Check all computers, storage disks and other file storage devices to determine where your company keeps sensitive information. Preferably, you should have all information organized according to type and location. Remember to thoroughly search every place where personal information could be stored: file cabinets, desktops, laptops, portable hard drives, mobile phones and other related devices. Also, take note of information received through websites, business associates and other sources.
Determine what personal data reaches your business by speaking with different department representatives in your company as well as reaching out to external service providers. Make sure you have a concrete idea of the following:
- The source of personal information transmitted to your business. Where does your business get information? Is it from credit card companies, customers, contractors or other businesses?
- The process of receiving personal information. How do you receive information? Is it through email, post or fax? Do you receive it through websites?
- Type of information collected. What kind of personal information does your business receive or require from customers?
- Ways of storing the personal information your company receives. How is information stored? Where is it stored? Is it stored on employees’ laptops or home computers? Is it kept in filing cabinets? Is it transmitted to satellite offices?
- Individuals who have (or potentially have) access to the information. Which individuals in your company are authorized to access the information? Who else outside your company has access to it? Are contractors, suppliers or IT personnel able to get hold of that information?
Different kinds of information carry different risks. You should always stay aware of how personal information is being stored. Sensitive information such as credit card details and Social Security numbers is the most prone to abuse by fraudulent individuals.