Every business gathers information about customers and staff. However, certain information is considered personal and can be regulated by privacy laws. For instance, when a disgruntled employee at UK supermarket chain Morrisons released employee and customer contact lists in 2014, the business was penalized for violating privacy law. The definition of personal information is part of a number of global privacy laws, including the EU General Data Protection Regulation.

Personal information includes information on a person’s habits, activities and connections that can be used to identify them. For example, a name and address, a phone number or an email address can all be used to identify people, as can videos, photos and even recordings of conversations between your employees and customers. The GDPR also requires that you protect sensitive personal information, and imposes specific disclosure and consent requirements on it.

Many privacy laws across the world offer greater protection for sensitive data. This can include information about biometrics, health or political affiliations. You usually need express, clear and unambiguous approval to process sensitive information, and the level of security you are required to provide differs based on the laws in your jurisdiction.

You may need to take an inventory of all computers, laptops, digital copiers and other equipment in your workplace to determine where personal data is stored. You should examine computers and file cabinets as well as home computers, mobile devices, flash drives and other equipment used by your employees. You should also look at the personal information your business receives from third parties and suppliers.
