General security

8 Data Protection Tips for Handling Personal Information

Susan Morrow
July 31, 2018 by
Susan Morrow


The digitization of everything that is personal is truly a phenomenon. Our digital footprints cover the Internet like a trail of breadcrumbs and can reveal every transaction and communication we make.

Personal information is anything that can be traced back to an individual, and personal data covers a spectrum of digital attributes that ultimately creates a “digital me.” This includes name, address, date of birth and so on, but it also includes IP address, online behavior, political preferences, biometrics, and other scraps of information. The GDPR, which is now synonymous with personal data, says this about data and an individual:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

As custodians of personal information that represents an individual, an organization has to accept a level of responsibility towards this data. Here are some suggestions for data handling that will give your organization kudos and show you have respect for your customers, employees and your wider community.

8 Ways to Show Your Respect for Personal Information

Outline Your Principles of Notice and Choice

A standard model of notice and choice needs to become the norm for any organization that processes personal information. It’s all too common for an organization to feel they have a right to an individual's data by giving them a service. While it’s true that every action should have an equal and opposite reaction — you scratch my back and I’ll scratch yours — the processing of personal data has overstepped the mark.

The interaction between individuals and social media platforms gives us an insight into how people view the act of data sharing for a service. The rise of social media platforms has been meteoric by anyone’s standards. The fact that Facebook services almost one-third of the world’s population attests to that.

However, Pew research into attitudes towards data privacy and social platforms shows that people are now realizing that the relationship is unbalanced. The study found that 91% of Americans using social platforms believe they have lost control over the use of their personal data. The recent Facebook privacy debacle, of course, feeds into this belief.

Ultimately, a perception of one-sidedness in the handling of personal information will result in customer dissatisfaction. It’s important for companies to be aware of this shift in attitude and choose a principled approach to the collection and handling of data that has choice and consent built into the model.

One important aspect of this is to make choice granular, or gradual and ongoing. An off/on setting for choice is no choice at all. When collecting data, separate out your offers into what you must have, what you would like and what is truly optional. By giving choice, you also create a two-way relationship with your customer. Building lasting relationships should be a goal for any organization as it creates customer loyalty.

An organization should endeavor to have a “Principles of notice and choice” statement which outlines what data is collected, what choice the data owner has over the collected data, and what security and privacy measures are used to protect this information.

Minimize Data During Capture

A related issue to the above is the amount of data captured. During data capture:

  1. Only ask for personal information you truly need. For example, do you really need to know someone’s title?
  2. If you really need to profile people for marketing purposes, can you do so in some manner that pseudonymizes the data?

Minimizing the data collected minimizes the amount of data that can be exposed.

Minimize Data During Consumption

Personal data is driving many online transactions and will continue to do so as digital identity and the associated attributes become ubiquitous for consumers. Some things to consider when improving personal data-handling include:

  1. When consuming data during a transaction, use privacy-enhancing measures to minimize the data. For example, if a service requires to prove a person is over 21, instead of requesting/presenting the full date of birth of the individual, just ask yes/no for “age over.”
  2. The NIST guidelines on digital identity suggest using pseudonymization for access to government services.

Control Data Security and Access Throughout the Data Lifecycle

Whatever measures you use to minimize data you still have to, at some stage, make sure the data you do process is protected. You should implement the following minimum measures to ensure data protection throughout the lifecycle of the data:

  1. Encryption: For data during transfer and at rest. This includes correct implementation of HTTPS and database/hard disk encryption of any stored data.
  2. Access control and authentication: Use of robust authentication measures to control access to data — including the use of second-factor authentication and, if possible, risk-based authentication. Also, application of privileged access based on roles only gives access to data on a need-to-know basis.

Do You Need to Store Data or Not?

Consider if you need to actually store data. With some systems, you have an option to call out to data when needed, presenting the information on-the-fly with no storage. This prevents replication of data across multiple systems and reduces the chances of breach and exposure.

Insights Into Regulatory Compliance

Regulatory frameworks can be painful to follow but they are also designed by persons with a lot of experience in the field. Use the guidelines to help you determine the best practices for handling personal information. For example: HIPAA, which is designed for U.S. healthcare organizations, has extensions to cover associated businesses.

This discipline of ensuring that data protection measures are extended to third-party associates is an important one. It ensures that your data security is taken seriously by your vendor network, who must comply with your data protection requirements. This concept should apply to all industries, not just healthcare. Check industry-specific data protection regulations, even those outside your own sector, to see what measures you can take to protect personal information.

Set Time Limits on Data

Many pieces of personal information are fluid; that is, they change over time. Set up time limits for any data that you do need to store. This acts as not only a reminder to do a consent refresh, but it also acts as a customer touchpoint. As an extra benefit, this action ensures that the data you do hold is relevant and high-quality. It can also be used to cull unused data, removing data-exposure opportunities.

Set Data Access Roles

Who can access what, when and how are important rules to set in place. Privileged access should be a fundamental part of your data-security strategy. Limiting access to specific persons reduces the points of failure and helps to manage insider threats.


Data has been likened to the “new oil” and is driving new economies. As such, it is a valuable commodity that needs to be protected. Our duty as custodians and processors is to secure it and not misuse it. Hopefully, the eight tips above will give you some ideas of how to minimize risk to the data that you use for your business.


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


Number of monthly active Facebook users worldwide as of 2nd quarter 2018 (in millions), Statistica

Americans’ complicated feelings about social media in an era of privacy concerns, Pew Research

Digital Identity Guidelines, NIST

Data is the New Oil, Michael Palmer

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.