Loyalty: Data Security, Privacy, and Compliance | Annex Cloud

Data is the underlying reason for your decision to embark on a loyalty strategy. It’s the data that unlocks all the opportunities and, ultimately, the experiences you can deliver. Keeping this data secure needs to be your top priority.



It goes without saying that you need to ensure your customer data is protected, so you should look for a loyalty vendor that guarantees strong security for that data. To assess a loyalty vendor from the data security perspective, the first step is to find out what security protocols the vendor has in place for safeguarding the data. Does the vendor hold security and compliance certifications that demonstrate they are equipped to collect and manage your data?

Next, ask the vendor for their position on collecting data. Most loyalty vendors will talk to you about not sharing personally identifiable information (PII) or payment card industry (PCI) data if it is not needed. This isn't because they lack the standards to keep your data secure; it is because they understand that the fewer places your data travels, the better. Typically for loyalty, you will want the vendor to collect PII: you want customers to create a profile and share their preferences with you. On the flip side, it is seldom necessary for a loyalty vendor to collect or use PCI data (such as credit card information).

Next, you need to ensure that your data is stored properly. Your foremost security concern should be where and how the customer loyalty data is stored—whether the vendor deploys in-house servers for this purpose, uses cloud services, or leverages third-party data centers. The data collected will need to flow between systems. For this, the vendor should follow standard encryption practices and ensure the data is encrypted both at rest and in transit. You should also find out whether the vendor's loyalty platform exchanges data with other applications over a secured channel. Finally, it is crucial to know whether the loyalty solution includes the security measures that allow only authorized people to have direct access to the data.


There is a significant movement, both in the U.S. and abroad, to protect people's privacy. This movement requires companies to be good stewards of people's data—including safekeeping of the data as well as giving customers a say in how a company uses their data. This started in Europe with the General Data Protection Regulation (GDPR). Then came the California Consumer Privacy Act (CCPA), which evolved into the California Privacy Rights Act (CPRA). Ten U.S. states have hopped on board, and now the federal government is looking at legislation to ensure the safety of personal data. Plus, new laws have come to fruition across the globe, including new laws in Australia. GDPR, a prominent data protection standard set by the European Union, requires that personal data be kept private and secure. It is designed as a standard framework for data protection, which global service providers commit to maintaining to protect the privacy of their clients' data. To reiterate, GDPR is only one of the many laws being enacted. Your own company's compliance team should have a solid understanding of these laws. Make sure that your loyalty partner meets a similar standard.



One way to really kick the tires on your loyalty provider is to find out whether they have gone through and completed ISO 27001 and SOC 2 security compliance. The ISO 27001 and SOC 2 standards evaluate the vendor's effectiveness against specific security principles and related data security criteria. A loyalty vendor's compliance with SOC security standards demonstrates that the vendor meets the established security criteria and is competent to prevent unauthorized access to data.

Let's start with ISO/IEC 27001, then dig into the SOC 2 Type 2 evaluation.


ISO/IEC 27001 is an international standard for how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)—the aim of which is to help organizations make the information assets they hold more secure.

Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having often been implemented as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of information technology (IT) or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed independently of IT or information security, while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
  • Adopt an overarching management process to ensure the information security controls continue to meet the organization's information security needs on an ongoing basis

Note that ISO/IEC 27001 is designed to cover much more than just the IT department.

Which controls are tested as part of certification to ISO/IEC 27001 depends on the certification auditor. Testing can include any controls that the organization has deemed to be within the scope of the ISMS, and it can go to whatever depth or extent the auditor judges necessary to confirm that each control has been implemented and is operating effectively.

Additionally, ISO27001 was strengthened with Annex C Controls, which include:

  • Information security policies
  • Organization of information security
  • Human resource security—processes applied before, during, or after employment
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance—with internal requirements, such as policies, and with external requirements, such as laws

The controls reflect changes to technology affecting many organizations—for instance, cloud computing solutions.

Let’s dig into the SOC evaluation. It’s a multi-level evaluation across multiple principles.

SOC 2 Type 2

The SOC 2 Type 2 audit is based on criteria used to evaluate controls relevant to the security, processing integrity, availability, confidentiality, and privacy of any system. The SOC 2 Type 2 report includes audit details of the service organization's controls outlined by the Trust Services Criteria (TSC) set by the AICPA. In SOC 2 terms, the system under audit comprises:

  • IT system software and application programs
  • All manual and automated procedures
  • Personnel using the system
  • Physical, IT, and related hardware
  • Files, tables, databases, transmission streams, and output processed by the system

Some other areas specifically analyzed under a SOC 2 Type 2 audit include:

  • How customer data integrity is protected from data entry to data deletion and all points during the data lifecycle
  • How privacy is communicated to customers and enforced through company policies
  • How the rights customers have regarding their data are protected
  • Steps taken to protect customer data confidentiality
  • How the company guarantees data availability
  • Whether access to data, software, functions, and other IT resources is restricted to authorized personnel only
  • Whether physical access to sensitive locations is restricted to authorized personnel only
  • Whether appropriate background screening procedures are in place
  • Whether an access control and monitoring system is implemented to detect intrusions
  • Whether incident response procedures are suitably developed and tested
  • Whether clients and employees understand their role in using the system
  • Whether hardware, software, and related infrastructure are updated regularly
  • Whether any system changes are communicated to the correct personnel in time
  • Whether a change management process is available to address deficiencies in control
  • Whether a disaster recovery plan is tested and documented
  • Whether systems for addressing environmental risks are in place
  • Whether data is processed, stored, and maintained accurately and in a timely manner
  • Whether risk assessment includes identification of potential threats to the system and analyzing risks associated with each threat
  • Whether a fully documented data retention policy is in place
  • Whether physical and logical access controls are in place

©2021 All Rights Reserved. AnnexCloud