The DPO Centre, in conjunction with Opinium Research, surveyed 2,000 people during the Covid-19 pandemic about their concerns regarding the mishandling of personal data. More people than ever started using online services during lockdown and this turned out to be more than a passing fad, with digital interactions between businesses and customers here to stay.
Companies that interact with their customers online can no longer afford to be complacent about privacy and cybersecurity, especially if they need to be GDPR-compliant, the survey revealed.
“The DPO Centre undertook research during the pandemic that revealed over two fifths (44%) of UK adults have concerns about their personal data being mishandled by companies,” said Rob Masson, CEO of the DPO Centre. “These results highlight that companies need to be doing much more to reassure customers that their data is safe and being stored and processed correctly.”
“Businesses need to show customers that they are collecting their information in a secure and transparent way,” Masson advises. “Four years ago, the GDPR was introduced to help provide consumers with more control over how their data is used [but] this made it more complicated for organisations to comply, which was further exacerbated by the pandemic and the rush to the virtual world.”
Masson says there are a number of practical steps businesses can take to reassure customers that their data will be handled carefully, such as communicating expectations to staff about how personal information should be processed and protected.
“The policies and procedures required to achieve this need to be written in plain English [or the local language of the operator], contain as few words as possible and present practical, actionable procedures and protocols to be followed,” says Masson. “Staff must be trained on the requirements of data protection annually – this training should cover the specifics of these policies, how to identify certain situations, such as a data breach, or data subject rights request, including Data Subject Access Requests, and who specifically within the organisation they should consult with.”
“Organisations must be transparent about their processing – they should publish separate privacy notices for their customers and their employees that detail what personal data is being collected, the purposes for which it is used and the lawful basis upon which it will be processed,” continues Masson. “They should provide clarity around how the data will be protected, how long it will be retained and who enquiries about the processing should be directed to.”
Masson recommends that larger organisations should create a governance committee and appoint data protection champions in all departments, branches or offices. He says this will not only improve communication, but help flag up any issues to senior management as they arise.
“Data protection by design and by default – generally known as Privacy-by-Design – is a requirement of Article 25 of the GDPR, but it is those organisations that embed this practice as standard within their policies and procedures and work to create a company culture that instils a privacy-first approach and mentality that stand to gain the most,” says Masson.
Courtesy of Georgia Lewis