Data Privacy For Beginners
By Ching Hei Cheung, Last updated: 2021-08-04 (originally published on 2019-10-22)
With the rise of technology as an indispensable facet of the business market, transactions between companies and consumers have never been more convenient or efficient. However, this transition towards an increasingly technology-based business industry brings with it a plethora of security scares and privacy breaches. Ensure that your company issues the appropriate documents and data policies in order to keep your consumers informed about how their data is being used online.
It’s Happening Now
Data privacy has quickly become an issue of increasing urgency. From social media scandals to privacy and security threats, discussions about personal data and the role of consent in today’s cyber age of online transactions are extremely prevalent. For businesses at any stage of their lifecycle, data, including that of customers, employees, and business partners, is among the company’s most valuable and irreplaceable assets. Apart from the data security concerns that a company should be aware of, you should also note that there are legal obligations on how personal data must be handled. These obligations govern the way a business runs on a daily basis so as to ensure confidentiality and privacy.
Firstly, a Data Protection Policy
Many companies rely on the efficiency and convenience of technology as a major component of their business to maximise their outreach and network. If your business uses computer equipment, operates online, or even uses email to conduct business correspondence and transactions, you need to ensure that you put in place an effective data protection policy.
While conducting business transactions online has become increasingly popular and brings immediate productivity gains, it nevertheless demands more stringent internal procedures. These will ensure that employee, client, or partner information is not at risk of being leaked. A leak will surely jeopardise the reputation of your company and its relationships with customers.
A data protection policy is an internal document that serves as the core of an organisation’s privacy compliance practices. For businesses in the EU, it demonstrates compliance with the General Data Protection Regulation (GDPR) and, above all, an awareness and acknowledgement of the importance of data confidentiality.
It is recommended that every data protection policy include the purpose of the policy, which, for EU companies, should explain its relation to complying with the GDPR. It should also define the key terms used within the policy, such as controller, processor, and data subject; state its scope and exactly who it applies to; and set out the main principles of data protection and how your company intends to hold itself accountable to these guidelines. It may be useful for your business to appoint someone as a Data Protection Officer (DPO), whose contact information should be included in this document.
Data Request Form
Because business transactions and correspondence are conducted online, the client or consumer also has the ability to issue a Data Request Form and obtain a copy of their personal data as well as other relevant supplementary information. This information may be requested for a myriad of reasons, but most importantly, responding to such requests demonstrates the company’s willingness to keep its customers informed about how and why it is using their information, and to ensure that these processes are legal.
From a business standpoint, an individual, whether it be a customer or employee, is entitled to obtain the following information from your company:
- Confirmation that you are processing their personal data;
- A copy of their personal data; and
- Other supplementary information – this corresponds to information that you may choose to include within your company’s aforementioned Data Protection Policy.
An individual only has the right to obtain information regarding their own personal data, and not information relating to other people, unless that information is also about them or they are acting on behalf of someone else. Therefore, it is important that your company and its employees are clear on what your data policy entails and whether the requested information directly relates to the requester’s own personal data.
Data Request Response Letter
Ultimately, your company should issue a Data Request Response Letter as common practice in response to the individual’s request; a customisable template for this letter, curated specifically for any business’ clients and customers, is available on Zegal. Other information that individuals have the right to obtain includes:
- The purposes of processing personal data;
- The recipients you disclose the personal data to;
- The retention period for storing personal data, or the criteria used to determine how long the information will be stored;
- The safeguards you provide if you transfer personal data to a third country or international organisation.
Data Erasure Request Form
Conversely, under Article 17 of the GDPR, individuals have the right to have their personal data erased, often referred to as the ‘right to be forgotten’. However, this is not an absolute right and is subject to certain limitations under which it does not apply. In any case, an individual may issue a Data Erasure Request Form, available on Zegal for your convenience, but the request may only be granted in the following circumstances:
- The personal data is no longer necessary for the purpose which you originally collected or processed it for;
- The business is relying on consent as the lawful basis for which the data can be held, and the individual withdraws their consent;
- The business has processed the personal data unlawfully;
- The business is relying on legitimate interests as a basis for processing personal data, and there is no legitimate interest to continue the processing.
Data Erasure Request Response Letter
Thus, the business may, through the issuance of a Data Erasure Request Response Letter, either grant the individual’s request to have his/her information erased, or reject the request, stating its justification for not doing so in the response letter. Examples of circumstances where the right to erasure does not apply include cases where the personal data is being processed to:
- Exercise the right of freedom of expression and information;
- Comply with legal obligations;
- Establish, exercise, or defend legal claims.
Data privacy is often considered one of the most laborious, time-consuming, and meticulous components of modern business, whether for a startup or an established company. What’s more, with technology advancing rapidly day by day, employees and customers alike increasingly demand more stringent means of protecting the data that they entrust to a business.
Thus, it is extremely important that your business issues all the relevant data request forms and privacy policies. And we’re here for you. All these templates are available right here on Zegal to make your life much easier and help you to maintain a loyal customer base, reaffirm the values of the company as a whole, and reassure consumers by implementing means of protecting private data.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.
Ching Hei Cheung is a first-year law student and aspiring solicitor studying at the University of Bristol. She is involved in a myriad of extra-curricular activities, such as the debating team, where she obtained first place in a national competition judged by a panel of legal professionals from Baker McKenzie, as well as the commercial awareness society and the pro-bono society, in order to refine her existing skills in public speaking and negotiation and to develop a greater understanding of the commercial market that encapsulates the everyday workings of the legal sector.