Regarding data security as just a chore is fundamentally wrong. Proper, prudent and transparent handling of personal data should always be in the interest of every company.

Just consider that privacy issues can cause problems with regulators and competitors, as well as enormous damage when criminal or careless employees or even third parties gain access to company data. On top of that, online businesses are still very much built on trust.

A provider who deals non-transparently or even illegally with personal data is not trustworthy. Transparency and good data protection, however, are vital selling points and key building blocks for sustainable online success.

For any company that collects and processes online customer data for marketing and CRM purposes, however, it is quite often simply too difficult to find its way through the jungle of laws and the thicket of data protection compliance rules.

Here are, therefore, a few tips on the proper use of online customer data:

Legal duty to provide information

Companies must inform their customers about the collection of personal data and the nature of the data collected, as well as the extent of its use and its transmission to third parties. This includes providing details on the storage and processing of IP addresses.

Recommended course of action:

Place information regarding data collection and processing under the heading "Privacy" on your website, instantly recognizable and transparent for the user. Make sure that it is easy to understand and available at any time. If you use a web analytics system, point this out to your customers and explain the purpose of the collection as well as the scope and use of the data to be collected.

Be careful with the storage and processing of IP addresses

Most jurisdictions generally consider IP addresses to be personal data, because an IP address allows companies to locate customers, to find out which provider they use, or to know their access bandwidth. Customers must therefore be made aware that their IP addresses are stored and processed, or you need to seek their permission to use them.

Recommended course of action:

Be careful when processing IP addresses, even if they are saved for only a short period of time. When choosing a web analysis system, make sure that it has configuration options that prevent queries about visitors' geographic or provider information.

Grant right of withdrawal and objection

Customers generally have the right to revoke any consent to the use of their data for advertising and market research, and can even object to the formation of user profiles that were created under a pseudonym for market research and analysis. This applies particularly to the deletion of existing personal data, if it is not required for the contractual relationship with the user. From a data protection point of view it is therefore not enough merely to suggest a few browser modifications to the customer, such as blocking cookies.

Recommended course of action:

Save personal and non-personal data in separate databases, as deletion or anonymization of personal information is then straightforward and easily implemented. In general, the more stringently your data is organized, the quicker and easier you can grant your customers their right of withdrawal and objection.

To make sure that your usage data is not saved, you should first turn off the log file of your web server, as IP addresses are usually stored there. That way, the user's IP address is not recorded in the first place, which removes the opportunity to generate personal user profiles from it. Many web analytics vendors offer far-reaching methods to actively exclude a single visitor from data acquisition. When choosing a web analytics provider, you should keep an eye out for such a function, as it is very useful.

Answering privacy questions correctly

Users generally have a right to obtain information regarding the recording of their personal data. Therefore, it is crucial to be prepared for any questions and to establish internal processes for handling such requests.

Recommended course of action:

Appoint a specific contact person for answering questions about data security, who is listed on your website. Integrate either a direct email link into your privacy statement or introduce your company's data protection official by name. On request, you should be able to give clear and correct answers and respond to the concerns of your customers, as soon as possible and with the necessary openness. Refer to your privacy policy if it is available and ensure that all questions are answered in it.

Silence, unfriendly or factually incorrect answers, or a link to a privacy policy that does not contribute relevant content are irresponsible, unprofessional and harmful to the solid relationship of trust companies must build and sustain with their customers.

By Daniela La Marca