Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, ‘personal data’ has become a buzzword. Your employees will probably know that it is important to handle personal data in a secure way, but might not actually know how to do it.
In our blog post Personal data for beginners, we spoke a bit about how to safely handle personal data. In this blog post, we will elaborate on what personal data is, what types of personal data are available, and how to handle situations with mixed types of personal data.
Personal data can briefly be described as information that can be used to identify a specific person. It includes information such as name, address, license plate, a job application, or a picture of a tattoo. It’s a very broad term, so this information is further categorized into either general or sensitive personal data.
General personal data may include personal identification details such as:
If personal data is categorized as sensitive, the GDPR requires much stricter handling, as improper handling of such data can also lead to more significant consequences. Therefore, it is important that your employees are able to identify sensitive personal data and exercise extra caution. Most sensitive personal data can be classified into one of the following categories:
For many, these categories will seem obvious, but there are some surprising examples. A social security number, for instance, is not considered to be sensitive. The social security number belongs to a third category – namely confidential personal data. While not considered sensitive personal data, some countries govern it with separate rules for how it is to be handled.
The requirements of the GDPR can seem unclear if, for example, you receive a document that contains general, sensitive, and confidential data all at once. Normally, you can quickly figure out how to process the information if you are good at recognizing sensitive personal data. Take a CV, for instance. The majority of the information in a CV can be categorized as general personal data, such as name, address, telephone number, age, and work experience. At the same time, some educational and employment details may also be classified as confidential information. A rule of thumb for your employees is to start by identifying sensitive personal data when faced with these situations. If you find even a single piece of sensitive data, the entire document must be treated as sensitive personal data. This avoids having to separately process each piece of personal information.
Depending on the category that personal data belongs to, the GDPR also contains rules for the situations in which it may be processed. We will not go into depth on these rules in this blog post, but if you are interested, you can read much more about them in the GDPR itself. This will help you to ensure that you do not violate the regulations yourself and to recognize whether organizations have the required permissions to process your own personal data.
Employees’ knowledge and diligence are crucial for your IT security. CyberPilot offers awareness training which trains employees in IT security and good data processing. With our awareness training, you will achieve a higher level of security and secure a good foundation for compliance with the GDPR.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.