Data is everywhere and smart companies know how to use customer data to their advantage. If you regularly harvest customer data to understand consumer patterns and for remarketing purposes, you must know about the rules and regulations that protect customers from unethical data harvesting practices. The GDPR – Data Protection Act 2018 (DPA 2018) in the UK, protects customer personal data and prevents it from being misused and protects it. Here are points to know about the Data Protection Act 2018 when processsing customer data.

UK GDPR – The Data Protection Act 2018

The Data Protection Act first came into practice in 1998, two days before the GDPR (EU General Data Protection Regulation) was introduced to the general public. The GDPR and the DPA are set to protect customers and their data.

There are subtle differences between the two acts. For instance, the GDPR requires companies handling criminal data to have official authority, the DPA does not. If your company caters to the UK and the EU, you should consider brushing up on both acts. In this article, we will focus more on the GDPR.

The major difference between the DPA 1998 and the DPA 2018 is that the latter requires companies to be more transparent with their data harvesting methods, how they plan to use customer information and to reproduce, replace or remove data if requested by respective customers.

1. Processed Lawfully, Fairly and in a Transparent Manner

All personal data that is provided by customers who know where the data is being (or going to be) used. This principle prohibits companies from extracting data without the customer’s knowledge and informing them through a Privacy Policy/Notice (We can help you draft a Privacy Policy for your company).

For instance, asking for customer email addresses to build a company newsletter is deemed ethical as long as customers know how their mails will be used (marketing, connecting, converting etc). The email addresses cannot be harvested for marketing purposes and later sold to a third party company without explicit consent.

2. Purpose Limitation

Data must be ‘collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’ This simply means that customers must know why the data is being collected.

Companies cannot use the data for anything other than what was proposed. Companies in the U.K should consider registering with the Information Commissioner’s Office (ICO) of how and why they want to collect certain data. Companies that process personal information for payroll related data or for maintaining the public sector are the companies exempted from this policy.

3. Data Minimisation

This principle was created to streamline customer data and harvest as little information as possible. It protects customers from giving information that has no use in the company.

Data minimisation works in three important steps. All data must be:

Adequate – Companies must have enough data to successfully carry out their purpose

Relevant – All data must be collected for a specific purpose

Necessary – Companies can only collect strictly necessary information

4. Accuracy

Accuracy covers a wide range of data protection rights. According to the GDPR, all customer information must be deemed accurate. Depending on the type of company, incorrect information must either be removed or be marked as ‘incorrect’. Article 5 of the GDPR states that all personal data must be ‘accurate where necessary’.

5. Storage Limitation

Storage limitation controls how long a company can store customer data. It protects customers from unnecessary marketing when they are no longer a prime candidate for a business. Companies cannot keep customer information after the purpose of the information is fulfilled. There is no set duration for storing customer data but this principle prevents enterprises from keeping data forever. Companies must ensure customer data is regularly screened and that all outdated data is removed on time.  It is recommended to draft data retention schedules for category of personal data or record and then remove data in accordance with the retention schedule.

6. Integrity and Confidentiality

This is perhaps one of the most important principles in the DPA because it deals with online safety. The DPA outlines that all customer data must be handled ‘in a manner [ensuring] appropriate security, protection against unlawful processing, accidental loss, destruction or damage.’

You must take essential cyber security measures to make sure your customer’s identities and data are safe. While it is not mandatory, companies that handle delicate customer information should consider getting an official certificate, like the ISO 27001, to solidify their cyber security knowledge, or Cyber Security essentials certification.

7. Accountability

The final principle puts everything together and deems the company accountable for the data harvested and stored. This regulation reinforces all the principles above and forces the company to keep track of all customer information.

Companies must be able to produce documentation that proves their compliance with the GDPR when required. They must also be able to prove that their data protection methods are sufficient.

How DataOlogie can help you

It may seem overwhelming at first but if you are looking out for your customer’s best interests, these regulations will come to you quite naturally. As long as you are making sure your customers are safe, their data is accurate, safely stored and not used for unethical reasons, you will not get in trouble with the law.

Struggling to manage customer data? Dataologie has deep knowledge of industry and data protection laws and regulations including the GDPR and can help you company solve for risks and issues and adhere to the GDPR. Let us give you a helping hand with the customer data protection process so that you can excel in what you set out to do! All the best!

Are you following the GDPR? Or are you struggling to keep your head above water? Tell us all about it in the comment section below.