Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
The growth of digital record-keeping and internet communication has completely transformed society. As a result, personal data is collected and used by practically every business. Privacy and data protection laws vary in their scope and effectiveness. But common to many of these laws is a requirement to keep personal data safe.
You may not realize how much personal data your business actually deals with. The obvious stuff, such as employee records and customer databases, is just the tip of the iceberg. If you truly consider the amount of data flowing in and out of your company's systems, you might be surprised by how much of it qualifies as "personal data."
In this article, we'll be considering your legal and ethical responsibilities to keep people's data safe. We'll also be providing some practical tips on how to go about doing this.
Protecting personal data is important for many reasons:
Let's focus on that third point. There are laws in most countries that regulate the processing of personal data. These laws fulfill several functions, including:
Here's a brief overview of some of the major data protection laws your company is likely to encounter. It's important to note that, generally speaking, you'll be bound both by your company's home laws and the laws of the countries in which your customers reside.
There is no comprehensive, cross-sector data protection law in the United States (US). Instead, there are various sector-specific federal laws, and a patchwork of state laws with which most companies operating in the US will have to comply.
Here are some examples of important data protection laws in the US:
Data protection laws are enforced by various entities, including state Attorneys General, the Federal Trade Commission (FTC) and the federal government.
The European Union (EU) is home to the strictest and most demanding data protection law in the world - the General Data Protection Regulation (GDPR).
The GDPR is a long and comprehensive law that covers every aspect of the processing of personal data. Among other things, the GDPR:
The GDPR requires that businesses (and other organizations) "implement appropriate technical and organizational measures to ensure a level of security" over personal data.
Failing to do this can result in warnings, fines and other penalties from a Data Protection Authority. Those fines, by the way, can be anything up to €20 million or four percent of your company's annual turnover (whichever is greater).
The GDPR applies in every EU country (including the UK), each of which has implemented it via its own national law.
Here are just a few examples of important data protection laws in other jurisdictions:
These laws vary in their specific obligations, but each requires some level of personal data protection.
The question of what constitutes personal data is not a straightforward one.
In different legal jurisdictions, there can be very different answers. This means that certain information will be considered as personal data in some places, but not others. It is also possible that, even within the same country, certain information will be personal data in some contexts, but not others.
It's important to take a broad approach when considering what information to treat as personal data. Many companies have ended up in court arguing that a given piece of data is not "personal."
Many definitions of personal data come down to "identifiability" - can a person be identified by this information?
There are obvious examples, such as a person's name, email or physical address. Ask someone on your website to provide their name and shipping address, and it should be obvious that you're asking for personal data. The person can be directly identified by this information.
But you should also think more critically. If it's not obvious that a person could be identified by a piece or set of information, you'll need to consider whether they could be identifiable.
Under EU and California law, for example, anything from a person's IP address to their browser cookies can constitute personal data.
Such information can reveal a lot about a person. It can, in theory, be used to identify them. Therefore, it's treated as personal data in many countries.
Whenever collecting, storing or transferring personal data, think about the steps you can take to keep it secure. Cyber attacks and other data breaches are increasingly common, and increasingly harshly punished.
For example, in 2015, UK retailer Carphone Warehouse suffered a data breach in which the personal data of three million customers was compromised. The company was fined £400,000 under the UK's pre-GDPR legislation (under which only smaller fines were possible) because it had failed, among other things, to test and maintain its data security systems.
You must take steps to ensure security whenever collecting or accessing personal data over a network. This includes:
It's important to consider all the steps you can take to secure personal data in transit.
When collecting any personal data on your website (including login credentials) it's important to use TLS/SSL cryptographic protocols. This requires hosting only with a dedicated IP address (not a shared IP address) and obtaining a TLS/SSL certificate.
It's going to be very obvious to your users if you're failing to provide secure access to a page on your site. Browsers are increasingly vigilant in drawing attention to a site's security levels. It's going to look unprofessional or downright shady if this happens on your website.
Consider how personal data is stored within your company's systems and devices, and who can access it.
It's also crucial that you:
Make sure you know who has access to personal data within your company. Only grant access on a "need-to-know" basis.
If someone leaves your company, you must ensure that you revoke their access permissions. In 2014, a disgruntled ex-employee of UK supermarket firm Morrisons leaked the personal data of customers and colleagues. The employee himself received eight years' jail time, and the company has also been held legally liable for the data breach.
You should regularly review and carefully manage permissions for accessing all personal data stored in your systems.
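An access review of this kind can be automated. The following is an added example, not code from the article or from TermsFeed: it compares an access list against an HR roster and flags grants that are not on a need-to-know basis, grants still held by employees who have left, and accounts with no matching employee. The datasets, roles, employees and grants are all constructed for the example, and the NEED_TO_KNOW mapping is an assumed policy that a real company would replace with its own.

```python
"""Periodic access review for systems holding personal data.

Added example (not from the article). All employees, grants and the
role-to-dataset policy below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    left_on: Optional[date]   # None while still employed

@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str              # e.g. "customer_db"
    permission: str           # "read" or "write"

# Assumed policy: which roles have a genuine need-to-know for each dataset.
# A role not listed for a dataset should not hold access to it.
NEED_TO_KNOW = {
    "customer_db": {"support", "billing"},
    "employee_records": {"hr"},
    "marketing_list": {"marketing"},
}

def review_access(employees: List[Employee], grants: List[Grant],
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (user, dataset, finding) for every grant that fails the review."""
    roster = {e.user: e for e in employees}
    findings = []
    for g in grants:
        emp = roster.get(g.user)
        if emp is None:
            # Account exists on the system but nobody in HR owns it.
            findings.append((g.user, g.dataset, "unknown account: no matching employee"))
        elif emp.left_on is not None and emp.left_on <= today:
            # Leaver whose permissions were never revoked.
            findings.append((g.user, g.dataset,
                             f"leaver: access not revoked since {emp.left_on.isoformat()}"))
        elif emp.role not in NEED_TO_KNOW.get(g.dataset, set()):
            # Current employee, but the role has no need-to-know for this data.
            findings.append((g.user, g.dataset,
                             f"role '{emp.role}' has no need-to-know for this dataset"))
    return findings

def revocations(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Grants to remove immediately: leavers and unowned accounts."""
    return sorted({(u, d) for u, d, f in findings
                   if f.startswith(("leaver", "unknown"))})

# Constructed sample data.
EMPLOYEES = [
    Employee("alice", "support", None),
    Employee("bob", "marketing", date(2022, 5, 31)),   # left the company
    Employee("carol", "hr", None),
]
GRANTS = [
    Grant("alice", "customer_db", "read"),
    Grant("bob", "customer_db", "read"),
    Grant("bob", "marketing_list", "write"),
    Grant("carol", "employee_records", "read"),
    Grant("dave", "customer_db", "write"),             # no such employee
    Grant("alice", "employee_records", "read"),        # support has no need-to-know
]

if __name__ == "__main__":
    for user, dataset, finding in review_access(EMPLOYEES, GRANTS, date(2022, 7, 1)):
        print(f"{user:6} {dataset:17} {finding}")
    print("revoke now:", revocations(review_access(EMPLOYEES, GRANTS, date(2022, 7, 1))))
```

Run it on a schedule against exports from your HR system and your identity provider; anything in the revocation list should be removed the same day, and the remaining findings go to the data owner to either justify or revoke.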
Where you need to keep records of personal data, it's important to keep backups. But you must only do so if you can guarantee that these backups are safe and accessible (to the right people).
Keeping backups of personal data can help protect against ransomware attacks, and mitigate the effects of a data breach.
Some important considerations:
You might consider using a cloud storage provider for backups. Storing data in "the cloud" qualifies as sharing that data with a third party. We'll discuss some of the considerations around this later in the article.
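"Safe and accessible to the right people" can be checked rather than assumed. The following added example, which is not from the article or from TermsFeed, writes a small backup set with a SHA-256 manifest and owner-only file permissions, then verifies it, reporting missing files, altered contents and permissions that would let other local accounts read the data. The file names and contents are constructed; the 0o600/0o700 permission policy is an assumption for a POSIX host, and the example uses integrity checking only, with encryption of the backup left to whatever tool you already use for that.

```python
"""Backup manifest: integrity and permission verification.

Added example (not from the article). File names, contents and the
owner-only permission policy are constructed assumptions.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "MANIFEST.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_backup(files: Dict[str, bytes], dest: Path) -> Path:
    """Write each file plus a manifest of SHA-256 digests, owner-only access."""
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)                      # directory readable by owner only
    manifest = {}
    for name, data in files.items():
        p = dest / name
        p.write_bytes(data)
        os.chmod(p, 0o600)                     # file readable/writable by owner only
        manifest[name] = hashlib.sha256(data).hexdigest()
    m = dest / MANIFEST
    m.write_text(json.dumps(manifest, indent=2))
    os.chmod(m, 0o600)
    return m

def verify_backup(dest: Path) -> List[str]:
    """Return a list of problems; an empty list means the backup checks out."""
    problems = []
    manifest = json.loads((dest / MANIFEST).read_text())
    for name, expected in manifest.items():
        p = dest / name
        if not p.exists():
            problems.append(f"missing: {name}")
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & 0o077:                       # any group/other permission bit set
            problems.append(f"permissions too open on {name}: {oct(mode)}")
        if sha256_file(p) != expected:
            problems.append(f"hash mismatch: {name}")
    return problems

def demo():
    """Clean backup, then a tampered file, then a file left world-readable."""
    tmp = Path(tempfile.mkdtemp())
    try:
        dest = tmp / "backup"
        # Constructed sample records standing in for real personal data.
        write_backup({"customers.csv": b"id,name,email\n1,A. Example,a@example.test\n",
                      "orders.csv": b"id,customer_id,total\n10,1,19.99\n"}, dest)
        clean = verify_backup(dest)
        with (dest / "customers.csv").open("ab") as f:
            f.write(b"2,Injected,x@example.test\n")        # simulate corruption
        tampered = verify_backup(dest)
        os.chmod(dest / "orders.csv", 0o644)              # simulate a careless restore
        exposed = verify_backup(dest)
        return clean, tampered, exposed
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "exposed"), demo()):
        print(label, result or "OK")
```

Run verify_backup against every backup before you rely on it, and treat a non-empty result as a reason not to restore from that copy until you understand why it changed.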
It's important to consider what action you will take if the worst happens, and a data breach occurs. Remember that a data breach can concern the loss, theft or unauthorized access of personal data.
Data breach reporting is mandatory under certain laws. For example, if a company subject to the GDPR suffers a data breach of a particular level of severity, certain information must be sent to the Data Protection Authority and, sometimes, the affected individuals within 72 hours.
Get to know the laws that apply to you. Write a policy that covers:
If you need to contact an authority in the event of a data breach, it is prudent to prepare a template notification letter in advance.
You may need or want to share your users' personal data with a third party company. Examples of where this might be appropriate include:
If you're sharing personal data with third parties, you must be totally transparent about this and ensure you're obtaining appropriately clear consent from your users where necessary.
In April 2019, pregnancy and parenting company Bounty UK was fined £400,000 by the UK's Data Protection Authority because of the way it "carelessly" shared personal data. By failing to properly disclose and earn consent for sharing customer data for direct marketing purposes, the company was held to have "acted as a data broker."
It's essential to do some investigation into any company you're planning to share your users' personal data with.
Before handing over your users' personal data, check that the company is compliant with whatever data protection laws you need to abide by. Your questions might not be answered by the company's FAQs or documentation. If this is the case, drop them an email or, better yet, give them a call.
If your users have trusted your company enough to allow you access to their personal data, you must only share it with companies that can also demonstrate their trustworthiness.
Under EU law, personal data can only be shared between certain companies under strict conditions.
If, for example, you need to engage the services of an email marketing company such as HubSpot or MailChimp, you'll need to have a Data Processing Agreement (DPA) in place.
Here's an excerpt from HubSpot's standard DPA:
Not all data protection laws make a formal agreement like this a prerequisite for sharing personal data. But having a clear written contract for data sharing arrangements is never a bad thing.
Transparency is a requirement of even the most lenient of data protection laws.
Again, this is not only legally mandatory but also just plain good practice. If someone wants to know how their personal data is treated by your company, it should be easy for them to find out.
Protecting personal data in your business is crucial if you want to build customer trust and avoid legal problems.
Some of the ways you can do this include: