Processing of personal data

Since the European data regulation GDPR took effect in May 2018, and with similar laws in other parts of the world, there has been a lot of focus on processing personal data according to the rules. In addition, there is the ethical aspect of dealing with individuals’ personal information as a company. This blog post is a guide to processing personal data correctly, so that you can protect the personal data you hold, including your customer data and employee data.

Did you know that data leaks involving personal data lead to customer loss and affect business sustainability? (Ponemon Institute).

GDPR on personal data

When sensitive data enters your systems, inboxes and shared drives, you as a company must process personal data in accordance with the data rules that apply to you. In the UK, you are subject to the data regulation UK-GDPR, which gives individuals a number of rights:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object
  • Right to data portability

Each of these rights gives more power to the individual citizen and makes organisations all the more responsible for their processing of personal data.

In addition to the processing of sensitive personal data, GDPR makes demands on your organisation, documentation and data security. We have created a GDPR checklist if you want help complying with the entire GDPR.

How to process personal data

Translated into practice, the GDPR means there are a number of situations that your company must focus on when you process personal data:

1. Identification of personal data
The first step in processing personal data correctly is to identify the sensitive data your company handles. This will help you get an overview of your sensitive data. Read more about how you can find your sensitive personal data here.

2. Getting consent
According to the GDPR, it is necessary to obtain consent from individuals before you process their data. This consent must be clear, voluntary and informed. You should develop a consent collection policy and ensure that it is followed consistently. Read more about getting consent for processing of personal data here.

3. Storage of personal data
Protecting personal data when it is in your data systems is essential. Your company should implement appropriate security measures such as encryption, access control and regular security audits. It is also important to have a plan for how you will respond to data leaks should they occur. Read more about secure storage of personal data here.

4. Requests for personal data
GDPR gives individuals the right to make requests for their data. As a company, you must have procedures in place to receive and respond to these data requests and respond within a set time frame. Read more about handling data requests here.

5. Sharing of personal data
Individuals have the right to access the data you have about them. As a company, you must have a secure way to share personal data.

Start your GDPR cleanup where it is needed the most

Sensitive data tends to accumulate in employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

The smart way to process sensitive data

An obvious way to start processing personal data responsibly is to make a comprehensive inventory of the data the company processes. This involves identifying and classifying all types of personal data, such as health information or financial information. One way to do this effectively is to use a Sensitive Data Discovery tool. With such a tool, a company can quickly and precisely identify where personal data is hidden in its systems, whether in files, e-mails or images. This gives the company a clear overview of which data is processed and enables a more targeted effort to handle personal data responsibly.

How we can help

Processing personal data in a responsible way involves a lot of manual work. The use of software can make the task easier. Here are three types of software I would recommend for the purpose:

  • DataMapper – Find your sensitive data
  • ShareSimple – Send and receive data securely in Outlook
  • RequestManager – Process data subject requests easily

These tools can save valuable time for your business and protect you from data breaches. They give your customers confidence that their data is safe with you. Finally, you should also keep an eye on what a manual GDPR cleanup costs compared to an automated one.

I hope this guide was helpful to you in improving how you handle sensitive data. If you want to know how I personally would clean up our sensitive personal data, click here.

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist