DMA to Revise Data-Breach Protection Guidelines
January 29, 2014
In February, DMA will be releasing its revised Guidelines for Ethical Business Practice, and we wanted to give you a little advance notice of what to expect.
"Through DMA's Ethics Policy Committee work, our member practitioners advise that having a 'data breach preparedness plan' is essential," said Senny Boone, Esq., senior vice president of compliance for DMA. For all data collected, DMA recommends considering an information management program that addresses data minimization, retention, access, use, communication, storage and disposal. As Boone explains, "Collect only what you need, be clear with people about how their data will be used, use data only in the way you say you will, regularly clean and purge data to ensure accuracy, communicate how each information type will be used and protected based on its value and importance, store data in a tested, secure manner and dispose of paper and information in a secure manner. It sounds logical in concept, but it won't happen unless every marketing organization takes a purposeful approach to privacy and data security," she said.
Article #37 of the DMA Guidelines calls on marketers to accept the role of data steward, particularly around protecting consumer data used by your organization. "The protection of personally identifiable information is the responsibility of all organizations," the Guidelines state. "Therefore, organizations should assume the following responsibilities to provide secure transactions and to protect databases containing personally identifiable information against unauthorized access, alteration, or dissemination of data."
The revised Guidelines are being presented for approval to the DMA Board of Directors at the end of January, and will be promoted to and shared with the full membership quickly thereafter. They ask members to:
Establish written data security policies and procedures reflective of current business practices (including written policies and procedures related to personal devices vs. company-provided devices). These should be a dynamic and active set of guiding principles for the organization, in marketing and across the business. Organizations are asked to monitor and assess data security safeguards periodically.
Provide data security training for relevant staff, including staff who use their own devices to perform their duties, to prevent unauthorized access to the organization's data.