There is no doubt that management's focus is on the continuous growth of the business, but such endeavours need to happen in a legally compliant manner.
Each department of a business has its own specific legal challenges. One topic, though, is, or at least should be, a common concern of all departments: data privacy compliance.
To a certain degree, personal data is processed by the HR department, but also by marketing, sales and accounting, and even by the administrative department, which handles the company's correspondence through the front desk and continuously monitors the premises through the CCTV system.
These topics are certainly not new or unfamiliar to businesses. That is why the aim of this article is to recall some of them that are still disregarded or not properly implemented, and which raise major red flags in respect of data privacy compliance. Whereas technical/IT protection measures are usually given sufficient importance, measures of an organizational nature, which seem less likely to generate risks, are in most cases given low priority, even though human error is, more often than not, the biggest source of risk.
Hence, from a practical perspective, how much personal data may be collected and used, to what extent and in what circumstances, are still current questions to ask each time the company needs to process personal data.
Let’s see some examples of non-compliant practices that companies need to eliminate from their daily data processing activity.
Why eliminate them? Because every manager needs:
to protect business growth from fines;
to protect the company’s image and reputation on the relevant market;
to make sure that the company is compliant with the contractual obligations undertaken by it towards its business partners.
Here is our blacklist of data-privacy-related conduct that companies need to keep away from:
Sending significant quantities of personal data by email without protection, or communicating the password needed to open it through the same channel or, even worse, in the same email. Protecting the documents sent by email with a password is a safety belt in case the sender, by mistake, picks the wrong address from the Outlook address book. The risk of sending an email to the wrong addressee is potentially higher than the risk of a cyberattack on the email server! So use the safety belt: encrypt the attachment with a strong passphrase (a viewing password on an old document format is not the same as real encryption), send the passphrase through a different channel such as a phone call or SMS, and never paste it into the message that carries the file.
Disregarding the fact that business email addresses containing the names of the company's employees or representatives are personal data too, and that the prior consent of those data subjects is needed before sending them marketing communications.
Sending marketing communications even after the targeted individuals have exercised their right to object to such processing, or even their right to be forgotten. Keeping up-to-date records of the contact details that opted out of marketing communications or requested the erasure of their personal data is highly recommended, as is checking every campaign list against those records before each send.
Disregarding the data minimisation principle. Do not collect and use more personal data than you need for the specific purpose you envisage. The person in charge of processing for a specific purpose should draw up a list of the categories of personal data that might be needed for that purpose and then ask why each category is needed. It should not come as a surprise if no reasonable and objective explanation can be found for processing some of those categories. If that happens, there is no need to process that category of data for that purpose.
Starting the processing activity without prior notification of the data subjects. Provide a notice of information to individuals before collecting their personal data. They need to know, before disclosing their personal data, what the company is going to do with it and for how long. Use the contracts signed with individuals or legal entities, the company's website and the company's social media account(s) to provide that notice. The most important aspect is to communicate it in a way that ensures the data subjects are properly informed.
Asking employees for their consent to the processing of their data for employment purposes. Relying on consent as the legal basis for processing should be avoided in an employment relationship, because consent is unlikely to be freely given where there is an imbalance of power and the employee can hardly refuse. The processing of data related to employment contracts has other legal grounds, such as the performance of the employment contract, compliance with legal obligations and the employer's legitimate interest. There may be cases where consent is the appropriate legal basis for processing employees' personal data; these need to be analysed case by case.
Not applying the "clean desk" rule and leaving printed documents at the printer or elsewhere in unsecured places in the office. If someone takes a paper containing personal data, this is clearly a data leak and a potential security incident, and may have to be assessed as a personal data breach like any electronic one.
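The first item of the blacklist above, protecting an emailed attachment so that a mis-addressed message exposes only ciphertext and the passphrase never travels in the same email, as an added shell example that is not part of the original article. It assumes the openssl command-line tool is installed; the payroll file, the draft email body and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): encrypt a personal-data attachment before it
# leaves the mailbox, and check that the passphrase is not being shipped in the same
# message. Assumes the openssl command-line tool is installed (1.1.1 or later for -pbkdf2).
set -eu

# encrypt_attachment PLAINTEXT PASSPHRASE OUTPUT
# AES-256-CBC with a key derived from the passphrase and a random salt by PBKDF2
# (100000 iterations). The passphrase is handed over through the environment rather
# than as an argument, so it does not show up in the process list or shell history.
encrypt_attachment() {
    ATTACH_PASS="$2" openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -in "$1" -out "$3" -pass env:ATTACH_PASS
}

# decrypt_attachment CIPHERTEXT PASSPHRASE OUTPUT
# Returns non-zero when the passphrase is wrong (the derived key does not decrypt).
decrypt_attachment() {
    ATTACH_PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -in "$1" -out "$3" -pass env:ATTACH_PASS 2>/dev/null
}

# passphrase_in_body PASSPHRASE DRAFT_FILE
# Returns 0 (true) if the passphrase appears in the draft email body, i.e. the sender
# is about to send the key together with the lock. Run this before sending.
passphrase_in_body() {
    grep -qF -- "$1" "$2"
}

# roundtrip_ok PASSPHRASE: the correct passphrase restores the original file byte for byte.
roundtrip_ok() {
    d=$(mktemp -d)
    printf 'Employee,Salary\nA. Popescu,4200\n' > "$d/payroll.csv"   # constructed sample data
    encrypt_attachment "$d/payroll.csv" "$1" "$d/payroll.csv.enc"
    rc=1
    if decrypt_attachment "$d/payroll.csv.enc" "$1" "$d/payroll.out" \
       && cmp -s "$d/payroll.csv" "$d/payroll.out"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

# wrong_passphrase_fails GOOD_PASS BAD_PASS: a wrong passphrase must never yield the
# plaintext. Normally decryption fails outright; in the rare case the padding check
# happens to pass, the output is garbage and still differs from the original.
wrong_passphrase_fails() {
    d=$(mktemp -d)
    printf 'Employee,Salary\nA. Popescu,4200\n' > "$d/payroll.csv"   # constructed sample data
    encrypt_attachment "$d/payroll.csv" "$1" "$d/payroll.csv.enc"
    rc=0
    if decrypt_attachment "$d/payroll.csv.enc" "$2" "$d/payroll.out" \
       && cmp -s "$d/payroll.csv" "$d/payroll.out"; then
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

# Demonstration with constructed data. The passphrase goes to the recipient by a
# different channel (phone call, SMS), never in the email that carries the file.
main() {
    pass='correct horse battery staple 2024'
    roundtrip_ok "$pass" && echo "correct passphrase: attachment restored"
    wrong_passphrase_fails "$pass" 'password1' && echo "wrong passphrase: attachment unreadable"
    draft=$(mktemp)
    printf 'Hi, payroll attached. The password is %s\n' "$pass" > "$draft"   # constructed draft
    if passphrase_in_body "$pass" "$draft"; then
        echo "do not send: the passphrase is in the same email"
    fi
    rm -f "$draft"
}
main
```

Password-protected ZIP or Office files are only as strong as the cipher behind them and the passphrase chosen; the openssl route above gives a known cipher and key derivation, and the pre-send check catches the most common slip, pasting the passphrase into the very message it is meant to protect.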