Most businesses these days use the internet, from email communications to full online shopping services. It is therefore vital that any data you collect, send or use over the internet is kept secure.
The Data Protection Act applies to the collection and use of personal data online, and can include the data on PCs, games consoles, mobile phones, media players, or any other equipment that connects to the internet.
It’s really important to get security right the first time when dealing with customer data. Keeping customers safe can offer the following benefits:
- Greater trust and a better relationship with the people you collect information about;
- Reduced reputational risk caused by any inappropriate or insecure processing of data;
- Larger take-up of online services, meaning savings and greater convenience for customers;
- Minimised risks of breaches and consequent enforcement action by the Information Commissioner or other regulators;
- Gaining a competitive advantage by reassuring customers that you take their privacy seriously.
So What Can I Do To Help Keep Customer Data Safe Online?
To start with, you must only collect the information that is relevant. This also applies if you are taking details in person or over the phone. You must not ask for any information you do not need for the specific purpose you are collecting it for. For example, if you are running an online shop, you don’t need to know anything more than name, address, phone number and payment details. It would be wrong to ask for medical history or information about family members.
Ensure that the location where you store data is encrypted and password protected. Make sure you know who has access to the data and change the password regularly. When someone leaves your company, it is best practice to remove their access to data and change every password that person had access to.
Only allow staff access to the information they need to do their job. The more people who have access to data, the greater the risk that a data breach will occur. Make sure each member of staff has appropriate access permissions and that secure access controls are in place, for example password-protected PCs and software.
If your website offers auto-completion on forms, make sure that the customer knows this. This matters because, if their device is stolen, no one else should be able to access their details. The customer shares this responsibility, but if you let them know, they can take the appropriate measures. Never allow auto-completion for payment pages, especially in the card number field.
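As an added illustration (not part of the original article), the following script audits a page’s HTML forms for card fields that still allow browser auto-completion, which is the kind of check a developer can run before a payment page goes live. The field-name heuristic and the sample form are assumptions made for this example.

```javascript
// Added example: flag payment-card inputs where auto-completion is not "off".
// The looksLikeCardField heuristic and SAMPLE_HTML are assumptions for this
// illustration, not a standard or the article's own guidance.

// Parse the attributes inside one HTML tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Heuristic: a card field carries a cc-* autocomplete token, or its name/id
// mentions card, cvv/cvc or expiry.
function looksLikeCardField(attrs) {
  const token = (attrs.autocomplete || "").toLowerCase();
  const label = `${attrs.name || ""} ${attrs.id || ""}`.toLowerCase();
  return token.startsWith("cc-") || /card|cvv|cvc|expir/.test(label);
}

// Return the name/id of each card field that can still be auto-completed,
// honouring autocomplete="off" set on the input or on its enclosing <form>.
function auditPaymentAutocomplete(html) {
  const offenders = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    const formOff = (parseAttrs(form[1]).autocomplete || "").toLowerCase() === "off";
    const inputRe = /<input\b([^>]*)>/gi;
    let input;
    while ((input = inputRe.exec(form[2])) !== null) {
      const attrs = parseAttrs(input[1]);
      if (!looksLikeCardField(attrs)) continue;
      const inputOff = (attrs.autocomplete || "").toLowerCase() === "off";
      if (!formOff && !inputOff) offenders.push(attrs.name || attrs.id || "(unnamed)");
    }
  }
  return offenders;
}

// Constructed sample: the first form leaves the card number auto-completable,
// the second switches auto-completion off for the whole payment form.
const SAMPLE_HTML = `
<form action="/checkout">
  <input name="email" autocomplete="email">
  <input name="card_number" autocomplete="cc-number">
  <input name="cvv" autocomplete="off">
</form>
<form action="/pay" autocomplete="off">
  <input name="card_number">
  <input name="expiry">
</form>`;

console.log(auditPaymentAutocomplete(SAMPLE_HTML)); // ["card_number"]
```

Browsers do not all honour autocomplete="off" in the same way, so treat this as a check on your markup rather than a guarantee that nothing will be remembered on the customer’s device.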
Anti-virus software is an absolute must. It’s worth paying for a really good one and ensuring that it is up to date. Install any security updates as soon as they are available.
Do not keep any customer data longer than you need to. As with any personal data you hold, you must make sure that you only keep it for as long as you need it, and only keep the details that are relevant. For example, you may wish to keep a customer’s full details for a year after their last activity, but after that just their name and address are sufficient, so you have a record of them if they return.
There is no fixed retention period for personal data, but you must make sure you have a policy in place to review what data you hold and dispose of it securely if it is no longer needed.
Make Sure You Tell Customers What You Are Doing With Their Data
When you collect data online you must make sure that you are clear about what you are going to do with it. It’s one of the primary requirements of data protection law. In most cases it’s simple, for example, when someone provides name, address and payment details so that goods can be dispatched. But sometimes it’s more complex and many people may not understand the way their information is used.
You must write a privacy notice that is clear and easy to understand, and post it visibly on your website. A privacy notice outlines what you are collecting, why you’re collecting it, and what you are going to do with it. It is best practice to allow customers to opt out of marketing or other contact from you or third parties. Don’t make this complicated; just state something simple like “we would like to send you emails about offers. Tick this box if you do not want to receive emails.”
What if There is a Data Breach?
If you suspect that data has been leaked, be it about customers, staff or company finances, you should report it straight away to the Information Commissioner’s Office (ICO).
If a data breach occurs, you must assess how serious it is, how many people have been affected and, if possible, immediately shut down the cause. If you have done all that you can, the ICO will look more favourably at your case.
When a breach is reported the ICO will assess the nature and seriousness of the breach and the adequacy of any remedial action you have taken. They may record the breach and take no further action, or investigate the breach. If it’s a serious breach of the Data Protection Act your organisation can be fined up to £500,000.
And finally, seek legal advice as soon as you can. A serious data breach can not only attract a fine from the ICO but you could have customers seeking compensation for the wrongful use of their data.
If you or your company have any issues or questions about data protection please contact Slater and Gordon’s expert Data Protection Solicitors. Call us on freephone 0800 916 9081 or contact us online and we will call you.