
What is data confidentiality?

Data confidentiality means keeping personal data, trade secrets, and other private information private and protected from unauthorized access. This article will focus on the confidentiality of personal data (PII or PI).


Definition of data confidentiality in the GDPR

According to GDPR’s Integrity and Confidentiality principle, “You must ensure that you have appropriate security measures in place to protect the personal data you hold.” This is the GDPR principle most concerned with data security.


Data confidentiality and your company

The GDPR does not specify exactly what security measures you should take. That’s because technological and procedural best practices change constantly.

Right now, encryption and/or pseudonymisation or anonymisation of personal data are technical measures you can use to protect confidentiality.

Policies about who can access what, and training that includes how to protect passwords, work devices and emails are among the organisational measures you can take.


Data confidentiality checklist

Here are a few things you can do right now to ensure data confidentiality:

1. Decide who should have access to personal data

Not everyone in your company needs access to everyone else’s personal information. Control access to customers’, employees’, and partners’ personal information, and especially their sensitive personal information. The fewer people have access to data, the lower the risk of a data breach.

2. Use encryption and passwords

Encryption uses algorithms to make data unreadable at rest or in transit. Strong passwords protect data from unauthorized access. Redacting or changing names and personal details

3. Pseudonymise data

Pseudonymisation means processing personal data in such a way that this data can no longer be attributed to a specific individual without the use of additional information. Pseudonymised data still counts as personal data under the GDPR, but pseudonymisation does provide a measure of protection and is considered a suitable safeguard in some cases.

4. Anonymise or delete data you no longer use

Anonymised personal data can no longer be connected to an identified or identifiable individual in any way. It is no longer considered personal data. You should delete or anonymise personal data when there is no (more) lawful purpose to keep it in a way that enables identification of an individual.

5. Establish a confidentiality policy

Set up a confidentiality policy: a list of instructions on how employees should handle confidential data to ensure its protection. Make sure everyone understands what to do with personal data. This will save time and reduce the risk of common errors that could cause data breaches. Your data confidentiality policy will be for internal use, but it should be consistent with your public privacy policy. It should include:

  • What types of data you will accept/collect from people
  • How you can use it
  • Who you can share it with
  • How you will protect it
  • How long you can keep it, and so on.
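Step 3 of the checklist in code, as an added example that is not from the original article: direct identifiers are replaced with keyed HMAC-SHA256 tokens, and the secret key plays the role of the "additional information" that has to be stored apart from the data. The field names, sample records and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: these are the direct identifiers in our constructed records.
IDENTIFIER_FIELDS = ("name", "email")


def new_key() -> bytes:
    """Generate the secret key. It is the 'additional information' and
    belongs in a separate, access-controlled store, not beside the data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier value.
    A keyed HMAC is used instead of a plain hash so that nobody without
    the key can recompute tokens from candidate names or addresses."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with identifier fields tokenised."""
    return {
        field: pseudonym(val, key) if field in IDENTIFIER_FIELDS else val
        for field, val in record.items()
    }


def matches(value: str, token: str, key: bytes) -> bool:
    """Re-identification check; only possible for a holder of the key."""
    return hmac.compare_digest(pseudonym(value, key), token)


if __name__ == "__main__":
    key = new_key()
    # Constructed sample records, not real data.
    rows = [
        {"name": "Ann Example", "email": "ann@example.com", "plan": "pro"},
        {"name": "Ann Example", "email": "Ann@Example.com ", "plan": "free"},
    ]
    out = [pseudonymise(r, key) for r in rows]
    # The same person maps to the same token, so records stay linkable.
    print("linkable:", out[0]["email"] == out[1]["email"])
    print("key holder can re-identify:",
          matches("ann@example.com", out[0]["email"], key))
```

Because the key holder can still link tokens back to people, the output remains personal data, as step 3 notes; it is not the anonymisation described in step 4.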

Data confidentiality software

Data confidentiality software can help you find out who has access to what data, protect data at rest and in transit, improve your policies and more.

Sebastian Allerelli

Governance, Risk & Compliance Specialist