From the DMA: January 28, 2014—Recent headlines have been full of news about data breaches, and the Direct Marketing Association (DMA) knows that such situations are a risk of modern business. While they are difficult to prevent, DMA believes that the best defense is a strong offense, and DMA standards help businesses ensure that they are protected and ready.
In February, DMA will be releasing its revised Guidelines for Ethical Business Practice, and we wanted to give you a little advance notice of what to expect.
"Through DMA's Ethics Policy Committee work, our member practitioners advise that having a 'data breach preparedness plan' is essential," said Senny Boone, Esq., senior vice president of compliance for DMA. For all data collected, DMA recommends considering an information management program that addresses data minimization, retention, access, use, communication, storage and disposal. As Boone explains, "Collect only what you need, be clear with people how their data will be used, use data only in the way you say you will, regularly clean and purge data to ensure accuracy, communicate how each information type will be used and protected based on its value and importance, store data in a tested, secure manner and dispose of paper and information in a secure manner. It sounds logical in concept, but it won't happen unless every marketing organization takes a purposeful approach to privacy and data security," she said.
Article #37 of the DMA Guidelines calls on marketers to accept the role of data steward, particularly around protecting consumer data used by your organization. "The protection of personally identifiable information is the responsibility of all organizations," the Guidelines state. "Therefore, organizations should assume the following responsibilities to provide secure transactions and to protect databases containing personally identifiable information against unauthorized access, alteration, or dissemination of data."
The revised Guidelines are being presented for approval to the DMA Board of Directors at the end of January, and will be promoted to and shared with the full membership quickly thereafter. They ask members to:
Establish written data security policies and procedures reflective of current business practices (including written policies and procedures covering personal devices vs. company-provided devices). These should be a dynamic and active set of guiding principles for the organization, in marketing and across the business. Organizations are asked to monitor and assess their data security safeguards periodically.
Provide data security training, aimed at preventing unauthorized access to the organization's data, for relevant staff, including staff who use their own devices to perform their duties.
Include contractual safeguards with third parties that handle the organization's data. Set up a data security breach readiness plan appropriate for the level of data collection. This should include periodic audits of data collection; an assessment of the information collected; a commitment to a data minimization plan and an information priority classification scheme, including data destruction and purging; appropriate encryption and password security; and a crisis notification plan with early warning alerts for all stakeholders, including anyone personally affected by a data breach (unless notification is barred due to a pending law enforcement investigation).
Organizations collecting sensitive data must ensure added data security measures are taken to protect such data online and via digital channels like email, mobile and web/display.