By PlanetVerify on 22 June 2020
Personal information is becoming more… personal… than ever and keeping information safe is becoming more problematic. Where once upon a time, customers may have been surprised if a company asked for their email address, businesses now know the granular detail of customers’ and employees’ lives, sometimes down to their blood types, vehicle registration numbers and IP addresses.
Join us as we discuss the how and why of personal data and its expanding reach, and how to protect personal information online.
What counts as personal information?
Personal information is just that – private, confidential, sensitive information that companies have on their files regarding their employees and/or customers. Not only does this mean data explicitly linked to a person’s identity, like their name and date of birth; it also covers any additional information that could be linked to the person through combination with other data.
So, if a company holds data on a person’s online behaviour which is not explicitly linked to their name, that information could still be classed as personal information if it can be associated with payment details, IP addresses, or any other data that could reveal a person’s identity.
In a nutshell, it’s good practice to think of any data relating to a person as personal information.
How the scope of personal data has changed
Traditionally, details like names, addresses, phone numbers and social security numbers were considered the standard forms of personal information, along with payment information such as card details and bank account numbers.
As the internet has grown more central to B2C and B2E relationships, that list has grown to include information used in digital interactions, such as email addresses, IP addresses, device types and login details.
Many companies are now adding to these basic personal identifiers with finer personal details, such as GPS locations, online activity, biometric data, blood types and health vital signs. This trend has been driven by the proliferation of devices and digital tools capable of recording detailed personal information, from smartphones and fitness trackers to browser cookies and web analytics applications.
There’s often a fair justification for collecting in-depth user data. For instance, a medical or fitness app will often require a person’s biometric data and vital signs in order to do its job.
In some cases, the expanding reach of personal information has enabled businesses to know more about a person than that person’s own relatives know. A classic example is the case of an American father who found out his teenage daughter was pregnant via a piece of direct mail sent by Target. The retailer’s automated marketing system had sent her coupons for baby clothes and cribs after recognising patterns in her buying behaviour that indicated she might be having a baby.
There is undeniably an ethically questionable side to how some companies are gathering and using personal information. For instance, certain companies in the United States have reportedly used CCTV images in combination with a vehicle licence database to map out where people have been.
Another contentious practice which is common throughout the digital world is the use of heatmap software, which can tell the owner of a website exactly how its visitors have used the site, down to which parts of the page they hovered their cursors over. Some would call this a useful tool for helping websites serve their visitors better; others might call it invasive.
Why are companies collecting more personal data?
Collecting detailed personal data is both an opportunity and an obligation for businesses.
Several types of personal data – especially customer behaviour and employee performance data – can help businesses optimise their processes, do better marketing and make more sales. For example:
- If we can look at Employee A’s task completion data from project management software, we can get some indication as to whether their productivity has changed over time. If productivity is up, the employee can be rewarded; if it’s down, they can be offered guidance.
- If we can review Customer Z’s purchase history in our store, we can identify items that the customer buys regularly, and tailor our marketing to them accordingly.
- If we can see Customer Y lodged two complaints in the last two months, we can identify that making a courtesy call in the next month will likely help get their experience back on track.
In each example, personal data that goes far beyond traditional identifiers helps achieve a positive outcome for all parties.
Storing personal information can also be about compliance. For example, under the UK Data Protection Act, HR departments are required to keep the following records on their employees:
- Accident Records: Minimum of 3 years since the last entry, or potentially longer if a child was involved in the accident.
- Income Tax and NI: Minimum of 3 years from the end of the relevant financial year.
- Maternity and Paternity: Minimum of 3 years from the end of the tax year in which the leave ends.
- Salary and Pay: Minimum of 6 years.
- Working Time: 2 years.
Businesses throughout the developed world are tasked with storing personal details like these in order to comply with applicable legislation.
Why personal data is a challenge as well as an opportunity for companies
Whatever personal information a company collects, and however that information is used, the data needs to be stored securely. This requirement has become ever more of a challenge for companies as the volume and range of data collection have increased. We’re no longer talking about basic personal identifiers channelled through a handful of data sources; we’re talking about lots of different forms of data, collected through multiple sources and device types.
And as the challenge of safe data storage has become more severe for businesses, the opportunities for cyber-criminals to hack into data have become more numerous. From data breaches affecting tens of millions of customers in the retail and hospitality sectors to cyber-attacks targeting HR records and accounts, the threats to personal data have grown in step with our use of it. This is an especially pronounced risk for HR departments using legacy information transfer channels such as phone and email, where candidate data is typically spread across multiple user accounts, communication devices and databases. Based on PlanetVerify client feedback, using these non-automated processes entails an average of 2-3 chase-up phone calls or emails per job applicant in order to secure the data and documents needed for the application, meaning their personal identification ends up scattered across multiple communication channels.
As we’ve seen, the expanding reach of personal data has helped businesses operate more effectively in a variety of ways. It’s important, however, for businesses to note that there’s a trade-off involved here. Yes, you can sell more and work better with the help of detailed personal data – but these benefits bring with them the responsibility to invest a share of your gains into increased resources and smarter solutions for keeping personal data safe. Not only is this the best policy for your company’s security and reputation; it’s what customers expect.
If you’re looking to make your company’s personal data handling more secure, we suggest you take a look at our ebook, HR Guide to Hiring in the Gig Economy, which is available as a free download. Some of its contents are specific to HR professionals and gig workers, but it also contains plenty of advice that could help any company or team tighten up their approach to personal data.