Data is the lifeblood of any business. Accounting records, market research and customer data are amongst the many types of business data used to drive investment decisions and marketing strategies.
While integral to business success, the collection and storage of business data has also come under the spotlight of the General Data Protection Regulation (GDPR). To avoid breaching any data protection laws and risking a fine, it’s important to know when business data might be considered as personal data under the GDPR.
While data about a business itself is not exactly personal, any data that relates to sole traders, business partners, directors and employees — which can be used to personally identify them — is classed as personal information.
Let’s say you have an online employee database which contains an email list. If an employee’s corporate email address contains their full name, such as “[email protected]”, it could be used to personally identify them and is therefore classified as personal data.
On the other hand, if the same email address is something generic like “[email protected]” and can’t be linked to a specific person, the laws wouldn’t apply.
Collecting and storing personal data, like customer credit card details and phone numbers, has long been common practice – however, businesses now face serious consequences if this isn’t done in compliance with local privacy laws.
Any personal data processed by your business becomes your legal responsibility to protect, for which purpose the GDPR has introduced stringent data security requirements. Like how this data should only be collected for a good reason and with each individual’s explicit consent — check out some examples of what opt-in consent looks like. The laws also state that customers should have the ability to opt-in and opt-out of any direct marketing, online tracking or processing of their data.
Your journey to compliance can be tedious, but establishing privacy-led business practices early will save you a lot of time (and grief) later.