Introduction

Handling data safely

Good accounts and up-to-date systems only help if you are also careful in your daily actions: how you share something, what is on your desk, what is still sitting in a mailbox somewhere, and what agreements apply in your organisation.

What you will learn in this module
  • How to share data safely and which channels to avoid
  • Why paper documents and your workspace are part of the protection
  • How long you may retain data and what to do with the code of conduct

Sharing safely

The right channel for the right message

A quick message is easy, but not every channel is suitable for personal data. Rule of thumb: the more sensitive the information, the more carefully you choose the channel.

  • WhatsApp and SMS are handy for arrangements, but they are not a work tool for customer or staff data. Messages often end up on colleagues’ personal devices, stay in someone’s chat history for years, and the line between work and private blurs.
  • Personal email (Gmail, Hotmail): never use it for work data. Always use your business email.
  • Work email is usually good enough, but be careful with placing several names in the TO and CC fields. Use BCC for mailings to multiple customers to protect their privacy.
  • Business collaboration tools (Microsoft Teams, Google Workspace, a shared folder) are usually the safest, because access and logging are set up professionally.
  • Very sensitive data (health, financial, staff records, copies of an ID) belongs in a tool that is specifically built for it and approved by your organisation. Think of an HR system, a customer or case portal, or a secured document tool (Box, Tresorit, ShareFile, an in-house vault), not a “temporary folder” or an ad-hoc solution. Unsure which channel goes with which data? Ask; that is not overkill, that is professionalism.
Read more in the knowledge base: WhatsApp and personal data

WhatsApp looks innocent, but for customer or staff data the risk is high. Read in the knowledge base why, and which alternatives are a better fit.

Paper and clean desk

We often forget paper, but it counts

A data breach does not always start in a system. A file left open, a printout in the printer, a note in the bin: all just as visible to anyone passing by.

  • Clean desk: clear away files with personal data when you leave your workstation. Store sensitive items in a locked cabinet or drawer.
  • Lock your screen the moment you stand up. One key combination is enough (Windows key + L on Windows, Control + Command + Q on Mac).
  • Print deliberately: collect your printouts straight away. A forgotten printout in a shared printer is a breach waiting to happen.
  • Destroy: old documents with personal data go through the shredder, not just in the paper bin.
Read more in the knowledge base: Securing paper documents

The GDPR makes no distinction between digital and paper personal data. A file on your desk counts just as much.

Retention periods

Do not keep longer than needed

One of the pillars of the GDPR is that you do not keep personal data longer than necessary for the purpose for which you collected it. What you still have can also still leak.

In practice:

  • Applicants you do not hire: delete after a reasonable period (often 2 years with consent).
  • Customer data: keep as long as the relationship lasts and as long as tax or legal periods require (accounts usually 6 years in the UK), then clean up.
  • Employee records: according to the statutory retention period after leaving employment.
  • Temporary files in your downloads, on your desktop, in your mailbox: clean up regularly, even if they seem unimportant.
Cleaning up is also securing

The less old personal data you have lying around, the less can leak. A short annual “clean-up” of shared folders and mailboxes takes little effort and noticeably reduces your risk.

Code of conduct

The code of conduct, your house rules

Many organisations have a privacy code of conduct (an internal guideline that bundles agreements about how staff handle personal data: which channels to use, which data you share and with whom, what to do in an incident; it is not a legal obligation, but it is a strong way to make expectations clear and encourage consistent behaviour) or a privacy charter that bundles the agreements: which tools you may use, which data you share with whom, and what to do in an incident.

  • Read it at least once when you join or when it is revised.
  • When in doubt, it is your reference point: it describes what is expected of you.
  • Does your organisation not have one? This may be a good moment to put the topic on the table.
Read more in the knowledge base: Privacy code of conduct

A short, readable code of conduct works better than a thick handbook no one opens. The knowledge base explains what belongs in it and how to draft one.

What do you do?

A customer address via WhatsApp?

A colleague driver sends you a WhatsApp message: they are at the wrong door and quickly need the address of customer Jenkins.

What do you do?

What do you do?

Just popping out for a coffee

You are working on a customer file at a shared workspace. A colleague waves that they are heading to the coffee machine and you fancy the same. You stand up to go with them. The file is open on your desk, your laptop is on and not locked.

What do you do before you leave?

Practice · question 1 of 2
(Just practice, this does not count toward your certificate.)
Why is WhatsApp better not used for customer or staff data?
Correct: WhatsApp is handy, but not suitable for customer or staff data. The messages end up on personal devices, including those of colleagues, and fall outside the normal management of your organisation. Use business channels such as Teams, your work email, or your own system.
Practice · question 2 of 2
What does the GDPR say about how long you may retain personal data?
Correct: not retaining longer than necessary is one of the core rules of the GDPR. Some statutory retention periods (accounting, staff) require a minimum duration, but beyond that you clean up. What you no longer have cannot leak.
Summary

What you take away from module 4

  • Choose the right channel for the right message. WhatsApp and personal email are not a work tool for customer or staff data.
  • Paper counts just as much under the GDPR. Clean desk, cleaning up, screen lock, and deliberate printing all belong to it.
  • Do not keep longer than needed. What you no longer have cannot leak.
  • A code of conduct bundles your agreements and gives a reference when in doubt. Read it at least once.
  • Many small habits together make a big difference in your daily exposure.

Module complete

Module 4 complete 🎉

Going well. You know how to share data safely, respect paper, and not keep more than needed. In module 5 we close out with what to do when something does go wrong: spotting and reporting a data breach quickly.

4 of 6 modules

On your way to your “Security awareness” certificate

Complete all 6 modules and pass the final exam (at least 70%) to receive a personal certificate of attendance in your name.

Modules 1-4 complete · Module 5 · Final exam ≥ 70%