Information is a raw material for running business operations. That is why it is important to think about the confidentiality, availability, and reliability of your information. The risk is that when confidential information leaks, it may also no longer be reliable and/or available. This can have consequences for your business operations.
Types of classifications of information

There are different types of classifications of information. Each company can use its own classification system. From a security point of view, classifications are distinguished on the basis of the impact of a data leak. Typically, the following classifications are distinguished:
- Secret information: sometimes information must be classified as 'secret'. This is the case with information where a company must comply with legal requirements and where a leak of this information could cause serious damage to the company.
- Confidential information: when the leak of this information leads to negative consequences for the company or when information can be related to a person.
- Internal information: when information is required for internal business operations. A leak does not lead to negative consequences.
- Public information: when information may be shared with the outside world.
Customer and personal data

A specific form of company information is customer and personal data. As an entrepreneur, you collect names, zip codes, dates of birth, telephone numbers, and email addresses of people and customers. Bank and credit card details are also often part of this list. How a company should deal with customer and personal data is laid down in the General Data Protection Regulation (GDPR). You can find the full text here. How you handle customer and personal data is not only a legal issue, but also a matter of trust. Apart from any fines from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), your company's reputation for reliability is damaged if your customer and personal data is stolen or published on the internet.
Tips for handling customer and personal data

The level of classification determines the degree to which the information needs to be secured. Appropriate measures can be taken per level. The measures for secret information are determined by the specific legal requirements that apply. Below are the measures you can take for confidential information. You can take the same measures for internal information, depending on the level of security required.
- Have employees give documents with confidential information a recognisable label, for example by putting the term 'confidential' on every page.
- Get permission from the owner of the information if their confidential information is to be shared with others.
- Make it possible for employees to send and store confidential information digitally. This includes encryption of email and the encrypted storage of information.
- Make employees aware that confidential information should not be automatically forwarded to non-personal email addresses or to external addresses unless authorised by the information owner.
- information in use
- information in motion (transit)
- information at rest