As a business you handle personal information of your clients and staff. According to law, you're required to protect this data and ensure that it is used correctly. It's not always easy to determine what constitutes personal data.
It is important to note that the definition of personal data differs by jurisdiction and country. In general, personal information is any information that can be used to identify a person. This includes a person's name, email address or phone number, as well as any other data that could be linked to an individual and allow them to be identified, such as date of birth and mother's maiden name, biometric information, passport or visa information, credit card information, and sensitive employment data (e.g. performance ratings and disciplinary records).
Additionally, the individual must be identifiable from the information by others. If it would be extremely difficult for another person to identify the individual from the information, it is not considered personal data. This is known as the "practicability test".
The final step in determining whether something is personal data is that it has to relate to a real, identifiable person. This excludes purely business-related information, such as invoices or orders.
If sensitive personal information is lost, stolen, or otherwise disclosed without authorization, the consequences can be severe. It is crucial to educate employees on the importance of protecting sensitive PII. You must also take steps to protect the information even when it is not in use, including locking unattended computer systems and destroying paper documents securely. It is also important to regularly review the PII stored in your systems and to limit access to only those who have a business need for it.