Processing sensitive data

Meeting data compliance standards has become more challenging than ever. Data protection laws put much greater responsibility on your company whenever you collect data. They require you to have a legal basis for collecting personal data, provide security for it, and limit the amount of time you keep it.

Data protection laws also set a higher standard for how you treat people and communicate with them about their data. This means you must be much more aware and in control of your data processes and data flows.

Let’s look at data compliance standards and what you can do to meet them.

What are data compliance standards?

Data compliance standards are the legal requirements for data processing. Every day, your organization receives and manages large amounts of personal data. All that data makes its way into your storage systems, emails and databases. To be data compliant, you need to keep track of how all of it is being processed, organized, stored and managed.

To comply with the transparency element of regulations, you should also be able to communicate these processes to data subjects (customers, employees, and anyone else whose data you store) and be prepared to account for them in case of an audit. You must be familiar with privacy rights, including the right of access, the right to rectification, the right to erasure, the right to restrict processing, and the right to data portability, among others. You should be aware of how long you keep data. Data must not be kept longer than the time necessary for the purpose for which the data is being processed. The exact time frame is not predefined; it may vary between employee data and customer data, between different types of data, and with how long the data is relevant for the purpose it was collected for.

Meeting compliance standards when processing sensitive data

Data compliance is an important focus for your company from both an ethical and an economic point of view. Today’s consumers pay attention to data ethics. They care about the types of sensitive data you collect about them, how much you collect and how long you keep it. Your data policy can effectively be a dealmaker or a dealbreaker for your customers.

Another obvious reason to stay data compliant is to avoid fines. A data breach can cost your company hefty fines of up to 4% of its annual turnover. The average cost of a data breach in 2020 is $3.86 million, according to a new report from IBM and the Ponemon Institute.

How to process sensitive data

Here are five areas you should focus on to meet data compliance standards when processing sensitive data:

1. Security
Regulations require you to follow the principle of “data protection by design and by default,” and implement “appropriate technical and organizational measures” to protect data. Data protection should always be at the top of your mind when you handle personal data, and should be built into your processes. Technical measures you can take to protect data can include encryption of data at rest and in transit. Organizational measures can include things like setting data retention limits, training your employees to protect their work devices, and so on.

2. Transparency
All companies are required to be transparent about their activities and show they have a lawful basis for collecting data. Companies that have 250 employees or more, or that conduct higher-risk data processing, are required to keep an up-to-date and detailed list of their processing activities and be prepared to show that list to regulators upon request. But even if you are not sure whether it is required, listing your processing activities is a good idea, since it helps you evaluate your own processes and makes complying with the GDPR’s other requirements easier. For example, you will be able to keep your privacy policy up to date and report any breaches or problems on time. Transparency includes stating:

  • Your purposes for collecting data
  • What kinds of data you will collect
  • Who in your company will have access to personal data
  • Any third parties that have access to data and where they are located
  • What you will do to protect the data
  • How long you will keep it

3. Accountability
You should establish a compliance team or designate a compliance officer. Having a dedicated team or individual responsible for compliance can help ensure that compliance is given the attention it needs and that any issues are dealt with promptly. The designated compliance team or officer should stay informed and up to date about changes in laws, regulations, and industry standards, which can help ensure that the company’s compliance efforts stay current and effective. To summarise, a company must do the following:

  • Put someone in charge of monitoring your daily processes to ensure they are in line with regulations.
  • If any other organisations process data on your behalf, make sure you sign a data processing agreement with them.
  • If your company is outside of the EU, appoint an EU representative.
  • Decide if you need to appoint a Data Protection Officer (DPO).

4. Culture
As a company you should make sure you implement the policies and procedures you say you have. Having clear policies and procedures in place can help ensure compliance with laws and regulations.

  1. Foster a culture of compliance: a culture where compliance is valued and upheld by all employees can help ensure that compliance is integrated into all aspects of the company’s operations.
  2. Provide training and education: providing training and education to employees on compliance matters can help ensure that they understand their responsibilities and are aware of any changes in laws or regulations.
  3. Review your processes regularly and update them as necessary.

5. Privacy Rights
With the GDPR, everyone has a number of rights linked to the processing of their personal data. First, personal data must not be stored longer than the time necessary for the purpose for which the data is processed. The time frame is not predefined; it can vary for employee data and customer data, different types of data and how long the data is relevant for the purpose for which it was collected.

People have the right to know what data you have about them and how you use it. To stay within the rules, you must ensure that individuals are informed about what their data is used for and that they give specific, unambiguous consent for you to process it. It should also be possible to withdraw consent. When proper consent has been given, your organization can only use data for the purposes described in the agreement.

People may also make a number of other requests regarding their data that you should be prepared to respond to. When someone makes a request for their data, you must:

  • Verify their identity
  • Notify them that their request has been received
  • Assign someone to collect data and respond
  • Collect all the relevant data
  • Send it to them securely
  • Respond on time (usually within a month)
  • Document all these steps

The smart way to process sensitive data

Complying with international data regulations when processing sensitive data involves a lot of manual work. Using software can make it a lot easier. Here are three types of software we recommend:

1. DSAR management software
Set up a structured, streamlined way to keep up with data privacy requests (DSRs or DSARs). Manual response to data requests is time-consuming and problematic, taking between 30 and 40 hours per request to find and prepare a person’s data. Request management software can automate the process, saving you valuable manpower and resources. Read about our DSAR management software, RequestManager →

2. Data discovery tool
Let algorithms find and track the personal data your company stores, no matter where it is. This makes it easy for you to identify files that may present a risk of GDPR/data breach. Get a personal data inventory tool that recognizes high-risk keywords and ID numbers and organizes sensitive files by risk level and category. Then use it to regularly evaluate and improve your data processes. Read about our data discovery tool, DataMapper →

3. A safe email portal
A safe email portal is a good option for sharing and collecting data securely. It can work with the email you already use, sending and receiving data in an encrypted folder with auto-deletion after a time period you customize. It will keep the personal information you share and request safe, accounted for, and neatly out of your inboxes and folders. Read about our safe email portal service, ShareSimple →

A multi-pronged approach

The three types of software we’ve mentioned above can minimize the tendency of personal files and information to linger in your systems, floating around aimlessly at risk of being leaked in a data breach.

Compliance tools save valuable time for your business and protect you from liability. Finally, they give your customers confidence that their data is safe with you.

I hope this guide was helpful to you in improving how you handle sensitive data.

Sebastian Allerelli

Governance, Risk & Compliance Specialist