relationship comes to an end — absent a compelling reason otherwise. Best practice also calls for in-house marketers and marketing vendors to routinely conduct “Spring cleanings” to make sure that nobody can access what they’re not supposed to — minimizing all parties’ respective attack surfaces.
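The “spring cleaning” described above can be made routine rather than heroic by reconciling who currently holds a seat on each social account against who is still under contract. The following Python script is an added example, not code from the article: the organisations, accounts and e-mail addresses are constructed, and the 90-day inactivity threshold is an assumption a reviewer would set to taste. It flags seats held by a vendor whose relationship has ended, seats nobody has used recently, and shared account passwords that were never rotated after a vendor left.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# All data below is constructed for the example; the organisation, vendor
# and account names are invented.

@dataclass(frozen=True)
class Relationship:
    org: str                    # the company itself, or a vendor
    ended_on: Optional[date]    # None while the relationship is active

@dataclass(frozen=True)
class Grant:
    platform: str
    account: str
    principal: str              # the person or vendor seat holding access
    org: str                    # which Relationship the principal belongs to
    role: str
    last_login: date

@dataclass(frozen=True)
class SharedCredential:
    platform: str
    account: str
    last_rotated: date          # when the account's shared password last changed

TODAY = date(2024, 6, 1)
INACTIVE_AFTER = timedelta(days=90)   # assumed review threshold

RELATIONSHIPS = [
    Relationship("example-corp", None),                # the client firm itself
    Relationship("current-agency", None),              # vendor still under contract
    Relationship("former-agency", date(2024, 2, 15)),  # contract ended, access never revoked
]

GRANTS = [
    Grant("Facebook", "ExampleCorp", "pat@example-corp.test", "example-corp", "admin", date(2024, 5, 30)),
    Grant("Facebook", "ExampleCorp", "social@current-agency.test", "current-agency", "editor", date(2024, 5, 29)),
    Grant("Instagram", "examplecorp", "ops@former-agency.test", "former-agency", "admin", date(2024, 2, 10)),
    Grant("Twitter", "ExampleCorp", "intern@example-corp.test", "example-corp", "editor", date(2023, 11, 1)),
]

SHARED_CREDENTIALS = [
    SharedCredential("Instagram", "examplecorp", date(2023, 9, 1)),   # predates the vendor's exit
    SharedCredential("Twitter", "ExampleCorp", date(2024, 3, 1)),
]

def ended_orgs(relationships):
    """Map each org whose relationship has ended to the date it ended."""
    return {r.org: r.ended_on for r in relationships if r.ended_on is not None}

def review_grants(grants, relationships, today=TODAY, inactive_after=INACTIVE_AFTER):
    """Return (grant, reason) pairs the access review should act on:
    seats held by a departed org, and seats nobody has used recently."""
    ended = ended_orgs(relationships)
    findings = []
    for g in grants:
        if g.org in ended:
            findings.append((g, f"relationship with {g.org} ended {ended[g.org].isoformat()}; revoke"))
        elif today - g.last_login > inactive_after:
            days = (today - g.last_login).days
            findings.append((g, f"no login for {days} days; confirm the need or revoke"))
    return findings

def credentials_to_rotate(creds, grants, relationships):
    """Shared logins that a departed org once held and whose password was
    not changed after the day that relationship ended."""
    ended = ended_orgs(relationships)
    last_departure = {}   # (platform, account) -> latest departure date among its ex-holders
    for g in grants:
        if g.org in ended:
            key = (g.platform, g.account)
            last_departure[key] = max(last_departure.get(key, date.min), ended[g.org])
    return [c for c in creds
            if (c.platform, c.account) in last_departure
            and c.last_rotated <= last_departure[(c.platform, c.account)]]

if __name__ == "__main__":
    for grant, reason in review_grants(GRANTS, RELATIONSHIPS):
        print(f"{grant.platform}/{grant.account} {grant.principal} ({grant.role}): {reason}")
    for cred in credentials_to_rotate(SHARED_CREDENTIALS, GRANTS, RELATIONSHIPS):
        print(f"rotate shared password for {cred.platform}/{cred.account} (last rotated {cred.last_rotated})")
```

On the constructed data the review surfaces the former agency’s still-live Instagram admin seat, an in-house editor seat idle for 213 days, and the Instagram shared password that was last changed before that agency left. In practice the grant list comes from each platform’s own role or page-access settings and the relationship list from procurement or HR, and the review is worth running on a calendar, not only when someone remembers.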
3. Assess and throw out the obsolete and unnecessary.
For that matter, marketers would do well to not hoard customer PII and other sensitive data to begin with. That way, if a “leak” exists somewhere — whether it takes the form of a former contractor or employee with unrevoked access, or otherwise — the amount of damage that can result from that leak is mitigated.
Indeed, under some data-privacy laws and depending on the circumstances, an organization may be on the hook for a fine or other legal liability from a data leak even if there is no evidence that a human being ever used or further shared the data. Thus, if a prospect or customer had a digital interaction with a company in, say, 2009 (whether via social media or otherwise), and that correspondence still exists somewhere, the company would do well to ask itself three questions about those records:
- Are we required by law or regulation to either keep or destroy this information?
- Assuming we have a choice, how likely is it that we still need this information?
- If we do need it, how problematic would it be to replace or re-obtain this information?
The answers to those questions should guide all data-retention decisions as to third-party correspondences and other personal data. Of course, that requires regularly reviewing and keeping track of such data. It can be hard work, but as GDPR and other data-privacy regulations have increasingly put marketers in the data-compliance game, marketing departments are effectively losing the option to opt out of such responsibilities.
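The three questions above can be applied mechanically across a whole archive of old correspondence before anyone has to look at individual records. The Python below is an added example, not code from the article: the records, dates and the three-year retention window are constructed, and treating a record’s age as the proxy for “how likely is it that we still need this” is an assumption, one a real policy would refine per data category. It asks the questions in the article’s order, so a legal duty to keep or destroy always wins, and only records that are both old and hard to replace are escalated to a human.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Record:
    record_id: str
    channel: str                        # where the correspondence lives, e.g. "social-dm"
    last_interaction: date
    legal_hold: bool = False            # Q1: law, regulation or litigation requires keeping it
    destroy_by: Optional[date] = None   # Q1: law or regulation requires destruction by this date
    replaceable: bool = True            # Q3: could it be re-obtained from the person if needed?

@dataclass(frozen=True)
class Policy:
    retention_years: float   # Q2 proxy: older than this, assume the data is no longer needed

TODAY = date(2024, 6, 1)
POLICY = Policy(retention_years=3)   # assumed window for the example

# Constructed sample records; ids and dates are invented.
RECORDS = [
    Record("r1", "social-dm", date(2009, 4, 12)),                      # the 2009 case from the text
    Record("r2", "email", date(2022, 1, 10)),
    Record("r3", "web-form", date(2015, 7, 1), legal_hold=True),
    Record("r4", "social-dm", date(2016, 3, 3), replaceable=False),
    Record("r5", "email", date(2019, 8, 20), destroy_by=date(2024, 1, 1)),
]

def decide(record, policy, today):
    """Apply the three questions in order and return (action, reason)."""
    # Q1: does law or regulation settle it?
    if record.legal_hold:
        return "KEEP", "legal hold or statutory retention duty"
    if record.destroy_by is not None and today >= record.destroy_by:
        return "DESTROY", f"destruction mandated by {record.destroy_by.isoformat()}"
    # Q2: is it likely still needed? Age against the retention window is the proxy here.
    age_years = (today - record.last_interaction).days / 365.25
    if age_years <= policy.retention_years:
        return "KEEP", f"{age_years:.1f} years old, within {policy.retention_years}-year window"
    # Q3: if it turned out to be needed after all, how hard would it be to get back?
    if record.replaceable:
        return "DESTROY", f"{age_years:.1f} years old and re-obtainable"
    return "REVIEW", f"{age_years:.1f} years old but hard to replace; needs a human decision"

def run_review(records, policy=POLICY, today=TODAY):
    """Map record id -> action for a whole data set."""
    return {r.record_id: decide(r, policy, today)[0] for r in records}

if __name__ == "__main__":
    for r in RECORDS:
        action, reason = decide(r, POLICY, TODAY)
        print(f"{r.record_id} ({r.channel}, last {r.last_interaction}): {action} - {reason}")
```

Run against the constructed set, the 2009 social-media thread is queued for destruction, the record under legal hold stays regardless of age, the record with a mandated destruction date is destroyed even though it is otherwise unremarkable, and only the old, hard-to-replace record lands in the review queue. The point is that the answers to the three questions become data on the record rather than tribal knowledge, which is what makes “regularly reviewing and keeping track of such data” feasible at scale.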
Note: This article is provided for informational, educational, and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication, or affirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.