How Your Organisation Can Manage Personal Data Effectively
Putting together personal data inventory is considered a good idea for organisations that handle personally identifiable data from consumers. Data is viewed as some form of currency and is understandably more challenging to track than physical products. That being said, it would make perfect sense to have a thorough account of sensitive information that flows through the organisation.
Conducting a personal data inventory can be hard to do manually. This is especially true if you have a massive amount of information to take into account. Fortunately, this is where a data inventory map as well privacy management tools like DPOinBox can come in handy.
What is personal data?
In a nutshell, personal data inventory is a record of personally identifiable information found in the organisation. Since an organisation can house a massive amount of information, doing an inventory can be a challenging task.
To make the task easier, it is important to be clear about what constitutes personal data. Under the GDPR, personal data can cover a broad amount of information, including information that’s used to identify an individual by:
- Identification number
- IP address
- Phone number
- Banking information
However, that’s not all. Under the GDPR, personal data can also include some less obvious online identifiers such as:
- Ethnic origin or race
- Political opinions
- Health status
- Ethical or religious beliefs
- Trade union membership status
- Biometric or genetic identity
- Sexual history and orientation
What information is included in a personal data inventory?
When compiling inventory, the first thing you should do is identify all the places where personal data resides. This can include the organisation’s website, affiliated URLs, and third-party services that collect information on behalf of the organisation. A thorough data inventory should include the following:
- Titles or names of data owners (i.e. human resources)
- Where the data can be found within the system (i.e. HR intranet)
- Types of data (i.e. job applicant data)
- How said data was collected (i.e. through online employment submissions)
- Data subjects (i.e. new job applicants)
- How data is used (i.e. demographic research)
- How long data will be stored
- Who has access to the data
- Policies for preserving or deleting data
How can you manage personal data effectively?
The following can help organisations manage their personal data more effectively:
Appointing a Data Protection Officer
Assign at least one person to create the organisation’s personal data policies. Same person should also oversee the organisation’s PDPA compliance. Other tasks appointed person should take care of include:
- Creating good policies for the handling of personal data that is in compliance with the PDPA
- Communicating data protection processes and policies to customers, members, and employees
- Handling complaints or queries about personal data and alerting the organisation should any risks to personal data may arise
Mapping Out Personal Data Inventory
Any organisation is held responsible for personal data that’s in their care. In line with this, it is crucial that the organisation is clear about the following:
- The personal data they have collected
- How and where the points of collection are and whether there was consent
- The uses and purposes of the personal data
- The people the personal data has been disclosed to
- The people authorised to access the personal data
- How and where the personal data is secured and kept
- The personal data that’s retained and for how long
Implementing Data Protection Processes
Once there is a clear understanding of the organisation’s personal data inventory, the data protection officer can now review the processes of the organisation to ensure they are aligned and in compliance with the PDPA.