8 Ways to Comply with Data Protection Legislation
A large amount of information is collected on people by enterprises. But how should all of this metadata pulled together from various sources be valued? And how can you comply with data protection legislation?
The Data Protection Landscape
People care more about what happens to their personal information. And they will continue to do so as we move into a digitally-dominated environment. The Snowden leaks (related to the National Security Agency in the US and its surveillance activities) and the level of public debate that followed highlight just how important data privacy has become for both citizens and enterprises around the globe.
Get it on the Balance Sheet
Treat your data as an asset. Although there are no clear rules on how to value it from an accounting perspective, it should go on the balance sheet at some point. The new data protection legislation planned for Europe will offer opportunities for enterprises that treat data as an asset, and by this we mean an asset with a value.
Manage it like Other Assets
The planned regulations will put more emphasis on data ownership and the need for governance to ensure data is handled correctly and stays current. But this data needs to be kept alive as people move, products change and all kinds of additional information becomes available. This means that your enterprise needs to make sure it has a real process in place to manage data in the same way you manage other assets.
Making sure customer data is accurate and providing a trace of who changes what and when will help your organization make customer communications more cost effective. Cleaner and enriched databases will offer you the opportunity to create a "single customer view" containing business-critical information. This includes an accurate name and address, purchasing preferences and multichannel delivery and contact points.
Improved Customer Satisfaction
Data will become a very valuable tool in the future and you will be able to do a lot more for your customers if you learn how to leverage the data you collect while ensuring the protection expected by your customers.
Who needs to comply?
Organizations and professionals that need to store personal data from clients in order to do business need to comply. Most companies in Europe that process customer data fall under the requirements of the Data Protection Act. The Data Protection Act can be complex and difficult to interpret. However, it consists of eight key principles that organizations must adhere to.
8 Ways to Ensure Compliance with Current Legislation
1. Obtain and process information fairly
Example: Personal data will be obtained fairly by the tax authorities if it is obtained from an employer who is under a legal duty to provide details of an employee’s pay, whether or not the employee consents to or is aware of this.
2. Keep it only for one or more specified, explicit and lawful purposes
Example: A not-for-profit chess club only uses personal data to organize a chess league for its members. The club is exempt from notification, and the purpose for which it processes the information is so obvious that it does not need to give privacy notices to its members. The specified purpose of processing should be taken to be the organization of the members’ chess league.
3. Ensure that it is adequate, relevant and not excessive
Example: A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to the debtor. During the enquiry some of these people are removed. The agency should delete most of their personal data, keeping only the minimum data needed to form a basic record of a person they have removed from their search. It is appropriate to keep this small amount of information so that these people are not contacted again about debts which do not belong to them.
4. Keep it accurate, complete and up-to-date
Example: A journalist builds up a profile of a particular public figure. This includes information derived from rumors circulating on the Internet that the individual was once arrested on suspicion of dangerous driving. If the journalist records that the individual was arrested, without qualifying this, he or she is asserting this as an accurate fact. However, if it is clear that the journalist is recording rumors, the record is accurate – the journalist is not asserting that the individual was arrested for this offence.
5. Retain it for no longer than is necessary for the purpose or purposes
Example: A bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons.
6. Give a copy of his/her personal data to an individual, on request
Example: An individual makes a request for their personal data. When preparing the response, you notice that a lot of it is in coded form. For example, attendance at a particular training session is logged as "A", while non-attendance at a similar event is logged as "M". Also, some of the information is in the form of handwritten notes that are difficult to read. Without access to the organization's key or index to explain this information, it would be impossible for anyone outside the organization to understand. In this case, the Act requires you to explain the meaning of the coded information.
7. Keep it safe and secure
Example: An organization holds highly sensitive or confidential personal data (such as information about individuals’ health or finances) which could cause damage or distress to those individuals if it fell into the hands of others. The organization’s information security measures should focus on any potential threat to the information or to the organization’s information systems.
8. Do not transfer it outside the European Economic Area unless that country or territory ensures an adequate level of protection
Example: A multinational company transfers a list of internal telephone extensions to its overseas subsidiaries. The nature of the information makes it unlikely that the individuals identified would suffer significant damage in the unlikely event that an unauthorized source obtained the list. It is reasonable to decide that adequate protection exists.