As a business you are responsible for the personal data of your customers and employees. You are legally required to safeguard this information and ensure that it is handled securely. It is not always clear, however, what constitutes personal information.
It is important to understand that the definition of personal data varies by jurisdiction and country. In general, personal information refers to any information that can be used to identify a person. This includes data such as a person's name, email address or phone number, but also other information that can be linked to an individual and allows them to be identified, for instance their date of birth, mother's maiden name, biometric data, passport and visa information, credit card information, and sensitive employment data (e.g. performance ratings and disciplinary records).
Additionally, the information must be reasonably identifiable to others. If it would be difficult for others to link the information to a person, it is not considered personal. This is called the "practicability" test.
The final stage in determining whether something is personal is that it has to be about a living, identified person. This excludes business information, like invoices or orders.
Personal information with sensitive content can be extremely harmful if lost, stolen or otherwise disclosed without authorization. It is essential to educate employees on the importance of safeguarding sensitive PII. You should also take steps to secure the information when it is not in use, such as logging off unattended computers and eliminating paper records. It is also crucial to periodically review the PII stored within your systems and to restrict access to only those who have a business requirement to access the information.