Businesses need to hold a range of information on customers, staff and the business itself. It is essential to ensure that this information is protected and as secure as possible. Any business holding information must also be sure that they are meeting the terms laid out in the Data Protection Act 1998.
When managing customer data you need to consider the following areas:
Make sure you and your staff are aware of the Data Protection Act 1998. The Act governs the collection and storage of personal information and addresses possible abuse of the systems that hold it.
A self-assessment guide (PDF) explaining whether or not you need to register is on the Information Commissioner's website. If you are still uncertain, check with the Information Commissioner, who enforces the Data Protection Act.
There are eight principles of data protection and anyone processing personal data must comply with them. These state that data must be:
A more comprehensive definition of these principles is on the website of the Information Commissioner's Office.
You must be clear as to the type of information you wish to store on customers or potential customers and why, eg name, address and any other personal details. This includes information collected electronically, eg from e-commerce transactions. Make sure that you take the data protection principles into account when storing customer data.
You need to ensure that any customer information is stored securely. Manual (paper) data is vulnerable to accidents such as fire or flood and, if stored in a basement, can be damaged by rodents, damp or vandals. Electronic information stored on floppy discs, CD-ROMs etc is easily stolen, fire damaged or corrupted. Practical security should also be considered. For example, it is pointless storing sensitive documents in a safe if the keys are left lying around or anyone can access the information stored.
A risk evaluation should be carried out to ensure that security systems are in place to protect data. For example, it may be decided not to give out client details over the phone; part of the security system would then be ensuring that all staff are aware of this policy.
Storing or archiving all of the business correspondence and documentation can be time consuming and make retrieval difficult, so you must have systems in place to manage data storage and retrieval. Make sure there is minimum duplication of customer information between, for example, the accounts system and a customer database. This helps manage the customer data and comply with data protection law.
Businesses should always back up or copy essential data, as damage to files can mean the loss of essential information, including data on sales and market predictions or the business's financial records.
Staff should receive training in the business's data protection policies and understand the reasons behind confidentiality procedures.