Businesses collect information about their employees and customers. However, some of this data is personal and therefore subject to privacy laws. In 2014, a disgruntled Morrisons employee leaked contact details for staff and customers. The company was fined because it violated privacy laws. Personal information is defined in a number of global privacy laws, including the EU General Data Protection Regulation.
This includes information about a person’s actions, habits and relationships that can be used to identify them. Names, addresses, email addresses, and phone numbers can all be used to identify a person, as well as images, videos, and recordings of conversations with your employees and customers. The GDPR requires that you safeguard sensitive personal data and imposes disclosure and consent requirements.
Sensitive data is considered more susceptible to misuse, and is therefore granted greater protection in many international privacy laws. This could include information on biometrics, health, or political associations. You will need to obtain explicit, clear and unambiguous consent prior to processing sensitive information. The level of protection required will depend on the laws that govern your state.
You may need an inventory of your computers, laptops and digital copiers to determine the locations where you store personal data. You should examine your computers and file cabinets, as well as home computers, flash drives, mobile devices, and other devices used by employees. You should also consider the personal data your business receives from third parties and suppliers.