Customer Data Protection: A Marketer’s Guide to Securing Customer Data

Cybercrime is big business. In fact, research shows that cybercriminals bring in yearly revenues around $1.5 trillion — that’s equal to the GDP of Russia. Cybercriminals make their money through data — they hack systems, steal data, resell it, or sometimes hold it for ransom.

With cybercrime showing no signs of slowing down, protecting customer data is more important than ever. As a marketer, you might think that it’s not your job to protect customer data. That couldn’t be further from the truth.

Marketers have more control to protect customer data than they think. Something as simple as an email address is a piece of customer data that needs to be protected. Almost any piece of data that you collect and store from your customers is something that a cybercriminal might find valuable.

That’s why you need to take extra precaution to protect your customer data. It’s too important to leave data protection up to the tools and processes you use because those are vulnerable, too.

Why is protecting customer data important?

Protecting your customer’s data is important for one huge reason: your business depends on it. If your company doesn’t take steps to protect customer data, you’ll be vulnerable to hacks, which could lead to loss of consumer confidence, customers leaving, fines, lawsuits, and more.

Equifax is a cautionary tale. Their data breach is one of the most well known of the twenty-first century. Overnight, the credit monitoring company lost $4 billion in market value. On top of that, they were recently fined $700 million by the FTC. Two years later, the company is still dealing with negative PR from the data breach.

There are also specific laws, like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), that may require you to protect consumer data. GDPR requires that companies who collect data on EU citizens implement a reasonable measure of data protection. Failing to do so can result in fines.

If you're doing business in California, or collecting data from California residents, then you may be subject to the CCPA. Non-compliance may result in large fines if you do not collect and protect data in accordance with the CCPA.

The GDPR and the CCPA are the two most well-known regulations, but at least 25 states have data protection laws that also affect privately and publicly owned companies.


Even if you don’t have physical business locations within any of the states and countries that have data security laws, you could still be subject to penalties if your data came from citizens who live in those areas.

Five steps to airtight customer data protection

With the GDPR, the CCPA, and other legislation threatening fines for not protecting your customer data, we recommend five steps that all marketers follow to keep their customer data more secure.

1. Only collect vital data

If you focus on only collecting data that is actually vital to your marketing efforts, you’ll do two things:

  • You’ll decrease the external value of your data.

  • You’ll increase consumer confidence.

Decreasing the external value of your data helps data security because hackers are less likely to steal low-value data. If all a hacker has to gain from you is a list of email addresses, they might not put forth the effort.

But, if you’re collecting names, phone numbers, location data, household income, etc., then your data becomes more valuable. The greater number of data points that your company collects, the more valuable it likely is to outsiders.

Only collecting vital data can increase consumer confidence, too. When you’re collecting data that doesn’t seem necessary to the consumer, they might place less faith in your company.

Let’s say you go to download an eBook from a SaaS company. The form asks for the usual Name and Email Address, but it also asks for your ten other data points.



When you see a form with that many fields, it’ll probably cause you to question what that company really needs all that sensitive information for. That may lower your confidence in the company. As a result, you might be less likely to fill out that form because those two data points don’t seem relevant for downloading an eBook.

To evaluate what data is vital to your marketing team, periodically audit every piece of data you collect and ask, “If we didn’t collect this data point, would it drastically change the way we operate?” This is something that should be done at least once a year because, over time, you’ll start collecting unnecessary data without realizing it.

Auditing your data collection is a necessary step in ensuring your company is compliant with applicable Data Privacy Laws. Start by finding all the ways your company collects personal data about your customers. There are obvious places like website forms and analytics tools, but don’t forget about mobile apps and in-store data collection (if you have physical locations).

Let’s say your company’s main product is a CRM. Your product also includes a smartphone app that many of your customers use. Your app collects data about your users’ locations, texts, phone calls, calendars, contacts, and photos. When auditing your data, you need to look at each point of data collection and determine if it’s really necessary.

For your smartphone app, are all of the data collection points necessary?

The calendar data is probably useful for syncing the CRM to a calendar. But, what about user locations? Do you really need to collect that information? Would not collecting it affect the way your business operates? Probably not.

2. Limit access to data

Not everyone on your marketing team needs access to all the data you’re collecting. Your employees also likely don’t need the same level of access to the tools they use. Think about it, do your copywriters need access to the same data that your product marketing team uses?

