Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, ‘personal data’ has become a big part of our work lives. You and your team may already know that it is important to handle personal data in a secure way but might not know how to put it into practice.
In this blog post, we discuss what personal data is according to the GDPR and the differences between general personal data and sensitive personal data. Finally, we give you concrete tips on how to handle personal data in a GDPR-compliant way.
Because the GDPR has now been in force for quite a few years, the effort to catch incorrect handling of personal data has increased. The same goes for the largest GDPR fines, which can be up to 4% of a company’s global revenue. Beyond fines, the insecure handling of personal data can also lead to identity theft, financial fraud, or invasion of privacy, and can have detrimental repercussions for your organisation.
Personal data in a nutshell
Personal data can briefly be described as information that can be used to identify a specific person. It includes information such as name, address, license plate, a job application, or a picture of a tattoo. It’s a very broad term, so this information is further categorized into either general or sensitive personal data.
General personal data may include personal identification details such as:
- Name
- Address
- Mobile number
- Date of birth
- Occupation
If personal data is categorized as sensitive, the GDPR requires much stricter handling, as improper handling of such data can also lead to more significant consequences. Therefore, it is important that your employees are able to identify sensitive personal data and exercise extra caution. Most sensitive personal data can be classified into one of the following categories:
- Race or ethnic origin
- Political, religious, or philosophical beliefs
- Trade union membership
- Genetic data/biometric data (e.g. fingerprints)
- Health information
- Sexual relationships or orientation
For many, these categories will seem obvious, but there are some surprising examples. A social security number, for instance, is not considered to be sensitive. The social security number belongs to a third category, namely confidential personal data. While not considered to be sensitive personal data, some countries govern confidential personal data with separate rules for how it is to be handled.
Documents with mixed types of personal data
The requirements of the GDPR can seem unclear if, for example, you receive a document that contains general, sensitive, and confidential data at the same time. Normally, you can quickly figure out how to process the information if you’re good at recognizing sensitive personal data. Take a CV, for instance. The majority of the information in a CV can be categorised as general personal information, such as name, address, telephone number, age, and work experience. At the same time, some educational and employment details may also be classified as confidential information. A rule of thumb for your employees is to start by identifying sensitive personal data when faced with these situations. If you find even a single piece of sensitive data, the entire document must be treated as sensitive personal data. This avoids having to separately process each piece of personal information.
The handling of personal data
Depending on the category that personal data belongs to, the GDPR also contains rules for how we obtain and process personal data. If the collecting and handling of personal data is part of your job, then you also need to understand the context and its lawful basis for the processing of personal data. Being aware of those factors will help ensure that you do not violate the regulations and recognise if your organisation has the required permissions to process personal data.
Tips to handle personal data
Although it may seem daunting to incorporate changes into your habits and work routine, it can go a long way just to remember these three tips:
- Know when you are processing general or sensitive personal data. When it comes to sensitive personal data, you should pay extra attention.
- Treat personal data as something you borrow. Take care of it, return it when finished, and do not lend it out to others. In practice, this means keeping it safe, deleting it when you are done, and never passing it on to other people.
- If you are in doubt about how personal data should be handled in your organisation, ask the person in charge, e.g., your DPO.
Technical solutions are important for tackling issues within IT, but it is just as important for people in your organisation to be aware and handle data properly. Your team’s knowledge and diligence are crucial for your information security.
In this blog, we provided some insight into what personal data is and why you need to be careful when handling it. But when it comes to handling personal data, it is not enough that only one person in the organisation knows what to do: everybody in the organisation must feel confident that they can properly process personal data without risking a hefty fine for the organisation.
At CyberPilot, we offer multiple different courses from protecting personal data to safe treatment of sensitive information. Awareness training provides a solid foundation to GDPR compliance and having a strong information security culture in your organisation.