What’s the best way to store sensitive data? And why is it important to store them securely in the first place?
In this post, we explain why you must be careful when handling sensitive data and explain how you can reduce risk beforehand.
Sensitive data under data privacy laws like the GDPR, generally refers to a special category of personal data that requires higher levels of security and discretion. This information typically includes things like:
Because this data can greatly affect the well-being of an individual, and can even be used to discriminate against a person, it’s of the utmost importance that they’re stored securely.
Processing this type of data also means a higher responsibility falls on you, the data controller.
For this reason, it’s often prudent to assess whether or not you truly need to process sensitive or special category data. This is where the principle of data minimization becomes very relevant: you should collect only the data you truly need for the fulfillment of your purpose – and at the minimum amount possible.
However, if you do need to collect and process sensitive or special category data, then make sure you’re able to provide the higher levels of security legally required.
This article is a part of our series on data protection. Read also:
There isn’t just one way to store sensitive data securely, but there are some basic security measures you should consider implementing.
The first thing you need to do, before you start collecting sensitive data, is to have a precise idea and understanding of your processing activities. This step is useful because it clarifies exactly how you’re going to use those data. That’s why it’s critical that you keep accurate records of your processing activities: you can go back to them whenever you need to.
After going through your records, you will know the amount of data you need to collect to fulfill your purposes, and how long you’ll need to store them. As mentioned above, particularly with sensitive data, it’s important to practice data minimalization.
Second, though it may sound clichéd, you should invest in your business’s security system and train your staff appropriately. Everyone involved in the process should know how to handle sensitive data: you don’t want a security breach because of somebody’s lack of knowledge or carelessness.
Another step you may want to take is to encrypt your data. Encrypted data is very difficult to decipher without the proper key. In this way, if a data breach were to happen, it would be difficult to understand what the data are about.
Moreover, it’s always best practice to keep your encrypted data and their encryption keys stored in different places.
You wouldn’t lock your house and then leave the key on the door, right? Well, this is the same principle: if you encrypt the sensitive data you’ve collected, but you store them in the same place as your keys, then encryption is useless.
One more thing you need to take care of, especially if you use external storage platforms like Google Drive or Dropbox, is to add extra layers of security to your files before uploading them. As experts often say, online storage platforms are just someone else’s computer and, though they’re generally safe, they’re also easier to access. That’s why it’s safer to take further security steps, particularly when your users’ sensitive data are involved.
With that said, always consider hiring a security expert, especially if performing large-scale processing of sensitive data. Also, note that this type of processing may come with additional requirements.
To recap, here are the basic steps to consider when storing sensitive data:
It goes without saying that you should implement these measures before you start collecting and processing sensitive data.
The stakes are high: if a data breach were to happen, and your users’ sensitive information to leak, this could cause damage to them as well as to you, as a business. You would lose credibility and reliability, and your reputation could be significantly compromised. Furthermore, many privacy laws allow users to bring suit or seek compensation for damages where their privacy rights have been violated.
Processing sensitive data? You may need reliable tools to ensure you’re doing everything by the rule.
Here’s how iubenda’s solutions can help:
Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.