Limiting access to data means there are fewer points of vulnerability for your organization. Each access point — where someone physically logs into a data analytics tool — is a point of weakness.

If you have 25 user accounts for your website analytics tool, that’s 25 points of vulnerability. If one of those twenty-five accounts has a weak password, you’re leaving your entire system open to a brute-force attack.

Having fewer employees with access to your customer data also reduces the risk of internal data abuse. For example, let’s say you have to fire an employee, but they have access to so many SaaS tools, you’re not even sure what tools they have access to. You cut off their use to ten tools, but you forgot one. They go home and access that tool from their home computer because the data is stored in the cloud. Now, they can do whatever they want with that data.

Had you just limited their access to only the tools they needed, you would have had a better understanding of which tools you needed to cut off.

3. Use password management tools

As we mentioned in Step 2, access points — the login point — are always going to be a vulnerability. You can boost your cybersecurity and reduce the risk of hacks happening here by requiring all employees to use a password management tool.

These tools create and store complex passwords for all of the tools and software that your team uses. Typically, people won’t use complex passwords because they’re too hard to remember. Password management tools make that much simpler by encrypting and storing each password. That way, when someone needs to log in to a tool, they’ll be able to easily pull the login information from the password manager.

Good password management tools use complex encryption for the passwords they store. Encryption makes the password unreadable to anyone without the encryption key. That means if a hacker breaks into your password management tool, all of the passwords will be unusable because they'll be unreadable to the hacker.

encrypt password


Password management tools are even more valuable when your team uses just one login for a specific tool or piece of software. When this happens, teams typically create an easy to remember password and share it with everyone who needs access. There’s no doubt that handling shared passwords that way without further authentication is a massive vulnerability.

A password management tool can make shared logins more secure by storing this login information and giving access to people who need it, without those people actually knowing the login information.

That way, if someone leaves the company, they won’t be able to log in to that tool because they never had the password in the first place.

Password managers also give you a way to easily shut off access to all tools if someone exits the company. Once the employee leaves your company, you can shut off access to the password manager and the user won’t be able to login to any of the other tools they use.

Then, once you’ve done that, you can shut off access to each individual tool, just in case. This reduces the likelihood that you’ll forget to cut off access to one tool. As you can see password managers really go a long way in protecting customer data.

4. Avoid data silos

Data silos aren’t just bad for data analysis; they can also lead to significant data vulnerabilities.

Data silos often mean that different pieces of data are being stored in different places. This often leads to data being stored in non-approved, unsecured applications. It also might result in you losing track of where certain data is stored. If you lose track of where certain data is stored, you might not even realize when you have a data breach.

When you break down data silos, you’ll develop a customer data management strategy. That data management strategy will detail exactly where and how data is handled. That prevents you from storing data in multiple tools, and losing track of what tools you use to handle data.

When you work to eliminate your data silos, you’re also going to use a data tracking plan. This plan helps you keep track of what data you’re collecting and why you’re collecting it. That’ll make your data collection audits, that we mentioned in Step 1, much simpler.

5. Set minimum security standards

Your data is only as secure as the tools you’re using. If you’re using a SaaS tool that handles some of your data, but that tool isn’t secure, your data could be vulnerable.

Anytime you’re considering adding another tool to your marketing stack, evaluate that tool’s security standards. If the tool isn’t as secure as possible, your data isn’t as secure as possible.

Make sure any tool you use complies with either SOC 2 or ISO 27001. Both of those standards require companies that comply with them to continuously monitor and upgrade their data security protocols.

For the tools you’re currently using, double-check their security standards. If they’re not using SOC 2, or ISO 27001, consider finding a more secure alternative.

Protecting customer data is vital to your business

Customers trust you with their most sensitive data, from credit cards to Social Security information, and it’s your responsibility to keep it secure. There’s never been a better time to take steps to protect your customer data with a CDP. If you’ve never evaluated your data protection practices, or it’s been a while since you've done it, these five steps that we outlined above will give you a good place to start.

Frequently asked questions


Segment's Privacy Portal

With the Segment Privacy Portal, you can automate your approach to keeping your customers' data private.

Get started

Getting started is easy

Start connecting your data with Segment.