Businesses collect data about their customers and employees. However, some of this data is personal and therefore subject to privacy laws. In 2014, an unhappy Morrisons employee leaked contact details for staff and customers. The company was penalized for violating privacy laws. A number of privacy laws across the world, such as the EU's General Data Protection Regulation (GDPR), employ this definition of personal data.
This includes information on a person's habits, activities and relationships that can be used to identify them. For example, a person's name, address, email address or telephone number can be used to identify people, as can photos, videos and voice recordings of conversations with your employees and customers. The GDPR also requires you to protect sensitive personal information and imposes specific disclosure and consent requirements on it.
Sensitive data is viewed as more vulnerable to misuse and therefore is given greater protection under various global privacy laws. This could include information on biometrics, health or political affiliations. You usually need express, unambiguous consent to process sensitive information, and the degree of security you must afford it will vary according to the laws of your jurisdiction.
You may need to keep an inventory of your laptops, computers and digital copiers to determine where you keep personal information. You should look through file cabinets and computer systems, as well as home computers, mobile devices, flash drives and other equipment used by your employees. You should also take into account the personal information your business receives from suppliers and third parties.
