What to consider when classifying data as confidential at work?
What data is confidential?
This is a question I am asked regularly by clients, prospects and other inquisitive minds. The answer is not really a straightforward one, so I tend to respond with some advice and guidance to anyone who asks.
A key point is that data considered confidential in my business may not be considered confidential in yours, and vice versa. In the past I have worked with businesses that openly share salaries and pay scales between all staff, and also businesses that guard this information as if their lives depended on it. So is payroll data confidential?
The answer is that it depends on how you are authorised to use this information by the subject of the data.
To ensure that confidential data is not inadvertently shared, I offer the following steps as a guide for people who want to classify the data they are dealing with. This applies whether the data relates to a company or to an individual.
Three things to consider
Would I be happy to share this data with the world if it was about me?
Consider this: if that were your name and address you were jotting down or printing off, would you be happy to hand it to a mail marketing firm? If the phone number you just took from a customer were your personal mobile number, would you be happy to pass it on to a telemarketing firm to use? If the customer account details you printed off to analyse were your bank accounts, would you display them on your social media profiles?
The answer to these questions is pretty obvious, and if you start thinking of all the data as if it were your own you will become more aware of the value that this information has. A word of warning though: please remember this data is not yours, and if there are instances where you think “yeah, I'd share that”, always refer to point 3.
Would I be happy to pass this information to our most fierce competitor?
Some of the information we produce on a day-to-day basis contains no text at all, and no discernible personal data to speak of. So how do you know if this is confidential data? I’m talking about spreadsheets, implementation plans, growth plans, marketing material, designs and strategies etc.
When dealing with this information I suggest always asking yourself: would I pass this on to our most fierce competitor? Think about something as innocuous as a proof for a marketing leaflet. Would you send this unfinished proof to them, letting them know your next move in the marketplace so they can counter it or even beat you to market? What about sales strategies for the next year? How do you think these would be received by your counterparts at a competing business? What would you do with that information on your competition?
By asking yourself this second question about feeding the competition valuable information, you will re-assert how valuable the information you hold is to the operation of your business. If it's important enough not to share, it's important enough to treat as confidential.
Is the data I am working with covered by legislation?
Asking yourself the first two questions should in most cases offer a pragmatic, robust approach to assessing what is or is not confidential, though it is not a failsafe method of keeping on the right side of the legislation. If, after asking yourself the two questions above, you are still unsure whether the data should be deemed confidential, then treat it as confidential just in case.
Personal data is primarily the confidential information that is protected by legislation under the GDPR. This legislation is enforced by the Information Commissioner's Office. Their website has some fantastic resources to help people understand the legislation, including in-depth information on what personal data is, and some compliance toolkits too.
In short, my advice always boils down to this: be sensible, respect the data you are processing and, if in doubt, treat it as confidential.
If you have any questions about this article please get in touch with us.