GDPR – Here’s What You Should Know Before Collecting Customer Personal Data
UK GDPR – The Data Protection Act 2018
The Data Protection Act first came into practice in 1998, two days before the GDPR (the EU General Data Protection Regulation) was introduced to the general public. Both the GDPR and the DPA are intended to protect customers and their data.
There are subtle differences between the two acts. For instance, the GDPR requires companies handling criminal data to have official authority, whereas the DPA does not. If your company caters to both the UK and the EU, you should consider brushing up on both acts. In this article, we will focus mainly on the GDPR.
The major difference between the DPA 1998 and the DPA 2018 is that the latter requires companies to be more transparent about how they harvest data and how they plan to use customer information, and to reproduce, replace or remove data if the customer concerned requests it.
1. Processed Lawfully, Fairly and in a Transparent Manner
For instance, asking for customer email addresses to build a company newsletter is deemed ethical as long as customers know how their email addresses will be used (marketing, connecting, converting etc.). Email addresses collected for marketing purposes cannot later be sold to a third-party company without explicit consent.
2. Purpose Limitation
Data must be ‘collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’ This simply means that customers must know why the data is being collected.
Companies cannot use the data for anything other than the purpose they proposed. Companies in the UK should consider registering with the Information Commissioner’s Office (ICO) and declaring how and why they want to collect certain data. Companies that process personal information only for payroll-related purposes, or for maintaining public sector records, are exempt from this requirement.
3. Data Minimisation
This principle was created to streamline customer data and to harvest as little information as possible. It protects customers from having to provide information that the company has no use for.
Data minimisation works in three important steps. All data must be:
- Adequate – companies must hold enough data to successfully carry out their purpose
- Relevant – all data must be collected for a specific purpose
- Necessary – companies may only collect strictly necessary information
4. Accuracy
Accuracy covers a wide range of data protection rights. According to the GDPR, all customer information must be accurate. Depending on the type of company, incorrect information must either be removed or be marked as ‘incorrect’. Article 5 of the GDPR states that all personal data must be ‘accurate where necessary’.
5. Storage Limitation
Storage limitation controls how long a company can store customer data. It protects customers from unnecessary marketing once they are no longer a prime candidate for a business. Companies cannot keep customer information after the purpose for which it was collected has been fulfilled. There is no set duration for storing customer data, but this principle prevents enterprises from keeping data forever. Companies must ensure customer data is screened regularly and that all outdated data is removed on time. It is recommended to draft a data retention schedule for each category of personal data or record, and then to remove data in accordance with that schedule.
6. Integrity and Confidentiality
This is perhaps one of the most important principles in the DPA because it deals with online safety. The DPA states that all customer data must be handled ‘in a manner [ensuring] appropriate security, protection against unlawful processing, accidental loss, destruction or damage.’
You must take essential cyber security measures to make sure your customers’ identities and data are safe. While it is not mandatory, companies that handle sensitive customer information should consider obtaining an official certification, such as ISO 27001 or the Cyber Essentials certification, to formalise their cyber security practice.
7. Accountability
The final principle ties everything together and holds the company accountable for the data it harvests and stores. It reinforces all the principles above and requires the company to keep track of all customer information.
Companies must be able to produce documentation that proves their compliance with the GDPR when required. They must also be able to show that their data protection measures are sufficient.
How DataOlogie can help you
It may seem overwhelming at first, but if you are looking out for your customers’ best interests, these regulations will come to you quite naturally. As long as you make sure your customers are safe and their data is accurate, securely stored and not used for unethical purposes, you will not fall foul of the law.
Struggling to manage customer data? DataOlogie has deep knowledge of the industry and of data protection laws and regulations, including the GDPR, and can help your company address risks and issues and adhere to the GDPR. Let us give you a helping hand with the customer data protection process so that you can excel in what you set out to do! All the best!
Are you following the GDPR? Or are you struggling to keep your head above water? Tell us all about it in the comment section below.