The growth of digital record-keeping and internet communication has completely transformed society. As a result, personal data is collected and used by practically every business. Privacy and data protection laws vary in their scope and effectiveness. But common to many of these laws is a requirement to keep personal data safe.
You may not realize how much personal data your business actually deals with. The obvious stuff, such as employee records and customer databases, is just the tip of the iceberg. If you truly consider the amount of data flowing in and out of your company's systems, you might be surprised by how much of it qualifies as "personal data."
In this article, we'll be considering your legal and ethical responsibilities to keep people's data safe. We'll also be providing some practical tips on how to go about doing this.
- 1. Personal Data and the Law
- 1.1. United States
- 1.2. European Union
- 1.3. Other Places
- 2. What is Personal Data?
- 2.1. Identifiability
- 3. Collecting and Storing Personal Data Securely
- 3.1. Network Security
- 3.2. Protecting Data at Rest
- 3.3. Restricting Access Within Your Company
- 3.4. Backing Up Personal Data
- 3.5. Data Breach Policy
- 4. Sharing Personal Data Outside of Your Company
- 4.1. Due Diligence
- 4.2. Data Processing Agreements
- 5. Transparency in Your Personal Data Practices
- 6. Summary
Personal Data and the Law
Protecting personal data is important for many reasons:
- It's ethically important to respect people's privacy
- It builds a relationship of trust with customers, users and/or employees
- It's the law
Let's focus on that third point. There are laws in most countries that regulate the processing of personal data. These laws fulfill several functions, including:
- Limiting the ways in which personal data can be collected, stored or shared
- Requiring companies to disclose the ways in which they use personal data
- Mandating a minimum level of protection of personal data
Here's a brief overview of some of the major data protection laws your company is likely to encounter. It's important to note that, generally speaking, you'll be bound both by your company's home laws and the laws of the countries in which your customers reside.
There is no pervasive, cross-sector data protection law in the United States (US). Instead, there are various sector-specific federal laws, and a patchwork of state laws with which most companies operating in the US will have to comply.
Here are some examples of important data protection laws in the US:
- Children's Online Privacy Protection Act (COPPA): A federal law that strictly regulates the collection of children's personal data.
- Health Insurance Portability and Accountability Act (HIPAA): A federal law regulating the data protection practices of healthcare companies.
Data protection laws are enforced by various entities, including state attorneys general, the Federal Trade Commission (FTC) and the federal government.
The European Union (EU) is home to the strictest and most demanding data protection law in the world - the General Data Protection Regulation (GDPR).
The GDPR is a long and comprehensive law that covers every aspect of the processing of personal data. Among other things, the GDPR:
- Requires that companies provide transparent information about the personal data they collect from consumers
- Permits the collection, storage or sharing of personal data only under a specific legal basis
- Enforces a high level of protection over personal data
The GDPR requires that businesses (and other organizations) "implement appropriate technical and organizational measures to ensure a level of security" over personal data.
Failing to do this can result in warnings, fines and other penalties from a Data Protection Authority. Those fines, by the way, can be anything up to €20 million or four percent of your company's annual turnover (whichever is greater).
The GDPR applies in every EU country (including the UK), each of which has implemented it via its own national law.
Here are just a few examples of important data protection laws in other jurisdictions:
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia: Privacy Act 1988
- Singapore: Personal Data Protection Act (PDPA)
These laws vary in their specific obligations, but each requires some level of personal data protection.
What is Personal Data?
The question of what constitutes personal data is not a straightforward one.
In different legal jurisdictions, there can be very different answers. This means that certain information will be considered as personal data in some places, but not others. It is also possible that, even within the same country, certain information will be personal data in some contexts, but not others.
It's important to take a broad approach when considering what information to treat as personal data. Many companies have ended up in court arguing that a given piece of data is not "personal."
Many definitions of personal data come down to "identifiability" - can a person be identified by this information?
There are obvious examples, such as a person's name, email or physical address. Ask someone on your website to provide their name and shipping address, and it should be obvious that you're asking for personal data. The person can be directly identified by this information.
But you should also think more critically. If it's not obvious that a person could be identified by a piece or set of information, you'll need to consider whether they could be identifiable.
Under EU and California law, for example, anything from a person's IP address to their browser cookies can constitute personal data.
Such information can reveal a lot about a person. It can, in theory, be used to identify them. Therefore, it's treated as personal data in many countries.
Collecting and Storing Personal Data Securely
Whenever collecting, storing or transferring personal data, think about the steps you can take to keep it secure. Cyber attacks and other data breaches are increasingly common, and increasingly harshly punished.
For example, in 2015, UK retailer Carphone Warehouse suffered a data breach in which the personal data of three million customers was compromised. The company was fined £400,000 under the UK's pre-GDPR legislation (under which only smaller fines were possible) because it had failed, among other things, to test and maintain its data security systems.
You must take steps to ensure security whenever collecting or accessing personal data over a network. This includes:
- When receiving personal data via web forms on your website or app
- When facilitating remote access to personal data stored within your systems
- When transferring personal data over a network either internally or externally (i.e. to a third party)
It's important to consider all the steps you can take to secure personal data in transit.
When collecting any personal data on your website (including login credentials), it's important to use TLS/SSL cryptographic protocols. This requires hosting only with a dedicated IP address (not a shared IP address) and obtaining a TLS/SSL certificate.
It's going to be very obvious to your users if you're failing to provide secure access to a page on your site. Browsers are increasingly vigilant in drawing attention to a site's security levels. It's going to look unprofessional or downright shady if this happens on your website.
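As an added example (not code from the original article), here is how a Python client that sends personal data to a third party can enforce certificate verification, hostname checking and a TLS 1.2 floor, next to the weak settings that "make the certificate error go away", with a small audit function that refuses to transmit over a weak configuration. The hostname and payload are placeholders.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Context for outbound transfers of personal data: verify the peer certificate
    against the system trust store, check the hostname, refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What a 'just make the error go away' fix typically produces: the connection is
    still encrypted, but any server (including an interceptor) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are accepted")
    return findings


def send_over_tls(host: str, port: int, payload: bytes, ctx: ssl.SSLContext = None) -> bytes:
    """Send payload over a verified TLS connection; refuses to run with a failing context."""
    ctx = ctx or hardened_client_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to send personal data: " + "; ".join(problems))
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.recv(4096)
```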
Protecting Data at Rest
Consider how personal data is stored within your company's systems and devices, and who can access it.
- Use full-disk encryption techniques such as FileVault for Mac or BitLocker for Windows.
- Implement de-identification methods such as pseudonymization and anonymization wherever appropriate.
- Use file-level encryption and password protection for specific files. This is also important if you have to transfer personal data via an email attachment.
It's also crucial that you:
- Regularly audit the personal data stored within your systems.
- Erase any personal data you no longer need.
- Create a "retention schedule" to help you decide how long to keep different types of personal data.
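As an added example (not from the original article), the pseudonymization and retention-schedule points above in Python: direct identifiers are replaced with a keyed HMAC so a leaked dataset alone cannot be linked back to people, and a retention schedule decides which records are due for erasure. The key, the categories, their retention periods and the records are constructed sample values.

```python
import datetime as dt
import hashlib
import hmac

# Placeholder secret: in production load it from a secrets manager and store it
# separately from the pseudonymized dataset, since whoever holds it can re-link records.
PSEUDONYM_KEY = b"replace-with-a-long-random-secret"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier (email, customer name) with a keyed hash.
    A plain SHA-256 of an email would fall to a dictionary attack; with the key
    kept apart from the data, the pseudonym on its own identifies nobody."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


# Retention schedule: days each category of personal data may be kept (constructed values).
RETENTION_DAYS = {"marketing_contact": 365, "support_ticket": 730, "invoice": 6 * 365}


def expired_records(records, today: dt.date) -> list:
    """Return ids of records whose retention period has elapsed. Records whose
    category has no entry in the schedule are returned too: data with no agreed
    retention period has no justification for being kept."""
    due = []
    for record in records:
        limit = RETENTION_DAYS.get(record["category"])
        if limit is None or (today - record["collected"]).days > limit:
            due.append(record["id"])
    return due


RECORDS = [  # constructed sample data
    {"id": 1, "category": "marketing_contact", "collected": dt.date(2018, 1, 15)},
    {"id": 2, "category": "invoice", "collected": dt.date(2018, 1, 15)},
    {"id": 3, "category": "legacy_export", "collected": dt.date(2019, 6, 1)},
]


def run_audit(today: dt.date = dt.date(2019, 7, 1)) -> list:
    """Audit the sample records as of a fixed date (1 July 2019 by default)."""
    return expired_records(RECORDS, today)
```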
Restricting Access Within Your Company
Make sure you know who has access to personal data within your company. Only grant access on a "need-to-know" basis.
If someone leaves your company, you must ensure that you revoke their access permissions. In 2014, a disgruntled ex-employee of UK supermarket firm Morrisons leaked the personal data of customers and colleagues. The employee himself received eight years' jail time, and the company has also been held legally liable for the data breach.
You should regularly review and carefully manage permissions for accessing all personal data stored in your systems.
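As an added example (not from the original article), here is the kind of periodic access review the section describes, in Python: every account holding access to a store of personal data is checked against the HR roster and the need-to-know roles, so leavers, unknown accounts, access without a business need and dormant access all come out as separate actions. The roster, roles and access list are constructed sample data.

```python
import datetime as dt

DORMANT_AFTER_DAYS = 90  # access unused for longer than this is queried

# Constructed sample data: HR roster and the access list of a customer-records share.
ROSTER = {
    "alice": {"role": "support", "left": None},
    "bob": {"role": "engineering", "left": None},
    "carol": {"role": "payroll", "left": dt.date(2019, 3, 31)},  # has left the company
    "dave": {"role": "support", "left": None},
}
ROLES_WITH_NEED_TO_KNOW = {"support", "payroll"}
ACCESS_LIST = {  # account -> date the account last opened the share
    "alice": dt.date(2019, 6, 28),
    "bob": dt.date(2019, 6, 27),
    "carol": dt.date(2019, 3, 20),
    "contractor7": dt.date(2019, 1, 4),  # not on the roster at all
    "dave": dt.date(2019, 2, 1),
}


def review_access(access_list, roster, allowed_roles, today: dt.date) -> dict:
    """Classify every account with access. Each bucket is an action for the review:
    revoke leavers and unknown accounts, challenge access held without a need to
    know, and confirm whether dormant access is still required."""
    findings = {"revoke_leaver": [], "revoke_unknown": [], "no_need_to_know": [], "dormant": []}
    for account, last_used in sorted(access_list.items()):
        person = roster.get(account)
        if person is None:
            findings["revoke_unknown"].append(account)
        elif person["left"] is not None and person["left"] <= today:
            findings["revoke_leaver"].append(account)
        elif person["role"] not in allowed_roles:
            findings["no_need_to_know"].append(account)
        elif (today - last_used).days > DORMANT_AFTER_DAYS:
            findings["dormant"].append(account)
    return findings


def run_review(today: dt.date = dt.date(2019, 7, 1)) -> dict:
    """Run the review over the sample data as of a fixed date (1 July 2019 by default)."""
    return review_access(ACCESS_LIST, ROSTER, ROLES_WITH_NEED_TO_KNOW, today)
```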
Backing Up Personal Data
Where you need to keep records of personal data, it's important to keep backups. But you must only do so if you can guarantee that these backups are safe and accessible (to the right people).
Keeping backups of personal data can help protect against ransomware attacks, and mitigate the effects of a data breach.
Some important considerations:
- Make sure that your backup data is stored in an entirely separate system from the original data
- Ensure that the data is protected from access by most staff
- Integrate a system to regularly and safely back up data
You might consider using a cloud storage provider for backups. Storing data in "the cloud" qualifies as sharing that data with a third party. We'll discuss some of the considerations around this later in the article.
Data Breach Policy
It's important to consider what action you will take if the worst happens, and a data breach occurs. Remember that a data breach can concern the loss, theft or unauthorized access of personal data.
Data breach reporting is mandatory under certain laws. For example, if a company subject to the GDPR suffers a data breach of a particular level of severity, certain information must be sent to the Data Protection Authority and, sometimes, the affected individuals within 72 hours.
Get to know the laws that apply to you. Write a policy that covers:
- How data breaches could occur
- What requirements exist (if any) to notify an authority
- Who within your company should be the main point of contact if a data breach occurs
- What measures can be taken to contain the breach
- A post-breach evaluation process
If you need to contact an authority in the event of a data breach, it is prudent to prepare a template notification letter in advance.
Sharing Personal Data Outside of Your Company
You may need or want to share your users' personal data with a third party company. Examples of where this might be appropriate include:
- Collecting online information via third-party analytics or cookies
- Sharing a mailing list with an email marketing company
- Using a mail carrier to ship your products
If you're sharing personal data with third parties, you must be totally transparent about this and ensure you obtain appropriately clear consent from your users where necessary.
In April 2019, pregnancy and parenting company Bounty UK was fined £400,000 by the UK's Data Protection Authority because of the way it "carelessly" shared personal data. By failing to properly disclose and earn consent for sharing customer data for direct marketing purposes, the company was held to have "acted as a data broker."
It's essential to do some investigation into any company you're planning to share your users' personal data with.
Before handing over your users' personal data, check that the company is compliant with whatever data protection laws you need to abide by. Your questions might not be answered by the company's FAQs or documentation. If this is the case, drop them an email or, better yet, give them a call.
If your users have trusted your company enough to allow you access to their personal data, you must only share it with companies that can also demonstrate their trustworthiness.
Data Processing Agreements
Under EU law, personal data can only be shared between certain companies under strict conditions.
If, for example, you need to engage the services of an email marketing company such as HubSpot or MailChimp, you'll need to have a Data Processing Agreement (DPA) in place.
Here's an excerpt from HubSpot's standard DPA:
Not all data protection laws make a formal agreement like this a prerequisite for sharing personal data. But having a clear written contract for data sharing arrangements is never a bad thing.
Transparency in Your Personal Data Practices
Transparency is a requirement of even the most lenient of data protection laws.
Again, this is not only legally mandatory but also just plain good practice. If someone wants to know how their personal data is treated by your company, it should be easy for them to find out.
Protecting personal data in your business is crucial if you want to build customer trust and avoid legal problems.
Some of the ways you can do this include:
- Understanding the data protection laws that are relevant to your business
- Ensuring a high level of security when collecting and transferring personal data over a network
- Encrypting and regularly reviewing personal data in storage
- Strictly controlling access to personal data
- Creating back-ups and keeping them secure
- Creating a data breach policy in case of loss or theft of personal data
- Only sharing personal data with responsible third parties
- Having a written agreement in place when sharing personal data with third-party companies
- Always being clear and transparent about your use of personal data