Perspective in Practice: The Data You Didn’t See
As we move, very pleasantly, into what promises to be an uncommonly sunny late-May Bank Holiday weekend, I wanted to share some insight into a risk that is rearing its head.
When you welcome new clients or customers on board, they probably receive terms of business/terms and conditions that would nowadays most likely include information about data protection.
But what about ‘initial enquiries’ or ‘initial meetings’ or ‘prospective estimates’?
Typically, at the point these are made or sent out, the individuals to whom they are being sent are not yet clients or customers. What is being overlooked, in droves, is that such individuals are nonetheless Data Subjects, and as such they have rights which should be communicated to them without delay; at the latest, at the time that you take their data.
For example, an organisation might arrange approximately ten meetings per week with individual prospective clients/customers. These meetings are arranged in conversations over the telephone or by drop-in at the organisation’s reception desk, during which, the name and contact details of the individual are added to the organisation’s diary.
What is being overlooked here is that when the organisation writes down, electronically retains (in the diary) or otherwise records any personal information about the individual, it is, in fact, recording personal data. Immediately, it has a responsibility to that individual (who has now become the ‘Data Subject’) to safeguard that information and to have effective processes or procedures for the management and, indeed, the disposal of that information in due course.
Also, at the point of taking the information, the Data Subject should be informed of their data protection rights.
For the organisation I mentioned above, this means that they are accumulating approximately 500 sets of data, per year, where the Data Subject has not been adequately informed of their rights or effective controls are not in place.
Further, where such information has not been recognised as being personal data, many organisations are not necessarily recording it in their map/register of data. Nor is there a process or procedure for updating or removing the data when it is no longer required.
In one organisation I encountered, it turned out there were records of such meetings (and copies of proposals/estimates) going back five (yes, five!) years. Many of the staff didn’t realise that this data even existed, and the management team didn’t have a process for controlling or safeguarding it, nor did they realise the extent of the risk. They also realised that even if they were to conduct a substantial amount of work to investigate/update the records, there was almost no way of identifying, in every case, whether those Data Subjects had become a client/customer, had declined the organisation’s services, had changed their name or, for that matter, were even alive.
That is a lot of risk! It would only take one of those Data Subjects to make a complaint for the extent of the problem to unpack with alarming volume and speed.
Some organisations point to their websites. It is not at all uncommon nowadays for websites to include a copy of the organisation’s privacy/data protection policy, so that anyone intending to interact with the organisation has the opportunity to understand how their data would be collected, how it will be used, how it will be kept safe, how long it will be retained and with whom at the organisation to get in touch to discuss any data protection concerns.
Of course, that assumes that those potential clients/customers/visitors will bother to visit the website at all before they interact with the organisation. That assumption is, therefore, clearly not a safe one. And of course, not everybody has access to the Internet.
In contrast to the risk, I am also encountering organisations that have found simple, and efficient, means of dealing with it.
Quite simply, when a telephone call takes place with an individual (the Data Subject) to arrange a meeting, there is a simple ‘script’ that is conveyed to the Data Subject, informing them that the organisation has obtained their personal data in order to organise/facilitate the meeting and that the organisation’s data protection information is available on its website.
Having then informed the Data Subject, the organisation itself must safeguard the personal data it has collected. This means ensuring that the organisation’s management is aware that it has the data, for what purposes and for how long it has held the data. To manage this aspect, at one organisation such bookings/information are passed, on a weekly basis to an individual in the organisation who then maintains a register (an encrypted Excel document) which records all of the meetings that have been arranged, on a weekly or monthly basis.
After a prescribed amount of time (which could be six months, for example) the person who maintains the Excel document instructs that the data is expunged from the organisation’s records, unless, in the meantime, the Data Subject has either become a client/customer (in which case they will have received further data protection information, and the basis for processing their data might have changed anyway) or the Data Subject has cancelled their meeting or asked to be removed from the database.
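The register-and-expunge routine just described is easy to model, and doing so makes the decision rules explicit. The following is an added example written for this post, not the spreadsheet or process of any organisation mentioned in it. It assumes a six-month retention period (182 days), that cancellations and removal requests are actioned at the next review regardless of age, that a Data Subject who has become a client leaves the prospect register for client processing rather than being expunged, and that the audit trail records internal references only, so it does not itself retain personal data. The `notice_given` flag records whether the telephone ‘script’ (or equivalent notice) was delivered at the point of collection.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    PROSPECT = "prospect"                    # meeting arranged, no further relationship yet
    CLIENT = "client"                        # became a client/customer; processed under client terms
    CANCELLED = "cancelled"                  # cancelled the meeting
    REMOVAL_REQUESTED = "removal_requested"  # asked to be removed from the register


@dataclass
class Entry:
    ref: str             # internal reference, used in audit lines instead of the name
    name: str
    contact: str
    recorded_on: date    # date the personal data was first taken
    status: Status = Status.PROSPECT
    notice_given: bool = False   # data-protection information given at collection time


# Assumed retention period: roughly six months, the example figure in the post.
RETENTION = timedelta(days=182)


def review_register(register, today, retention=RETENTION):
    """Classify every entry: refs to expunge, refs to transfer to client
    processing, refs to keep for now. Pure function, so it can be checked."""
    expunge, transfer, keep = [], [], []
    for e in register:
        if e.status in (Status.CANCELLED, Status.REMOVAL_REQUESTED):
            expunge.append(e.ref)      # actioned immediately, whatever the age of the record
        elif e.status is Status.CLIENT:
            transfer.append(e.ref)     # leaves the prospect register; basis for processing has changed
        elif today - e.recorded_on >= retention:
            expunge.append(e.ref)      # prospect data older than the retention period
        else:
            keep.append(e.ref)
    return expunge, transfer, keep


def missing_notice(register):
    """Refs of entries where no data-protection information was given at collection."""
    return [e.ref for e in register if not e.notice_given]


def apply_review(register, today, retention=RETENTION):
    """Return the register after the review plus one audit line per removed entry."""
    expunge, transfer, _ = review_register(register, today, retention)
    gone = set(expunge) | set(transfer)
    audit = [f"{today.isoformat()} expunged {r}" for r in expunge]
    audit += [f"{today.isoformat()} transferred {r} to client records" for r in transfer]
    return [e for e in register if e.ref not in gone], audit


# Constructed sample register (fictional people) as it might stand on 1 July 2019.
SAMPLE = [
    Entry("P-001", "A. Example", "a@example.invalid", date(2018, 11, 5)),                     # older than six months, no notice
    Entry("P-002", "B. Example", "b@example.invalid", date(2019, 3, 20), notice_given=True),  # within period
    Entry("P-003", "C. Example", "c@example.invalid", date(2019, 1, 8), Status.CLIENT, True),
    Entry("P-004", "D. Example", "d@example.invalid", date(2019, 6, 28), Status.REMOVAL_REQUESTED, True),
    Entry("P-005", "E. Example", "e@example.invalid", date(2019, 5, 2), Status.CANCELLED, True),
]

if __name__ == "__main__":
    today = date(2019, 7, 1)
    print("expunge / transfer / keep:", review_register(SAMPLE, today))
    print("no notice given at collection:", missing_notice(SAMPLE))
    remaining, audit = apply_review(SAMPLE, today)
    print("remaining:", [e.ref for e in remaining])
    print("\n".join(audit))
```

The `missing_notice` check is the one worth running first: a record that was taken without the Data Subject being told anything is the exact gap the post describes, and it is invisible in a diary that only stores names and dates.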
There are other ways to manage this risk, including some very capable customer/client management systems and applications. But, at present, the lack of visibility or control is staggering in its proportion, for something that is actually, remarkably easy to resolve.
Before I ‘close down’ for the Bank Holiday weekend, it would be remiss of me not to point out that whilst I have been referring to ‘prospective clients/customers’ as Data Subjects, exactly the same principles apply to any natural person whose data you obtain for similar purposes, including potential suppliers/contractors, maintenance people and, of course, prospective staff.
It is easy to focus attention on the avoidance of highly visible, large breaches and areas of risk; the sort that is often reported in the news. But it is sometimes the smaller aspects that actually become a threat, simply because they weren’t spotted in the first place.
We have helped dozens of organisations to identify/map their data and to apply ‘real world’ processes and training to manage risks like these.