
6 Things You Have to Take Into Account When Handling Customer Data

by Esther Idris Beshirová

Nearly 92% of companies use a database to store information on customers or prospects. You probably already know that every system you use to store customer data must comply with the GDPR. Here are some of the key areas you can improve to protect that data adequately.

1. Stop thinking of the GDPR as an enemy

Since the GDPR came into effect, breaches of the regulation have done a lot of damage to consumer trust, and the size of the fines some companies suddenly had to pay has frightened many businesses. Trust, however, remains a crucial commodity, and the GDPR is not just another irritating bureaucratic burden for your business – it actually helps you build a trustworthy relationship with your customers.

So, instead of being scared, try to think of it as a guide that keeps your customers from withholding their data or abandoning your company altogether. For example, you can start by establishing a privacy portal where customers can access the data you hold on them and give their consent to the personalised services they find valuable.

Or you can challenge yourself to make your privacy statement more readable, as the share of people who read privacy statements in their entirety is still very low. According to a 2019 survey by the European Commission, only 13% of the 27,000 respondents read privacy statements to the end. Most give up because the statements are too long or too difficult to understand. Every online company that cares about its reputation should provide a privacy statement that is concise, transparent and easily understandable by all users.

2. Make sure that you and your colleagues understand the term “personal information”

Sounds odd or too basic? The term is still widely misunderstood in businesses, so it is essential to define properly what personal information is.

Today, each of us leaves data trails of our personal lives on the internet, much like Hansel and Gretel laying a trail of breadcrumbs to find their way home – except that anyone could use these breadcrumbs to track us. Personally identifiable information (PII) consists not only of IBANs, ID numbers, email addresses and contact details. The GDPR itself uses the broader term "personal data", meaning any information relating to an identified or identifiable natural person (Article 4(1)), and that includes social media posts, profile images, device identifiers and IP addresses.

In an interview, IT expert Jaroslav Oster stressed that an understanding of these nuances should be part of effective GDPR training. “In small and medium-sized companies, they are gradually beginning to understand that information security can’t be built without adequate training of employees – the main users of a company’s information systems,” he explained.

3. Choose a good DPO

If your business involves regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, as a core activity, then you must appoint a data protection officer (DPO); public authorities must appoint one in any case (Article 37). The DPO’s main responsibility is to inform and advise the organisation and to monitor that all processes touching personal data comply with the GDPR – and that covers not only customer data but also the data of your staff, suppliers and any other individuals your business deals with. Note that the DPO monitors compliance; accountability for it remains with the company as controller.

But how do you choose one? A DPO needs to understand the practical implications of data privacy regulations and know how to assess levels of risk and present appropriate solutions to management. The DPO should therefore also have well-developed persuasive and negotiating skills, and must be able to act independently – the role cannot be combined with tasks that would create a conflict of interest, such as deciding the purposes and means of processing (Article 38).

4. Keep evidence of compliance

Sooner or later, you may be called upon to explain how your business handles data. Do you really use customer data only for the purpose it was collected for? Good. But are you prepared to prove it to a regulator, i.e. your national supervisory authority?

The GDPR’s accountability principle (Article 5(2)) means you must be able to demonstrate compliance, not merely assert it. The minimum is a record of processing activities (Article 30): what data you hold, why, on what legal basis, who it is shared with and how long you keep it. Beyond that, keep track of all data touchpoints, from collection to use and deletion. Data loss prevention (DLP) tooling and processes help your organisation reconcile information across systems and build stronger auditing that can trace data trails. Do not forget about the data you store offline or on paper. This is especially important during any crisis that changes the way you run your business, such as COVID-19.

5. Do not leave compliance with the GDPR to one department

Leaving responsibility for compliance solely to your IT department is not the right solution. The GDPR affects many different areas of the business, and all of your employees should receive training so they understand how it affects both them and your customers.

If you have your own IT team, it will certainly be able to manage some of the key steps towards better GDPR compliance. But if it has to manage everything, it is likely to be overwhelmed: your IT staff also need to stay on top of patching, monitor for threats and be ready to respond to security incidents. Responsible employee behaviour will go a long way towards relieving that burden.

6. Beware of accidental spread of information about customers on the internet

Monitoring of data leaks has turned up a lot of surprises. Even though customer details are regarded as one of the most critical data assets – above all in healthcare and the financial sector – businesses are still suffering leaks of sensitive customer data such as signed contracts and copies of ID documents.

This often happens through negligence. Such data is sometimes uploaded to public file-sharing servers where anyone can download it, and there are darknet markets where it can be sold on. Under the GDPR, your customers have the right to know what data you hold on them (right of access, Article 15) and to have it deleted (right to erasure, Article 17). Make sure you have implemented appropriate technical and organisational security measures (Article 32) to keep this data safe, and remember that a breach of personal data must be reported to the supervisory authority within 72 hours of becoming aware of it (Article 33).

Did COVID-19 create special measures in relation to the GDPR?

Yes.

The Chair of the European Data Protection Board (EDPB) has issued a statement clarifying that the GDPR allows employers to process personal information in the context of epidemics, such as the current COVID-19 situation. Consent of the data subject is not required where employers can rely on an appropriate legal basis, such as reasons of public health and the public interest, or the protection of vital interests.

For example, employers may require health information from employees to ensure they can fulfil their duties. Information about staff who have contracted COVID-19 should be communicated to other staff only as far as necessary, for example to prevent further spread, and employees should be made aware that their information will be shared and with whom. Any processing of health data must comply with national law.

Do not forget that data protection law still applies to any personal information an organisation uses for disease control or other purposes, and that health data is a special category requiring a higher degree of protection. It should be clear to individuals why a business is collecting their information, how it is being used, and that it is not being used for commercial gain.