
How Can Organisations Protect Their Customers' Personal Data?

Published 24 January 2023

Individuals must protect their own personal data and be cautious when sharing it. The same is true of any organisation or company with which data are shared: it too must protect that data and be wary when sharing it onward.

During International Data Privacy Week, data privacy professionals at Bridewell recommend three aspects for organisations to consider.

1. Ensure You Have a Lawful Basis to Process Personal Data

An easy way to keep track of the data you are processing, why, where it is stored, how it is collected and with whom it is shared is to keep your Record of Processing Activities (ROPA) up to date. Not only does this demonstrate accountability, and make the information available when the ICO requests it, but it is also a practical record against which you can check that every instance of personal data processing in your organisation has been recorded together with its lawful basis. Don't forget to include your rationale for selecting one of the lawful bases under Article 6 of the GDPR, and under Article 9 if your processing involves special category data.

It's worth noting that just because personal data are available online, it does not mean they can be scraped, collected, stored and then used. Such activities also need to be recorded and to have a lawful basis.

2. Privacy Notices and Cookies

Be transparent. Transparency is a key data protection principle that enables individuals to exercise their rights. Additionally, by being open and honest about what you are doing with an individual's data, you increase their confidence in you as an organisation. It is also likely to have a positive effect on potential customers and other business organisations.

Have a privacy notice or policy readily available on your website, or wherever it will be seen and read. This notice is best written with the help of the Record of Processing Activities, so that nothing is missed. You should also ensure that your privacy notice is not written in legalese and is easy to understand by the people who will be reading it: your customers. Consider their needs and adjust your privacy notice accordingly, which may mean delivering it as an audio recording, in braille, or in a gamified form.

No one wants to be faced with innumerable options on cookie banners; keep it simple. Give the user an 'accept all' and a 'decline all' option and stay away from nudge behaviour (encouraging the user to select one option over the other). Again, clearly explain what cookies you would like to drop and why. Letting your customers know what the cookies do, and why, gives them greater control and creates trust.
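As an added example (not Bridewell's code), the two-choice banner described above can be backed by a consent model that treats "no choice yet" and "decline all" identically, so that non-essential cookies are only ever set after an explicit "accept all". The cookie names and purposes below are constructed for illustration.

```javascript
// Constructed cookie register: each cookie carries a plain-language purpose so
// the banner can say what it does and why, as the text above recommends.
const COOKIE_REGISTER = [
  { name: 'session_id',   essential: true,  purpose: 'Keeps you logged in for this visit.' },
  { name: 'analytics_id', essential: false, purpose: 'Counts page views so we can see which pages are useful.' },
  { name: 'ab_variant',   essential: false, purpose: 'Remembers which version of a page you were shown.' },
];

// Consent starts 'unset'. Only an explicit 'accepted' unlocks non-essential
// cookies; 'unset' and 'declined' behave the same (privacy by default).
function createConsent() {
  return { state: 'unset', at: null };
}

// Record exactly one of the two equal-weight choices; anything else is rejected
// rather than silently treated as acceptance.
function recordChoice(consent, choice) {
  if (choice !== 'accept_all' && choice !== 'decline_all') {
    throw new Error(`unknown choice: ${choice}`);
  }
  return {
    state: choice === 'accept_all' ? 'accepted' : 'declined',
    at: new Date().toISOString(),
  };
}

// Names of the cookies that may be set under the current consent state.
function allowedCookies(consent) {
  return COOKIE_REGISTER
    .filter(c => c.essential || consent.state === 'accepted')
    .map(c => c.name);
}

// Banner content: every cookie with its purpose, and the two options presented
// as equals (same wording weight, same order, no pre-selected default).
function bannerText() {
  const cookies = COOKIE_REGISTER.map(
    c => `${c.name}${c.essential ? ' (essential)' : ''}: ${c.purpose}`
  );
  return { cookies, options: ['Accept all', 'Decline all'] };
}
```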

3. Protect the Data

Protecting data is a fundamental security principle that is woven into data privacy and therefore covers a wide range of areas. An organisation is required to process data securely through 'appropriate technical and organisational measures', so the approach it takes will be tailored to the organisation and the data it processes. There are many elements to consider: policies and risk analysis as well as physical and technical measures. These measures need to be integrated into business practices from inception onwards, so that data privacy is considered at the start of everything an organisation does. This is more commonly known as 'data protection by design and by default'.

The same considerations flow down to suppliers, who must also have the appropriate contractual obligations in place. This leads on to personal data breach procedures: everyone within an organisation should have data privacy training so that they can not only recognise a personal data breach but also know how, and to whom, to report it. Inadequate information security leaves your services, systems and customers at risk, which may cause them real harm and distress.

Data Privacy Week 24-28 January

The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Nigeria, Israel and 47 European countries. The week originates from The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was ratified by the Council of Europe on 28 January 1981. This treaty was the first international treaty concerning data protection and the privacy right of individuals.