You need to know who has access to the personal data you have collected. Particularly with sensitive data, make sure that the group of people with access is only as large as necessary. For example, it is acceptable for several departments to have access to an internal customer database. The situation is different for application documents or employee data: here, access should be restricted.
As the person responsible, you must weigh how much protection the data needs, who has access to it, and to what extent. If you are unsure, consult the team or other specialist departments.
The basic rule is: as little data as necessary and as much protection as possible.