Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, ‘personal data’ has become a big part of our work lives. You and your team may already know that it is important to handle personal data in a secure way but might not know how to put it into practice.
In this blog post, we discuss what personal data is according to the GDPR and the differences between general personal data and sensitive personal data. Finally, we give you concrete tips on how to handle personal data in a GDPR-compliant way.
Because the GDPR has now been in force for quite a few years, enforcement against the incorrect handling of personal data has increased. The same goes for the size of the fines, which can be up to 4% of a company’s global revenue. Beyond fines, the insecure handling of personal data can also lead to identity theft, financial fraud, invasion of privacy, and other detrimental repercussions for your organisation.
Personal data can briefly be described as information that can be used to identify a specific person. It includes information such as name, address, license plate, a job application, or a picture of a tattoo. It’s a very broad term, so this information is further categorized into either general or sensitive personal data.
General personal data may include personal identification details such as:
If personal data is categorized as sensitive, the GDPR requires much stricter handling, as improper handling of such data can also lead to more significant consequences. Therefore, it is important that your employees are able to identify sensitive personal data and exercise extra caution. Most sensitive personal data can be classified into one of the following categories:
For many, these categories will seem obvious, but there are some surprising examples. A social security number, for instance, is not considered to be sensitive. The social security number belongs to a third category – namely confidential personal data. While not considered to be sensitive personal data, some countries govern confidential personal data with separate rules for how it is to be handled.
The requirements of the GDPR can seem unclear if, for example, you receive a document that contains general, sensitive, and confidential data at the same time. Normally, you can quickly figure out how to process the information if you’re good at recognising sensitive personal data. Take a CV, for instance. The majority of the information in a CV can be categorised as general personal data, such as name, address, telephone number, age, and work experience. At the same time, some educational and employment details may also be classified as confidential information. A rule of thumb for your employees is to start by identifying sensitive personal data when faced with these situations. If you find even a single piece of sensitive data, the entire document must be treated as sensitive personal data. This avoids having to separately process each piece of personal information.
Depending on the category that personal data belongs to, the GDPR also contains rules for how we obtain and process personal data. If the collecting and handling of personal data is part of your job, then you also need to understand the context and its lawful basis for the processing of personal data. Being aware of those factors will help ensure that you do not violate the regulations and recognise if your organisation has the required permissions to process personal data.
Although it may seem daunting to incorporate changes into your habits and work routine, it can go a long way just to remember three simple steps:
Technical solutions are important for tackling issues within IT, but it is just as important for people in your organisation to be aware and handle data properly. Your team’s knowledge and diligence are crucial for your information security.
In this blog post, we provided some insight into what personal data is and why you need to be careful when handling it. But when it comes to handling personal data, it is not enough that only one person in the organisation knows what to do – everybody in the organisation must feel confident that they can properly process personal data without risking a hefty fine for the organisation.
At CyberPilot, we offer an awareness training e-learning course where your team can learn about how to handle personal data. Awareness training also provides a solid foundation to GDPR compliance and having a strong information security culture in your organisation. You can try it free for 3 months.