Company’s guide to process sensitive data

In line with digitalisation, the handling of personal data has become a central challenge for companies all over the world. The protection of this sensitive information is not only a legal obligation under data regulations such as GDPR, but also a crucial factor in building and maintaining trust with customers and business partners.

In this guide, I will provide our recommendations in relation to demonstrating good practice for the processing of personal data in order to comply with the privacy regulations and build trust.

All companies are obliged to follow the data regulation applicable in the region in question. For European companies, this is the GDPR and for the UK this would be the UK GDPR. According to this, a number of basic principles how process personal data must be observed. These include:

1. Processing must be legal, fair and transparent.
2. Personal data must be relevant and limited to the purpose for which it was collected.
3. Personal data must be accurate and up-to-date.
4. Personal data must be stored securely and in accordance with relevant laws and regulations.

You process personal data when you:

• Collect personal data
• Store personal data
• Use personal data
• Transfer personal data
• Delete personal data

Processing of personal data can take place in many different contexts, e.g. in connection with employment, administration, marketing, sale, HR work, research and statistics etc.  This includes everything from collecting names and addresses, registering credit card information or health data, sending student information or deleting employee information, etc.

It is essential to have a systematic approach to the processing of personal data, including having clear procedures for the collection, storage, use, transfer and deletion of personal data. It is also important to have a crisis management plan to deal with data leaks or other security breaches involving sensitive personal data.

If you put the situations where you handle personal data into business practice, you can argue that there these steps you must focus on in order to process personal data properly:

1. Consent: Make sure you get approval to use personal data for the purposes you have
2. Security: Ensure that your IT systems are able to store and handle personal data.
3. Access control: Ensure that only the employees whose work affects the information have access to it.
4. Data minimisation: Only keep the information you need and delete it when it is no longer needed.
5. Awareness: Ensure that all employees, who have access to sensitive information, are aware of how to proces it.
6. Requests: Give data subjects access to their information and the ability to make requests for their data.
7. Sharing: Ensure personal data is protected when in transit
8. Identification: You must keep track of the personal data you proces. Therefore, find the personal data you have stored in your data systems.

Remember that handling of personal data is a continuous process, and you must continuously evaluate and improve your practices to ensure the security of the data.

It is illegal to process personal data when it is done without a valid legal basis such as consent from the data subject, a contractual necessity, a legal obligation, a task in the public interest or legitimate interests that outweigh the rights of the data subject. You also break the law if the processing violates the GDPR principles of data minimisation, purpose limitation or data storage. Furthermore, the processing is illegal if the security measures are insufficient and do not protect against unauthorised or illegal processing, loss, alteration or damage. In general, it can be said that any processing of personal data that does not comply with the legislative requirements and principles of data protection is illegal.

Handling sensitive personal data is an important task that requires a lot of time and resources. By following the above principles for handling personal data, you can protect the personal information you are responsible for. At Safe Online, we develop tools that make it easier for businesses to process personal data in a responsible manner. The tools can help you in three key situations when you process personal data: