Organizations are under growing pressure to protect themselves and their customers’ private data from an ever-growing threat landscape. As news of data breach after data breach continues to roll in, consumers’ trust in organizations to protect their data is at an all-time low. According to a recent survey by Consumer Reports, 70% of Americans lack confidence that their personal information is private and secure.

Compliance – A Means to Restore Consumers’ Trust

To remain competitive and earn their customers’ trust, businesses need to invest in strong security initiatives. Measures such as regular risk assessments, strong privacy policies and raising organizational security awareness need to be implemented in tandem. That said, there is one thing that must take precedence over all, and that’s regulatory compliance.

In today’s data-driven economy, all organizations need to collect critical data to power their businesses. However, consumers are increasingly reluctant to share their personal information with enterprises, especially those that have been associated with a data breach or are in the headlines for below-par privacy practices. According to a FireEye survey, 76% of respondents would not do business with companies with negligent data handling practices, and 72% said they would share fewer personal details with such companies.

Data security regulations mandate that businesses implement some basic enterprise security protocols and procedures aimed at avoiding data breaches and ensuring the safety of consumers’ private information. Failure to comply with these can result not only in costly data breaches and low brand confidence, but in hefty fines as well.

What’s Changing?

As these regulations continue to evolve, businesses must regularly review their security practices to stay compliant. Listed below are a few upcoming regulatory changes that may impact your business in the next 12 months.

Payment Card Industry Security Standards Council (PCI SSC) version 3.2

Any organization that processes credit or debit card information must be compliant with Payment Card Industry Data Security Standard (PCI DSS). The standard aims to help enterprises protect sensitive cardholder information.

To keep up with the multitude of threats targeting consumers’ credit card information, PCI DSS was recently updated. Under the new requirements, merchants and financial institutions must avoid storing a customer’s credit card data or provide a legitimate business reason for doing so. By February 1, 2018, all businesses must get in line with the new requirements or risk heavy fines.

Enterprises that work with a payment service provider must ensure that the vendor is PCI DSS certified and meets the standards for PCI Compliance Level 1, which has the strictest requirements.

General Data Protection Regulation (GDPR)

Just last year, the long-standing European Safe Harbor agreement, which governed the collection of European Union (EU) citizens’ data by U.S.-based firms, was replaced by the more stringent EU-US Privacy Shield.

However, with the introduction of GDPR, all businesses handling the private information of EU residents will have to be compliant by May 25, 2018. GDPR aims to give citizens and residents back control over their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU.

Under GDPR, individuals will be able to exercise the right to be forgotten and even to move their data from one organization to another. For businesses that collect and process data of customers in the EU, this means more stringent and measurable compliance requirements with even heavier penalties, ranging between two and four percent of worldwide turnover or fines up to €20m (more than USD$23 million).

Adding to ongoing uncertainty among enterprises as they scramble to keep up with regulatory changes, the UK government is seeking to negotiate a deal over data sharing with Europe. Although the UK will not be bound by EU laws after Brexit in 2019, the UK government will implement and abide by the regulation up until then. Additionally, there is strong support in favor of keeping GDPR effective in the UK even after Brexit. All this means that businesses dealing with data of UK citizens will have to keep a close eye on the impact that Brexit may have on the country’s data privacy laws and be prepared to make the necessary adjustments.

Tips For Practicing Better Data Governance

As brands try to find a balance between the dynamic regulatory environment and the need to collect critical data, they can take some simple steps to help reduce the risk of a potential data breach, while maintaining their consumers’ trust.

One of the most commonly used tools for collecting business-critical data is a web form. Web forms are often used by ecommerce sites for checkout, sales organizations for lead capture, and marketing for consumer feedback and surveys. However, when building a form, it is incredibly important to adhere to all applicable laws concerned with collecting and storing electronic data. If you decide to work with a vendor to build your forms, look for companies that demonstrate strong security practices, including third-party audits and certifications such as PCI DSS Level 1 Certification.

Also, it’s critical that you collect only the types of data that you actually need, as a variety of laws may apply depending on the types of data you’re collecting. It may be tempting to anonymize a survey or form so that the data collected is no longer deemed personal and is not governed by privacy laws. However, this is more complex than it seems. For example, for a truly anonymous survey, simply leaving out a respondent’s name and personal information is no longer enough: a computer’s location can still be determined from its IP address, and under GDPR, data is considered truly anonymous only if re-identification is impossible.

Lastly, ensure that you have a clearly defined and easily accessible privacy policy that informs your customers how you will use their information. Consider adding a checkbox to confirm that they have read your privacy policy. Informed and explicit consent is good practice, is already becoming the norm, and will soon be mandatory under the GDPR, so companies should start phasing it in now. Also, help consumers feel more confident about providing personal information by including security seals and wording on your site that describes your commitment to security. Do this especially where you ask your customers to share their private information.
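The three practices above (collect only the fields you need, treat an IP address as identifying data, and require explicit consent against a named privacy policy) can be enforced in the code that receives a form, not just in policy text. The following is an added example and is not code from the original article or from any vendor it mentions. The field allowlist, the "consent" and "policyVersion" form fields, the hypothetical feedback survey, the sample submission and the /24 cut-off for IPv4 addresses are all assumptions made for illustration; choose your own based on what your form's purpose can justify.

```javascript
// Added example, not code from the original article: a dependency-free
// intake handler for a web form that applies the governance tips above.
// It keeps only the fields the form actually needs, refuses submissions
// without explicit consent, and never stores a full IP address, since an
// IP address can still locate (re-identify) a respondent.

// Constructed allowlist for a hypothetical feedback survey. Anything not
// listed here is dropped before the record is stored.
const ALLOWED_FIELDS = ["rating", "comment"];

// Reduce an IPv4 address to its /24 network (last octet zeroed) so the
// stored value no longer points at one machine. Other address formats are
// not stored at all (null). The /24 cut-off is an assumption for this
// example; pick the coarseness your own retention purpose can justify.
function coarsenIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
}

// Validate and minimise one submission. Returns an object describing what
// would be stored, what was dropped, and why a submission was rejected.
function processSubmission(submission, clientIp, currentPolicyVersion) {
  // Explicit consent: the checkbox must be affirmatively ticked (true, not
  // merely present), and the submission must name the policy version the
  // respondent actually saw, so consent can be tied to specific wording.
  if (submission.consent !== true) {
    return { accepted: false, reason: "consent_required" };
  }
  if (submission.policyVersion !== currentPolicyVersion) {
    return { accepted: false, reason: "stale_policy_version" };
  }

  // Data minimisation: copy only allowlisted fields into the stored record.
  const record = {};
  const dropped = [];
  for (const [field, value] of Object.entries(submission)) {
    if (field === "consent" || field === "policyVersion") continue;
    if (ALLOWED_FIELDS.includes(field)) {
      record[field] = value;
    } else {
      dropped.push(field); // posted by the browser, never persisted
    }
  }

  return {
    accepted: true,
    record,
    dropped,
    consent: { given: true, policyVersion: currentPolicyVersion },
    network: coarsenIp(clientIp), // coarse network, not the full address
  };
}

// Constructed sample input: a survey response where the page also posted an
// email field the survey does not need.
const SAMPLE_SUBMISSION = {
  rating: 4,
  comment: "Checkout was quick.",
  email: "respondent@example.com",
  consent: true,
  policyVersion: "2018-05",
};

// Run the sample through the handler with a constructed client address.
function demo() {
  return processSubmission(SAMPLE_SUBMISSION, "203.0.113.42", "2018-05");
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints a record containing only `rating` and `comment`, lists `email` as dropped, and stores `203.0.113.0` rather than the full client address. A submission with the consent box unticked, or one that references an older policy version than the one currently published, is rejected before any field is copied, which is what makes the consent record defensible later.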

Cost of Non-Compliance Is Not Worth the Risk

When consumers share their private information, they place their trust in brands to protect that information. As the risk of data breaches continues to grow and evolve, it is incumbent on companies to continuously update their data security practices to protect their customers’ sensitive data. The average total cost of a data breach is USD$4 million, according to the Ponemon Institute, and this doesn’t even account for the incalculable damage that a data breach causes to your brand reputation and the loss of customer trust. Don’t let your organization lose consumer trust because of something as common and necessary as your web forms. The risk of a data breach is real for all businesses, and protecting yourself and your customers by preparing for the upcoming changes in global data regulations is the only right thing to do.