Company’s guide to process sensitive data

In today’s digital age, handling personal data is an important task for companies. With the introduction of the European General Data Protection Regulation (GDPR) in May 2018 and similar laws in other parts of the world, it has become essential to process personal data responsibly and in accordance with the law. In addition, there is the ethical aspect of dealing with individuals’ personal information as a company, and if you in any way reveal this information, it can have major consequences for the person whose information you expose. This blog post will guide your company in processing personal data correctly and protecting the interests of both customers and the company.

It is important to understand that GDPR applies to all types of personal data, from names and email addresses to more sensitive information such as health data. This data enters your systems, inboxes and shared drives. To comply with GDPR, you must keep track of how data is processed, organized, stored and managed. GDPR gives individuals rights, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to object
• Right to data portability

Each of these rights gives more power to the individual and makes organizations all the more responsible for their handling of personal data. This creates a need for you to reassess and improve your data processes.

If you translate the GDPR’s rights for individuals into everyday practice for companies, you can say that there are generally 6 situations that your company must focus on when you process personal data

1. Identification and classification of personal data
2. Collection of consent
3. Secure storage and protection of data
4. Data portability and erasure
5. Education and awareness
6. Ongoing compliance

1. Identification and classification of personal data

The first step in processing personal data correctly is to identify and classify the data your company handles. This involves creating a comprehensive list of all data sources and the associated categories of personal data. This will help you understand which data is most sensitive and requires extra protection. Read more about how you can find your sensitive personal data here.

2. Collection of consent

Under the GDPR, it is necessary to obtain consent from individuals before you process their data. This consent must be clear, voluntary and informed. You should develop a consent collection policy and ensure that it is followed consistently. Read more about the collection of personal data here.

3. Secure storage and protection of data

Protecting personal data from unauthorized access or exposure is essential. Your company should implement appropriate security measures, including encryption, access control and regular security audits. It is also important to have a plan for how you will respond to data leaks should they occur. Read more about secure storage of personal data here.

4. Data portability and deletion

The GDPR gives individuals the right to access their data and move it to other services (data portability). In addition, individuals have the right to request the erasure of their data (the right to be forgotten). As a business, you must have procedures in place to accommodate these requests and respond within a set time frame. Read more about the right to be forgotten here.

5. Education and awareness

It is important to train employees about GDPR. Employees must understand the importance of protecting personal data and comply with the rules. Read more about awareness training here.

6. Ongoing compliance

Finally, it is important to maintain ongoing monitoring of compliance and reporting to relevant authorities if required. This also involves appointing a data controller (DPO) if your company is large enough to require it.

Complying with international data regulations when processing sensitive data involves a lot of manual work. Using software can make it a lot easier. Here are three types of software we recommend:

1. DSAR management software
Set up a structured, streamlined way to keep up with data privacy requests (DSRs or DSARs). Manual response to data requests is time-consuming and problematic, taking between 30-40 hours per request to find and prepare a person’s data. Request management software can automate the process, saving you valuable manpower and resources.

2. Data Discovery tool
Let algorithms find and track the personal data your company stores, no matter where it is. This makes it easy for you to identify files that may present a risk of GDPR/data breach. Get a personal data inventory tool that recognizes high-risk keywords and ID numbers and organizes sensitive files by risk level and category. Then use it to regularly evaluate and improve your data processes.

3. A safe email portal
A safe email portal is a good option for sharing and collecting data securely. It can work with the email you already use, sending and receiving data in an encrypted folder with auto-deletion after a time period you customize. It will keep the personal information you share and request safe, accounted for, and neatly out of your inboxes and folders.