How To Be GDPR Compliant With Track and Trace

With the government’s easing of lockdown in June, there have been many questions regarding the compulsory Track and Trace policy. GDPR has been a confusing issue for some businesses for years. Many are still unsure if they are GDPR compliant regardless of new Covid-19 policies. We have got it all covered for you, to ensure that regardless of what industry you are in, you can remain GDPR compliant.

What is Track and Trace?

Track and Trace is the term used for the NHS and UK Government’s new policies of monitoring the spread of Covid-19 within the UK, officially called ‘Test and Trace’. It makes it compulsory for different businesses from a variety of industries to store their customers contact information. The businesses then store this information for a prolonged period of time. If in the event that someone who has been in a business and has contracted Covid-19 then the NHS may get in contact with you and request this information to be sent to them. In the collection of this information GDPR compliance is a legal requirement and there are specific steps to follow.

Collect Customer AND Staff Information

As well as collecting the information of the customers it is vital to collect the information of your staff. While you may think that this information is easy to maintain, lots of independent businesses may not be retaining all the required information that is needed. With that being said make sure that both sets of information are GDPR compliant.

Woman office worker typing on the keyboard

Collect Only Relevant Information

The information that you collect from both customers and staff doesn’t need to be extensive and certainly doesn’t need to be more personal than usual data collection. Keep the information you collect simple, their name, emails, contact number and their time of arrival and departure in your business. Having other data being collected can be seen as invasive and reflect poorly on your business.

Store Your Data Appropriately

When you collect your data from staff or customers make sure that all this information has been organised properly. This information is important if required so ensure that it is all correct. As well as this, you must store this data securely, meaning that you should make sure this information cannot be seen by other customers or anyone that is not in charge of keeping these records. The customers are not bound by law to give their information to you, so by giving it to you they are trusting that you can keep it secure. A breach of this information is obviously not GDPR compliant, further showing its importance.

Man storing information for track and trace to be GDPR compliant

Use Your Data Professionally

When you have this information collected, there are a few ways that the use of this data can fail your compliance. If you are a business, such as in the hospitality sector and you use that information within your company data collection; as long as you are GDPR compliant, you are free to continue to store and use that information. However, if you are a business that does not use that type of data and are only collecting this data for the purpose of Track and Trace, then you cannot use or keep this information in any other way and must dispose of it after the required length of time has been reached. It must not be used for general marketing and other opportunistic ways that fall outside of contact collection. If so, you are not GDPR compliant. A business that would use this information for marketing purposes as well must make this known at the time the information is collected. Customers are likely to be upset if they find this data being misused and will reflect poorly on your business.

Maintain Your Data For The Correct Period of Time

While the incubation period of catching Covid-19 is 14 days, the Government is making it a requirement to keep hold of this data for 21 days. If you have kept records or data for other business purposes then you do not have to dispose of your data after this set time. If there is any data that is collected for the sole purpose of Track and Trace then they must be properly disposed of after the 21 days.

Delete Your Data Properly

When you are deleting or disposing of the data you have collected you must make sure it is done in a specific way in order to comply with the government guidelines and to be GDPR compliant. If you have this data collected on a paper, then it must be shredded or disposed of to the extent where no information can be collected, simply throwing paper into a bin is not GDPR compliant. In regards to digital data, you must delete the documents permanently. Deleting files from your recycle bin and removing them from any cloud storage will keep you GDPR compliant, if any data can be recovered then this needs to be addressed and removed in order to be compliant.

At 6s Global we serve Government run businesses so we are well experienced in keeping GDPR compliant in line with new policies relating to Covid-19. If you are unsure about if your data collection is GDPR compliant then our services will be perfect for you. You can feel more secure and confident in your business if you know that you are compliant and we can give you this confidence hassle free. Book a call with us to see what we can do for you.

Alternatively, if you think you may have further queries about being GDPR compliant, we offer a free analysis which can help you determine this.