
Security Think Tank: Find out what personal data your company holds

How should businesses go about setting up and maintaining a comprehensive and accurate inventory of personal data?

According to PwC’s Global state of information security survey report, keeping an accurate inventory of personal data is a key priority for UK organisations in 2016.

Asset registers are a key component of any ISO 27001-compliant information security management system (ISMS); without an accurate register you cannot be certain that your company is meeting its contractual or legal obligations.

Start by conducting a cross-company survey to identify what personal information your business holds, where that information is located and the sensitivity of that information.

Before any review is started, visit the website of the Information Commissioner’s Office (ICO) to ensure you are properly prepared. Try typing “What is personal data? A quick reference guide” into the ICO search field.

An excellent example template of a personal information asset register (p-iar) can be downloaded from the National Archives website.

When compiling a p-iar, remember that any particular asset must have exactly one owner and must be located in exactly one place. In some special cases, and only on the basis of a formal risk review and documented risk acceptance, one master source with a controlled distribution of copies may be acceptable (think replicating databases).

Local copies of data taken by staff (typically because a central application did not do quite what they wanted) need to be identified as part of the review and remedial action taken: either remove the copy or formalise it in the register.

Access to information assets must be controlled and logged. The asset owner must set out formally who (or what) can access any specific piece or set of data, what can be done to the data (create, delete, modify, move/copy, read, print), and determine its live lifetime and its archival lifetime.
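As an added illustration (this is not code from the article, and not the National Archives template), the following Python sketch encodes the register rules described above as checks: exactly one owner and one master location, copies only with a risk-acceptance reference, access rules drawn from the listed operations, live and archival lifetimes, a logged access decision, and a comparison of survey findings against the register to surface uncontrolled local copies. The asset names, owners, locations, the risk-acceptance reference and the survey results are constructed for the example.

```python
"""Added example: a minimal personal-information asset register (p-iar) that
enforces the rules set out in the article. All names, locations and references
below are constructed for illustration, not taken from any real register."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The operations an owner may grant, as listed in the article.
OPERATIONS = {"create", "delete", "modify", "move/copy", "read", "print"}


@dataclass
class AccessRule:
    principal: str   # who (a person or role) or what (a system) may access the asset
    operations: set  # subset of OPERATIONS


@dataclass
class Asset:
    name: str
    owner: str                # exactly one accountable owner
    master_location: str      # the single authoritative location
    sensitivity: str
    access_rules: list = field(default_factory=list)
    controlled_copies: list = field(default_factory=list)  # e.g. database replicas
    risk_acceptance_ref: Optional[str] = None  # mandatory when controlled_copies is non-empty
    live_days: Optional[int] = None            # live lifetime
    archive_days: Optional[int] = None         # archival lifetime after the live period


def validate_asset(asset: Asset) -> list:
    """Return the rule violations for one register entry (an empty list means valid)."""
    problems = []
    if not asset.owner.strip():
        problems.append("no owner")
    if not asset.master_location.strip():
        problems.append("no master location")
    if asset.controlled_copies and not asset.risk_acceptance_ref:
        problems.append("copies exist without a formal risk acceptance")
    if not asset.access_rules:
        problems.append("owner has not set out who may access the asset")
    for rule in asset.access_rules:
        bad = rule.operations - OPERATIONS
        if bad or not rule.principal.strip():
            problems.append(f"invalid access rule for {rule.principal!r}: {sorted(bad)}")
    if asset.live_days is None or asset.archive_days is None:
        problems.append("live and archival lifetimes not set")
    return problems


def check_access(asset: Asset, principal: str, operation: str, log: list) -> bool:
    """Decide a request against the owner's rules and log the outcome either way."""
    allowed = any(principal == r.principal and operation in r.operations
                  for r in asset.access_rules)
    log.append({"asset": asset.name, "principal": principal,
                "operation": operation, "result": "allowed" if allowed else "denied"})
    return allowed


def retention_state(asset: Asset, created: date, today: date) -> str:
    """Where a record sits in its lifecycle: live, archived, or due for disposal."""
    if asset.live_days is None or asset.archive_days is None:
        raise ValueError("lifetimes must be set before retention can be decided")
    live_until = created + timedelta(days=asset.live_days)
    archive_until = live_until + timedelta(days=asset.archive_days)
    if today < live_until:
        return "live"
    if today < archive_until:
        return "archived"
    return "dispose"


def uncontrolled_copies(register: list, survey: list) -> list:
    """Copies reported by the cross-company survey that the register does not sanction.
    Survey items are (asset_name, location) pairs from staff returns or discovery tooling."""
    sanctioned = {a.name: {a.master_location, *a.controlled_copies} for a in register}
    return [(name, loc) for name, loc in survey if loc not in sanctioned.get(name, set())]


# Constructed register entries for illustration.
HR_RECORDS = Asset(
    name="employee-records", owner="HR Director", master_location="hr-db-01",
    sensitivity="high",
    access_rules=[AccessRule("hr-administrator", {"create", "read", "modify"}),
                  AccessRule("payroll-system", {"read"})],
    controlled_copies=["hr-db-02"], risk_acceptance_ref="RA-2016-007",  # constructed reference
    live_days=365 * 2, archive_days=365 * 6)

MAIL_ARCHIVE = Asset(  # infrastructure components hold personal data too
    name="mail-archive", owner="IT Director", master_location="mail-archive-01",
    sensitivity="medium", controlled_copies=["nas-backup"])  # no risk acceptance, no rules

REGISTER = [HR_RECORDS, MAIL_ARCHIVE]

# Constructed survey results: one sanctioned replica and one spreadsheet on a laptop.
SURVEY = [("employee-records", "hr-db-02"),
          ("employee-records", "laptop-jsmith/export.xlsx")]

if __name__ == "__main__":
    for a in REGISTER:
        print(a.name, validate_asset(a) or "ok")
    print(uncontrolled_copies(REGISTER, SURVEY))
```

Run as a script it reports that the mail archive entry is incomplete (copies without a risk acceptance, no access rules, no lifetimes) and that the laptop spreadsheet is a copy the register does not sanction, which is exactly the kind of finding the review should turn into remedial action.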

In a large company the human resources (HR) director would typically be the owner of personal information, although in practice day-to-day decision-making would be formally devolved to another named person.

Remember that email servers and domain controllers also store personal information; the fact that they are part of the IT infrastructure does not exempt them from the personal information asset register.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
