Skip to main content

Protection of personal data

In line with digitalisation, the handling of personal data has become a central challenge for companies all over the world. The protection of this sensitive information is not only a legal obligation under data regulations such as GDPR, but also a crucial factor in building and maintaining trust with customers and business partners.

In this guide, I will provide our recommendations in relation to demonstrating good practice for the processing of personal data in order to comply with the privacy regulations and build trust.

Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability? (Ponemon Institute).

Basic principles for processing sensitive data

All companies are obliged to follow the data regulation applicable in the region in question. For European companies, this is the GDPR and for the UK this would be the UK GDPR. According to this, a number of basic principles how process personal data must be observed. These include:

  1. Processing must be legal, fair and transparent.
  2. Personal data must be relevant and limited to the purpose for which it was collected.
  3. Personal data must be accurate and up-to-date.
  4. Personal data must be stored securely and in accordance with relevant laws and regulations.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

When do you process sensitive data?

You process personal data when you:

  • Collect personal data
  • Store personal data
  • Use personal data
  • Transfer personal data
  • Delete personal data

Processing of personal data can take place in many different contexts, e.g. in connection with employment, administration, marketing, sale, HR work, research and statistics etc.  This includes everything from collecting names and addresses, registering credit card information or health data, sending student information or deleting employee information, etc.

How to process sensitive data

It is essential to have a systematic approach to the processing of personal data, including having clear procedures for the collection, storage, use, transfer and deletion of personal data. It is also important to have a crisis management plan to deal with data leaks or other security breaches involving sensitive personal data.

If you put the situations where you handle personal data into business practice, you can argue that there these steps you must focus on in order to process personal data properly:

  1. Consent: Make sure you get approval to use personal data for the purposes you have
  2. Security: Ensure that your IT systems are able to store and handle personal data.
  3. Access control: Ensure that only the employees whose work affects the information have access to it.
  4. Data minimisation: Only keep the information you need and delete it when it is no longer needed.
  5. Awareness: Ensure that all employees, who have access to sensitive information, are aware of how to proces it.
  6. Requests: Give data subjects access to their information and the ability to make requests for their data.
  7. Sharing: Ensure personal data is protected when in transit
  8. Identification: You must keep track of the personal data you proces. Therefore, find the personal data you have stored in your data systems.

Remember that handling of personal data is a continuous process, and you must continuously evaluate and improve your practices to ensure the security of the data.

Need help to process sensitive data?

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

When is it illegal to process sensitive data?

It is illegal to process personal data when it is done without a valid legal basis such as consent from the data subject, a contractual necessity, a legal obligation, a task in the public interest or legitimate interests that outweigh the rights of the data subject. You also break the law if the processing violates the GDPR principles of data minimisation, purpose limitation or data storage. Furthermore, the processing is illegal if the security measures are insufficient and do not protect against unauthorised or illegal processing, loss, alteration or damage. In general, it can be said that any processing of personal data that does not comply with the legislative requirements and principles of data protection is illegal.

Do you need help?

Handling sensitive personal data is an important task that requires a lot of time and resources. By following the above principles for handling personal data, you can protect the personal information you are responsible for. At Safe Online, we develop tools that make it easier for businesses to process personal data in a responsible manner. The tools can help you in three key situations when you process personal data:

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →

Contact me today


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit