Since the GDPR came into force there is still some flagrant ignorance of both the GDPR and the PECR (Privacy and Electronic Communications Regulations). This 9 point checklist issued by the ICO will help small and medium sized businesses that operate online to make sure they collect and use information about the people they deal with properly. This checklist applies to information such as customers’ names and email addresses, or records of their purchases or enquiries. It also applies to information collected through the use of a ‘cookie’, for example where this is used to target marketing at people.
Adopting the following good practice points will give you a competitive advantage because people will trust you with their information and will be more willing to provide the information you need to run your business successfully.
- Consider whether you actually need to collect information about people. Don’t ask people to log in, register or provide their personal details unless you need them to. It is acceptable to ask for this information once people make an enquiry or decide to do business with you.
- When you collect information about people they should know who you are and what you’re going to do with their information. There should be a clear, prominent explanation of this on your website.
- You are under a legal duty to keep customer information secure. Ask your IT supplier to give you advice on encrypting information and make sure staff with access to the information are trained to keep it secure and look after it properly.
- If you use a subcontractor, for example to manage your database, make sure there is a written contract in place that requires them to look after your information properly, including keeping it secure.
- If you are going to use customer information to send them marketing material, e.g. promotional emails, give them a clear choice over this. You should be aware that different rules under the Privacy and Electronic Communications Regulations 2003 might apply depending on the method you use to send the marketing.
- Your website might show content provided by third parties, for example adverts. Although you may not be legally responsible for this content, your customers may assume you are. Therefore it is good practice to act as a single point of contact for the content displayed on your site. For example you need to have proper procedures in place where a customer objects to a particular advert.
- Ensure that you only collect the information that you use. If you no longer require the information then stop collecting it and dispose securely of any unnecessary information that you may have collected.
- Remember that people have a right of access to information you hold about them. Make sure your staff recognise a ‘subject access request’ and know how to deal with it.
- Encourage your customers to check the information you hold about them, for example by giving them online access to their account details. Give them facilities for updating and correcting their records if they are wrong.
For further information on collecting and using personal data online, see the full Personal information online code of practice.
For further information and good practice advice regarding data protection in general, see The Guide to Data Protection from the ICO.