Governments of many countries are tightening the laws that regulate working with personal data. At the same time, the number of data leaks is only growing from year to year. If around ten years ago the most severe financial losses a company could suffer tended to be lawsuits and consequences of reputational damage, these days it’s penalties from regulators that can account for a significant part of the company’s damages as a result of a data-loss incident. Therefore, we decided to publish a series of tips that will help you organize secure processes for collecting, storing and transferring personally identifiable information in your company.
The first most important thing: collect data only if you have sufficient legal grounds to do so. Data collection may be formally provided for by the law of the country in which your company operates; a contract with terms that clearly permit the processing of PII; or consent expressed by a PII subject in electronic or paper form. Besides:
- keep evidence of your obtaining consent for processing and storage of PII in case of legal claims or regulator’s inspections;
- Do not collect data that’s not really needed for your work processes (data shouldn’t be collected “just in case”);
- If data that’s not required for work is collected due to some mistake or misunderstanding, delete it immediately.
If you collect personal data, it’s very important that you know where it’s stored, who has access to it, and how it’s processed. To do this, you may need to create a kind of “map” where all processes related to PII are registered. Then, it’s wise to develop strict regulations for the storage and processing of data, and to constantly monitor the implementation of both. We also recommend the following:
- To store PII exclusively on media inaccessible to outsiders;
- To limit access to PII to a minimal number of employees (it should only be available to those who really need it for business reasons);
- To promptly delete personal data that’s no longer required for work processes;
- If workflow requires storing paper documents, they should only be placed in secure locations (e.g., lockable safes);
- Unnecessary paper documents should be destroyed using shredders;
- If the data isn’t needed as it is, it should be anonymized (deprived of unique identifiers so that even in the event of a leak it would be impossible to identify the subject);
- If, due to your work processes, it’s not possible to anonymize data, it needs to be pseudo-anonymized — to convert the PII into a unique string so that the identification of the subject is impossible without additional information;
- To avoid storing PII on work devices and external or flash drives (they can be stolen or lost, and computer data can be accessed by an attacker);
- Not to store or process real PII on test infrastructure;
- Not to use new services for storing and processing data until you’re sure they meet basic security requirements.
All processes related to the transfer of personal data must be registered and approved by the security department, or data protection officer if you have one. All employees with access to PII should have clear instructions on how data should be handled in your company, which corporate or third-party services can be used for this, and to whom this data can be transferred. In addition, make sure that:
- Subcontractors (for example, MSP services) don’t have access with administrator rights to systems containing PII;
- Access to data is limited on an extraterritorial basis (data of citizens of one country should not be available from other countries unless cross-border data transder is not regulated);
- When transferring PII, encryption is always used (this is especially important when sending data by e-mail);
- When transferring personal data to third-party organizations, a data processing agreement (DPA) is signed;
- You have the legal right to transfer PII to third parties (that is, there’s clear consent for this from the PII subject, or this is specified in a contract or required by law).
Of course, neither these tips nor strict regulations can exclude the possibility of human error. Therefore, among other things, we recommend periodically conducting security awareness trainings. And it’s advisable to choose learning platforms that have lessons related to privacy and working with personal data especially.