There are many laws and regulations that dictate how and when you can store customer data, especially historic customer data and that of the sensitive kind. Here are a few that you need to be aware of…
General Data Protection Regulation (GDPR)
Under GDPR, individuals have the following rights:
- the right to be informed
- the right of rectification
- the right to access their data
- the right to restrict processing
- the right of erasure
- the right to data portability
- the right to object
GDPR does not dictate how long you can store legacy customer data; this is up to the organisation and how long it considers acceptable to store it.
EU-U.S. Data Privacy Framework
The previously used Privacy Shield framework was invalidated by the Schrems II court case in the EU, but it is still a recognised framework in the U.S. for organisations that have self-certified. This means that organisations sharing data from the EU into the U.S. must still partially abide by this framework. This isn’t an EU law, but it is definitely something to be aware of in 2023 if your organisation shares data between international regions or with U.S. partners.
It is likely that organisations in the EU will need to be compliant with this regulation by 2025, as it may come into force in 2023 with a 24-month transition period.
This regulation dictates additional privacy rules for electronic communications across digital platforms such as WhatsApp, Facebook Messenger and Skype. If you use these platforms for customer interaction and you store transcripts or chat logs, make sure you read up on this regulation in 2023.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a security framework ensuring that organisations that accept, process, store or transmit credit card information maintain a secure environment for this data and for the transaction itself.
This framework was launched in the mid-noughties so you should already have this covered. If you’re launching a new business, we’d be happy to have a chat with you about how to ensure you are compliant with PCI DSS.
UK Data Protection Act
This act was passed in 2018, and it dictates that organisations that work with customer data follow strict rules called ‘data protection principles’.
All customer information that is processed and stored must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There are additional legal requirements if the information is sensitive, and further safeguarding measures for criminal offence and conviction data.
Although there is not a specific timeframe on how long organisations are allowed to store legacy customer data, this law does specify that organisations must not keep customer data for any longer than is necessary.
Information Privacy Act 2014
The Information Privacy Act 2014 (ACT) commenced in 2014 and introduced new privacy laws for public sector agencies in the Australian Capital Territory. This act sets out standards for handling personal information, including the rights and obligations for the collection, use, disclosure, storage, accessing and correction of personal information.
The act allows an individual to:
- know why their personal information is being collected
- know how their data will be used
- know who is going to have access to or view their data
- have the option of using an alias or pseudonym to avoid personal identification
- ask for access to their personal information
- ask for incorrect personal information to be corrected
- make a complaint about an agency or contractor covered by the Information Privacy Act, if they think the agency or contractor has mishandled their personal information
The Notifiable Data Breaches scheme
The NDB scheme came into force in 2018 and requires any Australian organisation with an annual turnover of $3 million or more that is covered by the Privacy Act to personally notify any individuals likely to be at risk of serious harm from a data breach. The offending organisation must advise the individual on remedial and safety steps to protect themselves in response to the data breach.
There are many more data privacy laws and pieces of legislation. The important thing is to research the laws that apply to you and your organisation to avoid any legal problems in the future. LiquidVoice are able to support you in understanding compliance requirements and in achieving these standards, but do not take responsibility for organisations breaking these laws.
Find out how we can support your organisation with a data compliance solution: https://www.liquidvoice.com/compliant-recording/