Since the GDPR took effect in 2018, the use of the term ‘personal data’ has exploded. It has been all over the news and social media, and you have probably had to change some practices in your workplace. Around that same time, you also received emails from every company you have dealt with explaining how they process your personal data. We know that it can be confusing to know what personal data is and how to deal with it. In this blog post, we explain how it can be relevant to you, and what you can do to avoid personal data violations.
In the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (the ‘data subject’). In practice, this means that if the data can directly or indirectly be linked to a specific person, on its own or in combination with other information, then it is personal data.
It is also important to point out that this does not only apply to textual information: photos, audio recordings, and videos of a person are personal data too. To illustrate the broad range of things that can be considered personal data, here is a list that only scratches the surface:
As you can see, personal data can be almost anything about a person. Some personal data is more sensitive in nature and therefore requires a higher level of protection. Personal data can be classed as either general personal data or sensitive personal data (what the GDPR calls ‘special categories of personal data’ in Article 9).
Information such as name, gender, address and e-mail is considered ‘general’ personal data, whereas information about a person’s political or religious beliefs, ethnic background, health, or membership in a trade union is considered ‘sensitive’ personal data.
Knowing which category a piece of information belongs in will seem obvious to some, but it can be difficult at times. To the surprise of some, social security numbers (national identification numbers) are actually considered general personal data under the GDPR, not sensitive data. However, many countries have specific national rules for these numbers, so in practice they may as well be treated like sensitive personal data.
When working with personal data, you should be aware of which category it belongs in, because the GDPR has much stricter rules for the processing of sensitive data. If you are unsure, the best thing to do is to talk to your Data Protection Officer (DPO). Your next best option is an information security officer in your company or the IT department.
Since the regulation came into force, enforcement against the incorrect handling of personal data has increased. The same goes for the size of the fines, which can be up to €20 million or 4% of a company’s total worldwide annual turnover, whichever is higher. Fines are not the only consequence of insecure handling of personal data, however. It can also lead to identity theft, financial fraud, and invasion of privacy for the people affected, and to other detrimental repercussions for your organization.
In this blog post, we have provided some insight into what personal data is and why you need to be careful when handling it. Although it may seem daunting to incorporate changes into your habits and work routine, it goes a long way just to remember three simple steps:
Technical solutions are important for tackling IT security issues, but it is just as important for the people in your organization to be aware of the risks and to handle data properly.
Employees’ knowledge and diligence are crucial for your IT security. CyberPilot offers awareness training which trains employees in IT security and good data processing. With our awareness training, you will achieve a higher level of security and secure a good foundation for compliance with the GDPR.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.