GDPR makes the management of personal data crucial for all organisations. And when it comes to the definition of ‘personal data’, it’s detailed and prescriptive. Here’s how to take control of the personally identifiable information you handle:
Control where your data is and how it’s stored, shared and accessed
What is Personally Identifiable Information?
Every piece of data or information that can be used to identify an individual is personally identifiable information (PII). This includes:
- email addresses
- phone numbers
- social security numbers
- an IP address
- a user name
- a login ID
- a social media post
- a photograph
- a video from a security camera
Audio visual, geolocation, biometric, ethnic, religious, sexual and behavioural data can also be classified as PII.
Individuals or ‘subjects’ as defined by GDPR can be customers, staff, partners as well as ex-customers, ex-staff and ex-partners; all are entitled to know, on request, the information being held on them by an organisation, whether that organisation is public, private, sporting or charitable.
Recommended reading: Has Your Business Answered These Key Questions About Personal Data?
Data encryption, security protocols, storage and transmission will be at the forefront of meeting compliance obligations.
Here are the steps you need for taking control of that personally identifiable information:
1. Make sure that personal data is stored securely
Is your data secured both physically and electronically and is all access to it safeguarded, logged and tracked?
2. Restrict unauthorised access to personal data
Are user privileges in place to restrict unauthorised access?
3. Restrict data usage only to authorised users with appropriate privileges
Do you have authorised access with appropriate privileges in place?
4. Keep data collected for different purposes separate during processing
Can data collected for different purposes be kept separate during processing?
5. Pseudonymise/anonymise data where possible
Do you have the ability to pseudonymise or anonymise data so that it can’t be used to identify a specific individual?
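The distinction behind step 5 is easy to get wrong in practice: replacing an email address with a plain SHA-256 hash is not pseudonymisation, because anyone with a list of plausible addresses can hash them and match the tokens back. A keyed hash (HMAC) with the key held separately from the dataset gives a token that is consistent for the same subject (so records can still be linked and, for a subject access or erasure request, located) but cannot be rebuilt or checked without the key. The example below is added here to illustrate that point; it is not code from the original article or from Rinodrive. The records, the purposes and the in-memory key are constructed for the demonstration, and a real deployment would keep the key in a secrets store separate from the pseudonymised data.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records (fictional addresses, not real people).
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "purpose": "newsletter"},
    {"email": "bob@example.com", "purpose": "support"},
    {"email": "Alice@Example.com", "purpose": "support"},  # same subject, different casing
]

# Assumption: the key is generated and stored outside the dataset
# (e.g. an HSM or secrets manager). Here it is created in memory only.
PSEUDONYM_KEY: bytes = secrets.token_bytes(32)


def normalise(value: str) -> str:
    """Canonicalise the identifier so one subject maps to one token."""
    return value.strip().lower()


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input and key -> same token.

    Without the key, a token can neither be reversed nor tested against
    a guessed value, which is what separates this from a bare hash.
    """
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def naive_hash(value: str) -> str:
    """The weak alternative: an unkeyed hash of the identifier."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def reidentify_by_dictionary(
    token: str, candidates: List[str], token_fn: Callable[[str], str]
) -> Optional[str]:
    """Re-identification attempt with a list of plausible identifiers.

    Succeeds against naive_hash, fails against pseudonymise because the
    attacker's token_fn lacks the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def pseudonymise_records(
    records: List[Dict[str, str]], key: bytes = PSEUDONYM_KEY
) -> List[Dict[str, str]]:
    """Replace the direct identifier with a pseudonym; keep the purpose field."""
    return [
        {"subject": pseudonymise(r["email"], key), "purpose": r["purpose"]}
        for r in records
    ]


def records_for_subject(
    pseudonymised: List[Dict[str, str]], email: str, key: bytes = PSEUDONYM_KEY
) -> List[Dict[str, str]]:
    """Controller-side lookup for a subject access or erasure request:
    the key lets the controller find a subject's rows without storing the email."""
    token = pseudonymise(email, key)
    return [r for r in pseudonymised if hmac.compare_digest(r["subject"], token)]


if __name__ == "__main__":
    stored = pseudonymise_records(RECORDS)
    print("Pseudonymised dataset:", stored)
    guesses = ["carol@example.com", "bob@example.com"]
    print("Dictionary match against naive hash:",
          reidentify_by_dictionary(naive_hash("bob@example.com"), guesses, naive_hash))
    print("Dictionary match against keyed pseudonym:",
          reidentify_by_dictionary(pseudonymise("bob@example.com"), guesses, naive_hash))
    print("Rows for alice (controller holds the key):",
          len(records_for_subject(stored, "alice@example.com")))
```

Note that this is pseudonymisation, not anonymisation: the data remains personal data under GDPR because the controller can still re-link it using the key, so the key itself needs the access controls, logging and retention rules that steps 1 to 3 and 13 ask about.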
6. Make sure email attachments are handled in a secure way
Do you have a policy for making sure personal data isn’t sent by email attachment?
7. Put data transmission controls in place
Do you know how often personal data is transmitted and how it is transmitted? Can data be read, copied, changed or deleted by unauthorised personnel during electronic transmission, when it’s being stored, shared and backed up? Where will the data being transmitted end up?
8. Encrypt all personal data
Is your data encrypted – at rest, in transit or end to end?
9. Ensure you know the location of the data storage hardware
10. Ensure all data is shared securely
This means not only internally but with particular regard to external sharing with suppliers and partners.
11. Set in place an audit process for data and activities
Does your audit allow you to see if data has been changed, shared, accessed, deleted or in any way interfered with and by whom and from where?
12. Create back up plans for damage/loss scenarios
Do you have back up plans in place so that data can be accessed even after damage or loss?
13. Ensure data retention/deletion policies are put in place
You will need policies to ensure data isn’t kept beyond the necessary timeframe. Can your company control these policies especially with external service providers?
14. Check that your external service providers are compliant
Are they meeting their GDPR compliance obligations, even if they are non-EU companies?
15. Ensure your contracts for external service providers include personal data security
Do your contracts refer to GDPR requirements such as reporting data breaches quickly? Are your suppliers sharing personal data securely with you?
16. Update your business terms and conditions
Have you updated your terms and conditions with respect to the collection of personal data and your privacy policies?
17. Make sure it is clear to your customers what you will do with their data
Do prospects and customers know why you are collecting their data and what you will do with it?
18. Implement active consent to data collection
Wherever your data collection touchpoints are, have you implemented active consent?
19. Ensure you have a Subject Access Request (SAR) process in place
Who handles SARs and how do you ensure they are carried out within 30 days as required by GDPR?
20. Put a Data Breach Risk Plan in place
Have you put in place a serious data breach risk plan? This includes PR and communications, customer communication, regulator communication, data security and so on.
Recommended reading: The Costs of a Data Breach May Shock You
Making Sure The Way You Store Personally Identifiable Information is GDPR Compliant
Under GDPR, personal data must be stored securely with auditable data management processes in place. This need not be a complex task, but it does need to be carried out to ensure efficient, law-abiding handling of data in the future.
When you understand how, why, where and when you’re holding personal data, and you put your data storage and processes in place, you’ll then be able to better manage compliance, as well as the requests and risks involved.
You’ll be prepared for SARs: you’ll be able to give individuals access to their data, with a copy in a usable and portable form, as required by law. And if individuals want to exercise the ‘right to be forgotten’ – a right under the law – you’ll be able to identify and erase all of their data.
It’ll make data breaches less likely but also provide invaluable documented mitigation for the regulator if they do happen and lessen the probability of heavy fines or penalties.
Rinodrive has been built to meet these requirements. It can map and seamlessly ingest your company’s data into a dedicated secure infrastructure where you can start to answer yes to all the questions asked above. Try Rinodrive and discover for yourself that there’s an affordable and easily implemented solution.
Recommended Reading: There May Be Some Surprising Benefits of GDPR
Ready to give Rinodrive a go? Signing up for a free trial is just
How has your business implemented changes for collection and storage and sharing of personally identifiable information? Did you find this article useful? Tell us your thoughts in the comments below.
Join our conversation ‘all about data’ on Twitter and LinkedIn. And keep up with what’s going on in the world of data by trusting us with your email for monthly mailings (and we store it on Rinodrive so it’s super safe).