Collecting personal data? Stay on the right side of the law
The Cambridge Analytica controversy has raised a lot of questions about collecting and using personal information for business purposes.
Companies, clubs, churches and other organizations that use text messaging as part of their communications strategy routinely collect information from customers as well as prospects. Mobile numbers, names and sales records are just the tip of the iceberg.
A new law in the European Union called the General Data Protection Regulation (GDPR) will affect businesses and organizations in the U.S. If your organization sells products or services in the EU, or even communicates with people there, you will have to comply with it.
Know what information you are collecting
Even if your organization does not actively seek and collect personal data, you probably have a lot stored. If you’ve ever had a survey on your website or asked people to text their preferences to you, you have collected some personal information. Credit card details, sales or other transaction records, and any credit records count as personal information too. Review your communications and marketing policies and records for a clear picture of the personal information you have stored.
U.S. laws require organizations to give people the ability to opt out of data collection, to unsubscribe or otherwise stop receiving emails or text messages. The EU law goes a step further, requiring organizations to ask for permission to send in the first place.
Whenever you ask for a name, mobile number or email address, include a check box that says something to the effect of: “Check here if you would like to receive communications from us.” Also, make sure that every communication you send out, by email, text or other means, presents the option to unsubscribe or be deleted from the list.
Protect confidential information
People are understandably alarmed when personal information is stolen from large retailers or other firms. Protect personal data with encryption and passwords. If you publish or share such information, even internally, separate identifying data (e.g., names, addresses, numbers) from sales or other transaction data, so that the transaction data can be worked with on its own.
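The two practices above, separating identifying data from transaction data and keeping an opt-in/unsubscribe flag that is checked before every send, can be demonstrated together in a small script. The following is an added example and not code from the article: it assumes a keyed hash (HMAC-SHA256 under a secret key held outside the data set) as the link between the two tables, and the customer records are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, as a text-marketing system might store them
# before any separation: identity, consent and sales data all in one row.
RAW_RECORDS = [
    {"name": "Ada Example", "mobile": "+15550100001", "opt_in": True, "item": "jersey", "amount": 40.00},
    {"name": "Ben Example", "mobile": "+15550100002", "opt_in": False, "item": "tickets", "amount": 25.00},
    {"name": "Ada Example", "mobile": "+15550100001", "opt_in": True, "item": "scarf", "amount": 15.00},
]

# Assumption: in a real deployment this key is loaded from a secrets store and
# never written next to the data. A fresh random key is generated here so the
# example runs stand-alone.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(mobile: str, key: bytes) -> str:
    """Keyed hash of the mobile number (HMAC-SHA256, truncated to 16 hex chars).

    The same number always maps to the same token, so one person's purchases
    still link together; without the key the token cannot be reversed, and an
    unkeyed brute force over all phone numbers does not work either."""
    return hmac.new(key, mobile.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def split_records(records, key):
    """Split mixed rows into an identity table and a transaction table.

    identities: token -> name, mobile and consent flags (the confidential part)
    transactions: rows holding only the token plus sales data (shareable part)"""
    identities = {}
    transactions = []
    for row in records:
        token = pseudonym(row["mobile"], key)
        identities.setdefault(token, {
            "name": row["name"],
            "mobile": row["mobile"],
            "opt_in": row["opt_in"],
            "unsubscribed": False,
        })
        transactions.append({"token": token, "item": row["item"], "amount": row["amount"]})
    return identities, transactions


def contains_identifiers(transactions) -> bool:
    """Check that no identifying field leaked into the shareable table."""
    return any(field in t for t in transactions for field in ("name", "mobile"))


def spend_by_token(transactions):
    """Sales reporting that needs only the transaction table, never the identities."""
    totals = {}
    for t in transactions:
        totals[t["token"]] = round(totals.get(t["token"], 0.0) + t["amount"], 2)
    return totals


def unsubscribe(identities, token):
    """Record an unsubscribe request; the flag is honoured on every later send."""
    identities[token]["unsubscribed"] = True


def campaign_recipients(identities):
    """Only people who ticked the opt-in box and have not since unsubscribed."""
    return sorted(tok for tok, ident in identities.items()
                  if ident["opt_in"] and not ident["unsubscribed"])


if __name__ == "__main__":
    ids, txs = split_records(RAW_RECORDS, PSEUDONYM_KEY)
    print("identifiers in transaction table:", contains_identifiers(txs))
    print("spend per token:", spend_by_token(txs))
    print("recipients before unsubscribe:", campaign_recipients(ids))
    unsubscribe(ids, campaign_recipients(ids)[0])
    print("recipients after unsubscribe:", campaign_recipients(ids))
```

The transaction table can be handed to a sales analyst or a reporting tool without exposing a single name or number; only the holder of the identity table and the key can turn a token back into a person, and that table is the one that gets the encryption and access controls.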
Regularly review your organization’s data collection and retention practices, and make sure your data protection systems are ahead of the hackers.