×
DMA: Data and Marketing Association
Consumer Help

Data Security

*Effective July 18, 2018. To download the current version, click here.

The protection of Personally Identifiable Data is the responsibility of all entities.

Entities should assume the following responsibilities to help protect the security and integrity of Personally Identifiable Data:

  • Written Policies and Procedures. Establish written data security policies and procedures reflective of current business practices (including written policies and procedures related to personal devices and entity-provided devices, where applicable). Entities should ensure there are reasonable data security policies and practices that seek to assure the uninterrupted security of data systems within their organizations.Entities should, as reasonable, within their organizations:
    • Periodically audit data retention practices.
    • Employ appropriate data loss prevention technologies.
    • Employ an appropriate data minimization plan including a data destruction and purge process.
    • Maintain an inventory of system access and credentials.
    • Segment and isolate networks based on business function to avoid compromising sensitive personal data that is used in a network.
    • Create a reasonable incident response plan including vendor and law enforcement contacts as well as notification requirements.
    • Maintain a reasonable and ongoing employee training program.
    • Maintain a reasonable password policy including maximum password age and minimum standards for passwords complexity and changes.
  • Data Security Training. Provide data security training for relevant staff. Entities should create and implement reasonable staff procedures, training, and responsiveness measures to protect Personally Identifiable Data handled by relevant staff in the everyday performance of their duties.
  • Personal Devices. Train staff that use their own devices on steps designed to help prevent unauthorized access to the entity’s data as well as educate them about the inherent risks and ensure the entity has reasonable data security policies and safeguards in place for such devices.
  • Monitoring. Monitor and assess data security safeguards periodically. Entities should employ and routinely assess protective physical safeguards and technological measures within their entities, including data retention, destruction, deletion practices, and the monitoring and analysis of systems logs in support of data security.
  • Contractual Safeguards. Entities should contractually require all business partners and service providers that handle Personally Identifiable Data to ensure that their policies, procedures, and practices maintain a level of security consistent with or higher than the entity’s applicable data security policies, including partners’ own employees and contractors accessing data through their own devices. In addition, entities should contractually require all business partners and service providers to handle data in accordance with applicable laws and regulations.
  • Breach Plan. Entities should develop and maintain a data security breach readiness plan reasonable for the size and nature of the entity, their level of data collection, and type of data collected.
  • Notice. If a data security breach occurs, immediately inform compliance or legal staff as identified in the data breach readiness plan. Entities should, in the event of a security breach, inform Consumers as required by state and federal law.
  • Email. Entities should implement the appropriate email authentication protocol (SPF, DKIM, DMARC, or successor standards, as appropriate) to help reduce the risk of spoofed emails.
  • Sensitive Data. Entities collecting sensitive data must ensure appropriate data security measures are taken to protect such data. The appropriate digital certificate should be employed, meaning the Extended Validation Secure Socket Layer Certificates (“EV SSL”), or successor standards, should be used on all relevant pages of sites requesting sensitive data.
  • Data Transfers. If Personally Identifiable Data is transferred from one entity to another for Marketing as established by written agreement, the transferor should arrange the appropriate security measures to assure that unauthorized access to the data is not likely during the transfer process.
  • Employee Use of Data. Employees who have access to Personally Identifiable Data should agree in advance to use such data only in an authorized manner.

Login To Your Account