Data Protection: Personal Information Inventory

Data Inventory and Classification

• An organization must undertake an inventory of all personal information it collects, stores, uses, or discloses, including customer and employee data records.
• The inventory should identify the types, sources, and uses of personal information (PI).
• Data location and flow must be documented, including how, when, and with whom information is shared.
• Risks that could affect reputation or legal compliance must be identified.

Classifying Information

• Data should be classified according to its level of sensitivity after completing an inventory.
• The classification level defines the clearance of individuals who can access or handle data and the baseline level of protection required.
• Steps for classifying information include:
  • Completing an inventory of personal information
  • Classifying data based on level of sensitivity
  • Segregating highly sensitive data from less sensitive data
  • Instituting controls on access
• Classification levels include:
  • Confidential
  • Proprietary
  • Sensitive
  • Restricted
  • Public