circular tunnel

Data generated through customer relationships is a key component of modern business operations. It enables manufacturers to optimize production, retailers to sell more efficiently, financial services providers to tailor products and tech experts to create more useful digital tools.

Though data collection has become a business imperative and competitive advantage, it also carries a range of potential risks that businesses must plan for, including cybersecurity risk.

It is crucial that companies foster a culture of data risk management and enhance data controls, given the increase in cyber events, insider threats, reliance on third-party data processing and evolving data-related regulations.

Big fines rattle businesses

The widening scope and reach of data protection, privacy and cyber regulations has led to fines and other consequences when regulators allege companies did not meet their obligations.

  • Uber settled a lawsuit for $148 million after state attorneys general from across the U.S. alleged that the ride-hailing company failed to promptly notify drivers whose personal information was compromised.
  • Home Depot settled with 46 U.S. states and Washington, D.C., for $17.5 million after the state attorneys general alleged a data breach exposed payment card information of about 40 million customers.
  • Ireland’s Data Protection Commission fined Meta €265 million after a data breach compromised Facebook users’ personal details in violation of GDPR’s Article 25.
  • The United Kingdom’s Information Commissioner’s Office fined British Airways £20 million after a data breach exposed more than 400,000 customers’ personal, payment and travel records.

5 tips for improving data privacy controls

While big businesses make headlines, small and midsize companies can just as easily mishandle data or fall victim to a data breach. Or, they may be hamstrung by a lack of cybersecurity resources that impacts their cyber awareness, resources, controls and culture.

These areas of focus can help businesses eliminate gaps, tighten controls and better integrate data privacy into organizational risk management.

1. Understand privacy obligations

What’s the risk? Global e-commerce makes it easier for businesses to transact internationally. But cross-border relationships can create risk if companies mishandle data for customers abroad.

What can be done? Fundamentally, companies should know the where, why and how of data collection. They must understand their obligations for stewardship across the data life cycle, from creation through destruction. That includes knowing what jurisdictions they’re collecting data from, why they’re collecting that data and how it is being stored. Understanding these essentials can help companies establish a baseline for their data privacy obligations and uncover hidden liabilities.

2. Limit employee access to data

What’s the risk? Employees who have more access than they need can become vulnerabilities if phished or hacked, or if they use the data in an improper way.

What can be done? Companies may consider determining access on a need-to-know/role-based basis: The more sensitive the data, the smaller the population that should have access. This helps root out needless cyberattack exposure and centralize data in hands that thoroughly understand the applicable regulations.

3. Consider vendor practices

What’s the risk? Third parties with weak cybersecurity can become big problems for companies that otherwise are vigilant with data privacy.

What can be done? It’s important to learn what controls vendors have and what data-sharing relationships are in place. A hack on a vendor could compromise a company that takes protecting customer data seriously: One weak link undoes the chain. Organizations should have cybersecurity standards for vendors and a standardized process to continually validate effective controls, as well as to reconsider if they absolutely need to share certain data.

4. Use encryption

What’s the risk? External movement of data may be unavoidable in some cases, but each instance is also a prime opportunity for cybercriminals.

What can be done? Limiting counterparty data flow is the best way to minimize risk, but it’s not the only option. Encryption can offer a cybersecurity advantage whenever disseminating data outside the organization. There are numerous tools and configurations, and businesses should research options.

5. Follow regulatory updates

What’s the risk? Not paying attention to developments in the regulatory landscape can put compliance at risk.

What can be done? Business leaders need to keep apprised of regulatory current events. Doing so not only improves strategy preparation and fine-tunes ongoing compliance, but it also promotes a culture of security and vigilance.

What else can be done?

It’s not enough that businesses simply have controls for upholding data privacy—they should also have dependable processes for enforcing and adhering to these controls. That means building a culture of cybersecurity that prioritizes:

Recognizing—at a C-suite level—the importance of strategic planning

  • Informing employees on their responsibilities throughout the data life cycle
  • Regularly training staff in protocols and incident response
  • Ensuring third parties have adequate controls for protecting customer data

We're here to help

JPMorgan Chase is dedicated to cybersecurity, and we have a number of tools, products and resources to help protect your business. Talk to your relationship team about how we can help you mitigate cybersecurity risks.

This material is not intended to provide legal, tax, investment, accounting, financial, business, real estate, technology or other advice, and should not be used for or relied upon for these purposes. Visit for disclosures and disclaimers related to this content.

JPMorgan Chase Bank, N.A. Member FDIC. Deposits held in non-U.S. branches are not FDIC insured.