As is the case for confidential information, the first step to protect the privacy of personal information collected from customers, employees, suppliers, and business partners is to identify what information the organization possesses, where it is stored, and who has access to it. It is then important to implement controls to protect that information because incidents involving the unauthorized disclosure of personal information, whether intentional or accidental, can be costly.