As a business owner, you must ensure that your company handles sensitive information, including consumer data, safely and securely. This is important from a customer service perspective. Additionally, it is a requirement of the General Data Protection Regulation (GDPR). It is essential that your company fully complies with the GDPR due to the powers given to the Information Commissioner’s Office (ICO) to issue fines of up to £17.5m to businesses that fail to do so. This article will explore the limits the GDPR establishes on customer data collection in England to help your business avoid hefty fines from the ICO.
What Limits Does the GDPR Place Upon My Company’s Collection of Customer Data?
The GDPR attaches great importance to customer information. In particular, the GDPR sets rules regarding pieces of personal information that can identify the customer, such as their:
- name;
- address; or
- telephone number.
Some of the main rules set by the GDPR regarding customer data include:
- your organisation must only keep customer data for as long as reasonably necessary;
- you must ensure your company handles all customer data openly and transparently; and
- your business must ensure that it does not collect information that is irrelevant, excessive or outside the purpose given to the customer.
Let us explore each of these limits in turn below.
1. Only Store Customer Data Whilst it Remains Useful
The GDPR and the ICO require your business to keep customer information only for as long as it is reasonably necessary. This means that your organisation should delete any customer data which no longer serves a useful purpose.
In the first scenario, the customer’s email address remains useful information because the individual asks your company to continuously send them an email newsletter until any date upon which they unsubscribe.
However, in the second scenario, it is questionable whether you need to keep the email address of a one-off customer from two years ago who has no interest in email correspondence. Your business should assess whether to delete the data within its next data audit.
2. Handle All Customer Data Openly and Transparently
It is important to inform customers of your responsibilities and intentions regarding their information. Many businesses do so through a Data Privacy Policy (or similar), which can live on the company website.
3. Avoid Collecting Irrelevant or Excessive Information
One of the ICO’s main concerns involves businesses collecting irrelevant or excessive information. Instead, the ICO expects organisations to sieve such data and only record information allowing the parties to conduct business with each other.
For example, suppose a customer enters a shop to purchase milk. The ICO would disapprove if the cashier attempts to record their full name, postal address and phone number. This is because it is irrelevant to the transactional relationship.
In contrast, if an individual enters a bank to open a new bank account, the need for accurate ID would warrant collecting their full name, address, driving licence, and passport details. This is because all this information is relevant to confirming the individual’s identity. In this way, the GDPR and ICO focus on an actual need for information rather than setting hard lines. In reality, this means that your business must be able to provide reasoning for collecting certain types of personal data. Additionally, you must demonstrate that you do not breach the GDPR’s collection terms.
Key Takeaways
It is wise for your company to limit the amount of customer data in its possession. Doing so limits the risk of non-compliance with the GDPR whilst also lowering the risk of a hefty ICO fine in the event of a cyber attack (because less customer information is at risk of theft). From a financial standpoint, storing a lower amount of customer data also makes sense because it can help limit the cost of any digital storage devices (or the cost of online cloud storage).
If you need help ensuring your business collects and stores customer data in line with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The ICO has the power to enforce fines of up to £17.5m against businesses in England. However, this is a ceiling and, realistically, penalties in the millions of pounds are relatively rare. That said, it is not uncommon for the ICO to hand out fines in the tens of thousands of pounds, so your business still needs to take heed of them and the relevant GDPR rules.
Because the GDPR (and, by extension, the ICO) believes that personally identifiable information (data that can identify an individual) is worth enhanced protection. Your organisation should take every reasonable step to protect this sensitive data.