Every business collects information about customers and staff, but certain data is considered personal and is subject to privacy laws. For instance, when a disgruntled employee at UK supermarket chain Morrisons leaked details of the contact lists of staff and customers in 2014, the company was penalized for violating privacy laws. The definition of personal information is a key element in a variety of global privacy laws, including the EU General Data Protection Regulation (GDPR).
Personal information includes information on a person's activities, habits and connections that can be used to identify them. For example, a name, address, email address, or phone number can all be used to identify people, as can images, videos and recordings of conversations with your staff and customers. The GDPR also requires you to protect sensitive personal data, and imposes specific disclosure and consent requirements on it.
Sensitive data is considered to be more susceptible to misuse, and so is granted greater protection under many global privacy laws. This might include biometric or health information, or information about political associations. You will need express, unambiguous consent before processing sensitive information. The level of security required will be determined by the laws that govern your state.
You may have to take inventory of all laptops, computers, digital copiers, and other equipment in your workplace to find out where personal data is stored. You should check computers and file cabinets as well as home computers, mobile devices, flash drives and other equipment used by your employees. You should also look at the personal information your company receives from third parties and suppliers.