Last updated: 2026-04-06

Employee Responsibilities

Everyone who handles personal data plays a role in privacy compliance. This section covers what you need to do.

General Responsibilities

Data Access

  • Access only the personal data you need for your current task
  • Do not browse customer records out of curiosity
  • Log out of systems when stepping away
  • Do not share login credentials

Data Handling

  • Follow documented procedures for processing personal data
  • Do not email personal data unless encrypted or through approved channels
  • Do not copy personal data to personal devices or cloud storage
  • Delete or return personal data when no longer needed

Security Practices

  • Use strong, unique passwords for each system
  • Enable multi-factor authentication where available
  • Lock your screen when leaving your desk
  • Report suspicious emails to IT before clicking links
  • Keep software updated

When Something Goes Wrong

Report immediately to your Data Protection Officer or manager if:

  • You sent data to the wrong person
  • You notice unauthorized access to systems
  • You lose a device containing personal data
  • You suspect a security breach
  • A customer or colleague reports a privacy concern

Speed matters. Early reporting limits damage and helps meet regulatory notification deadlines.

Role-Specific Guidance

Marketing Teams

Before sending communications:

  • Verify you have a valid legal basis (usually consent or legitimate interest)
  • Check opt-out records are up to date
  • Include clear unsubscribe options
  • Keep records of consent collection

When buying or renting lists:

  • Verify the source has valid consent for sharing
  • Document due diligence
  • Consult your privacy team before proceeding

Sales Teams

During prospecting:

  • Know your legal basis for outreach
  • Respect opt-out requests immediately
  • Do not add personal contacts to marketing lists without consent

When collecting information:

  • Only collect what you need
  • Explain how information will be used
  • Note consent or other legal basis in your CRM

Customer Service

Handling customer requests:

  • Verify identity before disclosing personal information
  • Recognize data subject rights requests (access, deletion, correction)
  • Know your escalation path for complex requests
  • Document all interactions related to privacy

Common rights requests to recognize:

  • "What data do you have about me?"
  • "Delete my account and all my data"
  • "Stop sending me marketing emails"
  • "Give me a copy of my information"

IT and Engineering

System design:

  • Apply privacy by design principles
  • Minimize data collection in new systems
  • Implement access controls based on role
  • Encrypt sensitive data at rest and in transit

Operations:

  • Maintain audit logs for data access
  • Monitor for unauthorized access attempts
  • Support incident response when needed
  • Implement data retention automation

Third-party integrations:

  • Assess privacy implications before adding new tools
  • Ensure Data Processing Agreements are in place
  • Limit data sharing to what is necessary

HR Teams

Employee data:

  • Collect only necessary employment information
  • Limit access to personnel files
  • Apply retention periods to employee records
  • Handle employee data requests (current and former employees)

Quick Reference: What to Do

Situation | Action
Customer asks for their data | Escalate to privacy team or use Dxtra rights request workflow
Accidental email to wrong person | Report to DPO immediately, attempt recall if possible
Suspicious email received | Forward to IT, do not click links
Request from someone claiming to be law enforcement | Escalate to legal team before responding
Coworker asks you to look up customer information for personal reasons | Refuse and report to manager
