All businesses collect information about customers and staff, but some of this data is considered to be personal, and is subject to regulation by privacy laws. In 2014, a disgruntled Morrisons employee leaked contact details for customers and staff. The business was fined because it violated privacy laws. A number of privacy laws across the world, including the EU’s General Data Protection Regulation (GDPR) utilize this definition of personal data.
This includes information about an individual’s behavior, habits and other associations that can be used to identify them. Names and addresses, emails addresses, and telephone numbers can be used to identify a person, as well as images, videos, and voice recordings from conversations with your employees and customers. The GDPR also requires that you protect sensitive personal data, and requires specific disclosure and consent requirements on it.
Sensitive data is viewed as more prone to misuse, and thus is granted greater protection under various global privacy laws. This can include information about health, biometrics, or political associations. You will need express, unambiguous consent before processing sensitive information. The level of protection required will depend on the laws in your jurisdiction.
You may need an inventory of your laptops, computers and digital copiers in order to determine the locations where you store your personal data. You should examine file cabinets and computer systems as well as home computers mobile devices, flash drives and other equipment employed by your employees. You should also take into account the personal information that your company receives from suppliers or third parties.