Are you allowed to be any less scrupulous with personal data during a crisis than you are during day-to-day operations?
From a legal perspective, the answer is clearly no. You're not free from adhering to data protection regulations just because your organisation has been hit by an unexpected incident. Nevertheless, few businesses have the necessary processes in place to protect sensitive information during an emergency, leading to difficulties with regulatory compliance and effective data protection.
In this blog post, I will show you how to prepare ahead of an incident, leaving you free to focus on managing the crisis effectively rather than worrying about protecting the personal data of both your customers and staff.
What is Data Protection?
Data protection laws are in place to give the public control over how organisations use their private and personal data. This includes, but isn't limited to, personally identifiable information (PPI) which relates to any data that can be linked to a specific individual, such as addresses, dates of birth, email addresses, phone numbers and so on. Whenever this data is stored or shared by a company, the handling of that information must be compliant with the law and any additional industry specific standards.
You must be explicit about how you intend to use PII when it's collected. These regulations are widely-accepted in Europe under GDPR and apply to all forms of personal data, regardless of whether it's stored electronically or as a hard copy.
Structure is at the Heart of Data Protection
It's important to develop and implement internal processes for collecting and handling personal information before an incident occurs. After all, when the unexpected happens, it is too late to make plans there and then.
In practical terms, this could be a table such as the one below which states the nature of the data being collected and clearly explains the reasons for processing it.
Precise and extensive data collection is essential, but you need to ensure that the information you collect is specific and truly useful to your organisation. It's virtually impossible to document the intention behind your work in retrospect, so make sure you take continuous notes. That said, the most crucial aspect of data protection isn't where you store the information, but that you store it securely and protect it from cyber criminals.
The Two Golden Rules of Handling Private Data
There are two golden rules for work involving data protection, and any responsible organisation should adhere to them.
DATA Privacy is a Management ResponsibilityProtecting private data is a solemn duty and the responsibility of management. The organisation must comply with data protection laws and regulations to protect itself from financial reputational damage. Shirking responsibility for this is not an option.
Implement data protection policies in existing management systemsMany organisations work in silos, not often communicating between departments. But, protecting private data requires a company-wide focus and effort. Ensure your organisation's data protection policies are communicated to, and supported by, all departments.
- If you use a data processor, you need a data processing agreement.
- Only collect information you need and in the smallest quantities possible.
- Everyone has the right to view all personal information you hold about them. Your organisation must be prepared to deliver this upon request.
What Happens After the Crisis?
If you've sufficiently planned ahead, you will have already gained permission from individuals whose PII you need to collect. However, if you've failed to prepare, this isn't always possible during a crisis. Put processes in place to ensure that you receive permission from those involved as soon as is practical after an incident.
You should also create a process for reviewing information after it has been registered. It's highly likely that you’ll make errors during a chaotic situation and these must be corrected. If you find that any personal data you have in your database is no longer of use, delete it to ensure you remain compliant.
Broadly speaking, there's nothing inherently wrong with sharing information. In fact, it's the only way you can achieve situational awareness. However, you must always review your data collection and data security processes before and after a response to a crisis.
As with many aspects of crisis management, planning and preparation is everything. Spend time getting your data protection procedures in place before an incident strikes and you'll not have to spend valuable time during crisis management concerned with being compliant.