Businesses collect information about their employees and customers. Some of this information is personal and may be subject to privacy laws. In 2014, a disgruntled Morrisons employee leaked contact details for customers and staff, and the company was fined for violating privacy laws. Several privacy laws around the world, including the EU's General Data Protection Regulation (GDPR), define personal data along the following lines.
Personal data includes information on a person's habits, activities and affiliations that can be used to identify them. A name and address, a phone number or an email address can identify a person, as can images, videos and voice recordings of conversations with your employees and customers. The GDPR also requires you to safeguard sensitive personal information and imposes specific disclosure and consent requirements on it.
Many privacy laws across the world provide extra protection for sensitive data. This may include biometric data, health information or political affiliations. You must obtain explicit, unambiguous consent before processing sensitive information. The level of security required will depend on the laws in your jurisdiction.
You might need to conduct an inventory of all computers, laptops, digital copiers and other equipment used in your business to find out where personal data is stored. Examine file cabinets and computer systems, as well as the home computers, flash drives, mobile devices and other equipment that your employees use. Also consider the personal information your company receives from third parties and suppliers.