As a company, you are responsible for the personal data of your customers and staff. By law, you are required to protect this data and ensure that it is used correctly. However, it is not always easy to determine what counts as personal information.

It is important to note that the definition of personal data varies by jurisdiction and country. In general, personal information is any information that can be used to identify an individual. This obviously includes data such as a person’s email address or phone number, but it also includes any other information that can be linked to an individual and so makes them identifiable: for instance, their date of birth, their mother’s maiden name, biometric data, visa and passport details, credit card information, and sensitive employment records (e.g. performance ratings and disciplinary records).

In addition, the individual must be reasonably identifiable from the information. If it would be difficult for other people to identify the person from it, the information is not considered personal. This is called the “practicability test”.

The final factor in determining whether information is personal is that it must relate to a real, identifiable person. This excludes purely business information, such as invoices or orders.

Sensitive personal information can be extremely damaging if it is stolen, lost or disclosed without authorization. It is vital to educate employees on the importance of safeguarding sensitive PII. It is also important to take steps to secure the information even when it is not in use, for example by logging off unattended computers and securely destroying paper records that are no longer needed. Regularly review the PII held in your systems, and restrict access to those with an official reason to access it.