As a business you are responsible for the personal information of your customers and staff. By law, you are obliged to safeguard this data and ensure that it is handled securely. However, it is often difficult to determine what counts as personal information in the first place.

It is important to know that the definition of personal information differs by country and legal jurisdiction. In general, personal information is any information that can be used to identify a person. This obviously includes a person's name, email address or telephone number, but it also covers other data that can be linked to an individual and make them identifiable: date of birth, mother's maiden name, biometric data, passport and visa details, credit card data, and sensitive employment information such as performance ratings and disciplinary records.

The information must also make the person identifiable in practice. If it is not reasonably practicable to work out who the individual is from the data, whether directly or by combining it with other data that is held, the data is not considered to be personal. This is known as the "practicability test".

The final stage in determining whether something is personal is that it has to relate to a real, identifiable individual. Purely business records such as invoices, purchase orders or other documents that identify only a company are therefore not personal information, although a named contact or their email address on such a document can be.

Personal information with sensitive content can be extremely damaging if it is stolen, lost or disclosed without authorization. It is crucial to educate employees on the importance of protecting sensitive PII. It is also important to protect the information when it is not in use, for example by logging off unattended computers and shredding paper documents rather than discarding them. Finally, regularly inventory the PII stored in your systems and limit access to those who have a genuine business need for it.
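As an added example (not part of the original article), the following Python script shows one way to run such a periodic check: it scans a few constructed sample records for email addresses and payment-card numbers, uses the Luhn checksum to separate real card numbers from look-alike digit runs such as order references, counts what it finds per record set, and masks the matches so a report can be shared without re-exposing the data. The sample records, the regular expressions and the function names are assumptions for illustration; a real inventory would cover whichever identifiers your jurisdiction treats as personal.

```python
import re
from collections import Counter

# Constructed sample records for illustration only (not real customer data).
SAMPLE_RECORDS = [
    "customer: Jane Doe, jane.doe@example.com, card 4111 1111 1111 1111",
    "order 2024-000123 total 42.00 ref 1234567890123456",
    "helpdesk ticket, no contact details",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by
    payment-card numbers. Rejects most random digit runs (order numbers,
    reference IDs) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: str) -> list[tuple[str, str]]:
    """Return (kind, value) findings for one text record."""
    findings = []
    for m in EMAIL_RE.finditer(record):
        findings.append(("email", m.group()))
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # only report checksum-valid numbers
            findings.append(("card", digits))
    return findings


def inventory(records: list[str]) -> dict[str, int]:
    """Count how many findings of each kind exist across all records."""
    counts: Counter = Counter()
    for record in records:
        for kind, _ in scan_record(record):
            counts[kind] += 1
    return dict(counts)


def redact(record: str) -> str:
    """Mask card numbers (keeping the last four digits) and email addresses
    so findings can be reported without copying the PII into the report."""
    def mask_card(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()    # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    record = CARD_RE.sub(mask_card, record)
    return EMAIL_RE.sub("<email redacted>", record)


if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(scan_record(rec), "->", redact(rec))
```

The Luhn check is what keeps the scan useful: without it, every 16-digit order reference would be flagged as a card number and the review would drown in false positives. Conversely, anything the regex misses (a card number written with double spaces, a phone number, a passport number) is simply not covered, so extend the patterns to match the identifiers your own records actually contain.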