As a business owner, you are responsible for handling the personal data of both your staff and your customers. By law, you are obliged to safeguard this data and ensure that it is processed securely. However, it is not always easy to determine what counts as personal information.
It is important to understand that the definition of personal information varies by country and jurisdiction. In general, personal data is any information that can be used to identify an individual. This obviously includes data such as a person's email address or telephone number, but it also includes any other information that can be linked to an individual and thereby identifies them: for example, their date of birth, their mother's maiden name, biometric data, visa and passport details, credit card information, and sensitive employment data such as performance ratings and disciplinary records.
In addition, the individual must be reasonably identifiable from the information. If it is impractical for someone else to identify the person from the information, then it is not considered personal. This is the "practicability test".
The final test of whether information is personal is whether it concerns a living person. Purely business information, such as invoices, orders and other documents used in the course of trade, does not fall under this definition.
Sensitive personal information can cause serious harm if it is lost, stolen or otherwise disclosed without authorization. It is vital to train employees on the importance of safeguarding sensitive PII. You should also protect the information when it is not in use, for example by locking unattended computers and securely disposing of paper records that are no longer needed. It is also crucial to periodically review the PII stored in your systems and to restrict access to those with a business need for it.