As a company, you handle personal data belonging to your customers and staff. You are required by law to safeguard that information and to ensure it is used properly. It is not always clear, however, what counts as personal information.
Keep in mind that the definition of personal data differs by country and jurisdiction. In general, personal data is any information that can be used to identify a person. This obviously includes a person's email address or telephone number, but it also covers any other data that can be linked to an individual and thereby identifies them: for example, a date of birth, a mother's maiden name, biometric data, passport and visa details, credit card numbers, and sensitive employment data (e.g. performance ratings and records of disciplinary proceedings).
The information must also allow other people to identify the individual. If it would be difficult for others to identify a person from the information, it is not considered personal data. This is the "practicability test".
The final step in deciding whether something is personal data is to confirm that it relates to a living, identifiable person. This does not apply to business documents such as invoices, orders or other records used purely for business purposes.
If sensitive personal data is lost, stolen or otherwise disclosed without authorization, the damage can be severe. It is crucial to educate employees about the importance of protecting sensitive PII. You must also take steps to secure the information when it is not in use, such as locking unattended computers and shredding paper documents. Regularly audit the PII held in your systems and restrict access to those with a business need for it.