All businesses collect data about customers and staff; however, certain information is considered personal and is therefore subject to privacy laws. For instance, when a disgruntled employee at the UK supermarket chain Morrisons released the contact lists of staff and customers in 2014, the company was fined for breaching privacy law. The privacy laws of many countries, including the EU's General Data Protection Regulation (GDPR), share this definition of personal data.
Personal data includes information on an individual's habits, activities and affiliations that can be used to identify them. For example, a name, address, telephone number or email address can all be used to identify individuals, as can videos, photos and even recordings of conversations between your staff and customers. The GDPR requires that you safeguard sensitive personal information and makes disclosure and consent mandatory.
Many privacy laws across the world provide stronger protection for sensitive data, which can include biometric, health or political association information. You will need express, unambiguous consent before processing sensitive information. The degree of protection required will depend on the laws that govern your state or jurisdiction.
You may need an inventory of your laptops, computers and digital copiers in order to determine where personal information is kept. You should examine your computer systems and file cabinets, as well as the home computers, flash drives, mobile devices and other equipment used by employees. You should also take into account the personal information your company receives from third parties and suppliers.