More and more governments are reinforcing the laws that regulate the handling of personal data, while the number of leaks continues to grow year after year.
For this reason, whereas some ten years ago the most important financial losses a company could suffer from a data loss incident came from lawsuits and reputational damage, today the sanctions imposed by regulators take center stage and can represent a significant part of the damages the company suffers as a result of such an incident.
Given this situation, we have decided to publish a series of tips that will help you organize secure processes to collect, store and transfer personally identifiable information in your company.
The Collection Of Personal Data
First and foremost: collect data only if you have sufficient legal grounds to do so.
Data collection may be formally provided for by the law of the country in which your business operates, by a contract whose terms allow the processing of personally identifiable information (PII), or by consent given by the PII subject in electronic or paper form. Besides:
- Save the evidence of consent obtained for the processing and storage of PII, in case of lawsuits or inspections.
- Do not collect data that is not necessary for your work processes (data should not be collected "just in case").
- If data that is not needed for the job is collected due to some mistake or misunderstanding, delete it immediately.
The Storage Of Personal Data
If you collect personal data, you must know where it is stored, who can access it, and how it is processed.
To do this, you may need to create a kind of “map” where all PII-related processes are recorded.
It is also advisable to develop strict regulations for data storage and processing, and to constantly monitor compliance with both. We also advise the following:
- Store PII exclusively on media inaccessible to intruders.
- Limit access to PII to a minimum number of employees: it should only be available to those who need it for work reasons.
- Immediately delete personal data that is no longer required for corporate processes.
- If your workflow requires the storage of paper documentation, it should only be stored in secure locations such as a locked safe.
- Unnecessary paper documents should be shredded.
- If the data is not needed in its original form, anonymize it. Anonymized data is stripped of unique identifiers, so that even in the event of a leak it is impossible to identify the subject.
- If your corporate processes make anonymization impossible, pseudonymize the data instead: convert the PII into a unique string so that the subject cannot be identified without additional information.
- Avoid storing PII on corporate devices and on external hard drives or USB sticks: they can be stolen or lost, and an attacker who obtains them can use them to access the data.
- Do not store or process actual PII in the test infrastructure.
- Do not use new services to store and process data until you are sure that they meet basic security requirements.
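The distinction between anonymization and pseudonymization in the list above, shown as an added example that is not part of the original article: the pseudonym is a keyed hash (HMAC-SHA256), so the key is the "additional information" without which the subject cannot be re-identified, while a plain unkeyed hash of an e-mail address could be matched against a list of candidate addresses. The field names, the `DIRECT_IDENTIFIERS` set and the sample record are assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets

# Assumed set of direct identifiers; adapt to the fields your processes actually hold.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "passport_no"}

# The secret that turns a token back into a person must be kept apart from the
# pseudonymized data set (e.g. in a secrets store). Generated here only for the demo.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize_value(value: str, key: bytes) -> str:
    """Map one identifier to a stable token with a keyed hash.

    The same value always yields the same token, so records stay linkable for
    business processes, but without `key` the token cannot be reversed or
    matched against guessed values the way an unkeyed SHA-256 digest could.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy in which every direct identifier is replaced by its token."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in record:
            out[field] = pseudonymize_value(str(record[field]), key)
    return out


def anonymize_record(record: dict) -> dict:
    """Return a copy with the direct identifiers removed entirely (irreversible)."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


if __name__ == "__main__":
    # Constructed sample record; not real personal data.
    customer = {"name": "Jane Doe", "email": "Jane.Doe@example.com",
                "plan": "premium", "country": "FR"}
    print(pseudonymize_record(customer, PSEUDONYM_KEY))
    print(anonymize_record(customer))
```

Note that pseudonymized data is still personal data under most regulations, because whoever holds the key can re-identify the subject; only the anonymized copy falls outside that scope.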
The Transfer Of Personal Data
All processes related to the transfer of personal data must be registered and approved by the security department or the data protection officer, if any.
In addition, all employees with access to PII must have clear instructions on how to handle company data, what corporate or third-party services can be used for this, and to whom this data can be transferred. Also, make sure that:
- Subcontractors, such as a managed service provider, do not have administrator rights to systems that contain PII.
- Data access is limited on a territorial basis: data of citizens of one country should not be made available in other countries unless cross-border transfer of that data is not regulated.
- When transferring PII, always use encryption – this is especially important when sending data via email.
- When transferring personal data to third-party organizations, a data processing agreement (DPA) is concluded.
- You have a lawful basis to share PII with third parties: that is, the PII subject has consented to it, the sharing is specified in a contract, or it is required by law.
Of course, none of these tips, not even the strict regulations, can exclude the possibility of human error.
Therefore, among other things, we recommend that you periodically carry out security awareness training.
For this, it is advisable to choose learning platforms whose content covers, above all, privacy and the handling of personal data.