Privacy management can be a contentious issue. Isn’t it the business’s data when I have it? The data is out there, so why can’t I use it? Why should businesses care about the management of data and privacy?
Article 12 of the Universal Declaration of Human Rights (1948) contains one of the earliest statements of an individual's right to privacy.
That was over 70 years ago, and the rights of an individual in relation to privacy are still being defined and redefined. Sweden passed the first national Data Act in 1973. The UK's Data Protection Act 1998 followed, and the General Data Protection Regulation (GDPR), which came into force across the EU on 25 May 2018, led countries around Europe (including the UK, with the Data Protection Act 2018) to update their own data protection laws.
Businesses have adapted and changed in those 70 years, especially with the advances in, and speed of, technology. Hence the changes and updates in legislation, particularly in relation to information sharing.
Businesses need data to operate. Ideally, many businesses would say, they need to gather information to contact prospective clients and then use that data as they see fit. Look at the big tech companies, such as Meta, Google and Amazon, which rely on the collection, reuse and monetisation of personal data as a cornerstone of their business. Selling or trading on data can be a considerable income stream.
It is no wonder that businesses, no matter how big or small, have difficulties with privacy, especially when they have to balance the needs of the business against the rights of the individual. And the individual does have rights.
And there is the conflict. Many businesses argue either that the information is already out there, or that the person gave it to them, so why can't they use it the way they want to?
Good data management is good for business. Having everything in place means that things run more smoothly and, more importantly, it can help reduce costs (especially in relation to software and storage).
Whose data is it?
GDPR set out to clarify the importance of privacy and data security. More importantly, it settles whose data it is. The individual is the data subject and holds the rights over the data; the business is a controller (or a processor acting on a controller's behalf), not the owner. Businesses are, in effect, custodians of information about a living person, and as a result they have to follow the data protection principles set out in Article 5 of the regulation:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
In short, that means that businesses need to:
- Identify the lawful basis for collecting and storing the information AND have a way of informing the individuals (for example, a privacy notice).
- Ensure individuals' rights (access, rectification, erasure, objection and so on) are protected and acted upon.
- Only use the information for the purpose for which it was collected. This means you cannot collect information and then use it for whatever reason you want, regardless of whether it is in the public domain.
- Only collect and store the bare minimum you need, for the minimum time you need to keep it.
- Ensure that the information you keep is accurate and, if it is not, correct it.
- Ensure that the data is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Be able to demonstrate compliance with the legislation.
Saying you are data protection compliant is not enough. Under the accountability principle, businesses need to be able to demonstrate it. Some key areas to look at are:
- Know your data
  - Map out what data you collect, save and keep; for what reason; on what lawful basis; and where it is held.
- Only use it for the purpose for which it was collected
  - One example: networking contacts cannot simply be added to your email marketing list or sent sales emails. They consented to you having their details; they did not consent to being added to your email marketing.
- Keep it up to date and accurate
  - Account status, contact information and payment history are typical examples.
- Assess, review and update
  - Assess what documentation you have and what you need.
  - Review for updates and changes in practice.
  - Keep an eye on trends in data security.
- Secure it
  - Ensure that physical material is locked away securely.
  - Ensure digital devices are secured and backed up.
  - Train your staff on what data protection and IT security are.
  - Have policies and processes in place, so they know what to do.
- Keep records
  - Log incidents and lessons learned.
  - Keep records of equipment and software.
  - Keep risk assessments and Data Protection Impact Assessments (DPIAs).
It doesn't need to be complicated, and help is at hand. As a data protection specialist, I am here to support and assist with your data protection woes. Why not get in touch?