Customer loyalty boosted by Data Protection Trustmark Certification.
As a data intermediary, iColumn has a tough mission: It manages some four to five million customer records on behalf of about 35 malls in Singapore.
The digital marketing agency provides a proprietary customer relationship management (CRM) platform for shopping malls to run their loyalty programmes. Given the nature of the business, a recurring issue that iColumn faces is having to assure clients that the personal data under its care is safeguarded at all times.
“Before the Data Protection Trustmark (DPTM) came along, clients were already asking if there were third-party certifications to prove that we had robust data handling and data protection standards,” said iColumn’s Chief Executive Officer Mr Jason Cheong.
“When we found out about the DPTM, we were quite excited, knowing that the trustmark could be a testament to our data protection practices and strengthen clients’ confidence and trust in us.”
To advise and aid its clients in their marketing efforts, iColumn collects personal, transactional and behavioural information on shoppers who sign up for the malls’ loyalty programmes. This is done through a mobile application developed by the company.
The data flows into iColumn’s system and is analysed to help its clients make better business decisions. Its clients can use these insights to personalise and improve their customers’ experiences. For example, relevant and timely offers or coupons can be sent out to individual shoppers, potentially leading to a boost in sales.
“It is powerful information for marketing. By studying an individual’s shopping behaviour, for example how often they visit particular restaurants or stores, malls can upsell or cross sell products or services that interest them,” said Mr Cheong.
Life before the DPTM
Prior to its DPTM journey, iColumn already had in place policies and processes to ensure that it complied with the Personal Data Protection Act (PDPA), and that the personal data it handled was well protected.
For example, at the contractual level, it signs an undertaking with all its clients that it will not use the personal data beyond the purposes for which consent was obtained and also ensures that this is enforced internally.
At the technical level, iColumn partitions each client’s database in such a way that their data is stored separately. This helps to minimise data loss should a breach occur. The company also subscribes to alerts from security partners who monitor vulnerabilities and malware intrusions and flag out systems that need to be patched.
“We have security consultants to look at our whole set-up and how we protect our systems against common attacks,” said Mr Cheong.
In terms of internal controls, the company restricts staff from accessing personal and sensitive data. Only senior employees such as the chief developer and the chief database administrator have access to the personal data which they need for their work. To provide additional safeguards, these staff have a non-disclosure and confidentiality clause in their employment contract and can be held liable if they violate the terms.
Annually, the company also gets audited by its clients, who look at its data protection and information security processes.
The DPTM journey
When iColumn embarked on the DPTM certification process, it discovered a gap in terms of its lack of documentation.
“What we had was on-the-job training; seniors teaching the juniors what to do,” said Mr Cheong. “There was a lack of documented standard operating procedures (SOPs). We implemented data protection measures, but did not document our policies and practices properly.”
To address this, iColumn focused on developing a process documentation guide and SOPs for its business activities. “This made everything more methodological. It became easier to explain to our stakeholders how our practices are aligned with our data protection policies.”
iColumn also took the opportunity to engage staff and clients in conversations about its data protection policies and practices. From staff, it gathered feedback about their experiences in handling clients’ data and whether the existing data protection policies were clear to them.
For some clients, it reached out to their C-suite executives, IT departments and data protection officers to find out more about their concerns surrounding data protection and how they would like iColumn to address them.
By the time the company was assessed by the DPTM assessment body, it was found to be in compliance with most of the certification requirements. There were only some missing elements such as not equipping the data protection officer with proper training on data protection, which iColumn swiftly addressed.
Assurance, trust and more business opportunities
By and large, the response to the news that iColumn was undergoing DPTM certification was positive, said Mr Cheong.
When it attained the trustmark, an obvious benefit was the strengthening of clients’ confidence in the company.
“The DPTM shows that we are handling personal data responsibly and that we have robust data protection policies and practices that are compliant with the PDPA. This gives us more credibility. Our clients have more trust in how we handle their data.”
The malls, in turn, are able to provide their customers with greater assurance surrounding the protection of personal data collected for the loyalty programmes.
“Knowing that their vendor is certified, our clients can tell their own customers – the shoppers – that their personal data is safe with the malls. This confidence comes from the fact that their vendor is able to demonstrate the capability to protect the personal data that is passed to them to manage.”
From a sales perspective, when iColumn meets new clients, having the DPTM also gives it a distinct advantage over other vendors that do not have this certification, said Mr Cheong.
Looking back on the DPTM experience, he said: “As a data intermediary to the retail industry, it is imperative that we foster a culture of accountability and trust amongst our clients. This helps open doors to more business opportunities as well as strengthen our existing clients’ loyalty.”
For more information, visit the Data Protection Trustmark webpage.
(This story was first published in the Data Protection Trustmark Success Stories e-booklet.)