People are increasingly concerned about how companies use and access their personal data. Data is collected every time we visit a website, log in to social media, or shop online, and different sets of that data are tracked and analyzed. One type that is tracked and analyzed is personally identifiable information (PII).
What Is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is data that can be used to identify a specific individual, either directly or in combination with other data. PII comes in many forms: social security numbers, mailing or email addresses, and phone numbers are among the most common. Though these are the conventional PII types, technology has widened the scope. It now includes digital images, login IDs, IP addresses, social media posts, biometric data, geolocation, behavioral data, and more. The use of such personal data raises the question of privacy, which brings us to GDPR.
What Is GDPR?
GDPR, which stands for General Data Protection Regulation (Regulation (EU) 2016/679), is the EU law that governs how personal data may be processed in order to protect privacy. It is widely regarded as the strictest data protection law in force; its 99 articles set out the rules for lawful use of personal data.
GDPR became applicable on 25 May 2018 and replaced the 1995 Data Protection Directive (95/46/EC).
What Is Non-PII?
Not every company intends to collect your personal data. Apart from personal information, there are many data points that serve a substantial purpose without identifying anyone. Such data points are non-PII.
In simpler terms, non-personally identifiable information (non-PII) is data that is anonymous: it cannot, on its own, be used to trace the identity of an individual. Aggregated statistics, or an IP address, device ID or cookie value considered in isolation, are often treated this way. Be careful with this category, though: GDPR explicitly names online identifiers such as IP addresses and cookie identifiers as personal data whenever they can be linked to a person, and the asset information category later in this article treats linked IP and MAC addresses as PII. The same identifier can therefore be non-PII in one data set and PII in another, depending on what it can be joined with.
Creating Data Privacy Framework
In light of recent high-profile company and consumer data leak incidents, data protection is becoming increasingly mandatory. Such breaches generally result in two types of damage.
- Damage to a company’s reputation
- Financial damage from the fallout
The consequences of such leaks can be devastating, forcing companies to pay for credit-monitoring services, settle lawsuits, or sometimes even pay ransoms to recover hijacked data.
Organizations must identify and prioritize the issues and have the business act on those priorities, so that the teams tasked with managing compliance obligations and risks are supported.
Organizations looking to create a data privacy framework should work through the following steps to manage and structure their data privacy program.
Choose a Framework
ISO 19600, published by the International Organization for Standardization, provides baseline guidance for compliance management programs. It offers broad guidance built on internationally agreed best practices and is flexible enough to adjust to each organization's maturity level, context, complexity, and the nature of its activities. Note that ISO 19600:2014 has since been withdrawn and replaced by ISO 37301:2021, a certifiable compliance management system standard; organizations choosing a framework today should work from the newer standard.
Set Priorities Straight
When building a data privacy framework, a common mistake is to jump straight into legal technicalities without seeing the bigger picture, which leads to the most important aspects of the business being neglected. The first step is understanding what the organization must comply with. This requires a thorough analysis of the business's obligations, the risks and implications of breaching those obligations, and the level of risk the company is willing to accept.
Once the obligations are understood, organizations need to plan with the mindset that a violation will occur. This requires analyzing multiple factors, including the type of data, its sensitivity, who can access it, the security processes in place, and how well previous data breaches, if any, were handled. This gives the organization a complete picture of its risks and of the impact of a data breach if one occurs, and it makes a frank discussion possible about the level of risk the organization is willing to take to conduct business.
Document Company Policies
Once the obligations and risks are understood, it is important to document the specific risk management policies, since not all risks are managed in the same way or to the same extent. A policy should give clear guidance on consent, access, and breach management.
Gain Business Owners’ Acknowledgement
If not the owners themselves, then top management needs to agree to and sign off on the data privacy analysis. This is a pivotal step: it secures resources for remediation efforts such as technology, personnel, and training, and it records the leadership's comfort level with the associated risks. It also sets the tone when leaders speak about privacy and visibly support the program.
A data privacy framework tends to fail when no team is responsible for the risk. Ownership is often shared between the legal, HR, IT, and compliance teams, because the framework needs all of their skills to succeed. Every company structures ownership differently, but it must be explicit.
Communication and training can be delivered in many forms, such as classroom sessions, e-learning, posters, and internal blogs. Whatever the form, organizations must ensure that all employees are competent for their individual job roles in a way that aligns with the compliance culture and policies of the organization.
Deploy the Program
Immediately after deployment, the data privacy framework must focus on the day-to-day tasks that carry the most risk. These are as follows.
- Impact Assessments
- Interactions with People
- Third-Party Transfers
- Breach Management
For this, organizations are advised to adopt systems and tools that support these processes efficiently and ensure the activities are documented.
To stay current with how the data privacy framework is performing, a monitoring plan must be drawn up. The monitoring plan sets out the following.
- What requires monitoring and why
- Methods of monitoring, analyzing, measuring, and evaluating
- When to monitor and measure
- When to analyze and evaluate monitoring and measurement results that are to be reported
The aim of the data privacy framework is to ensure efficient management and continuous improvement of the program. A formal, regular review is essential; it keeps the program up to date and ready for changes in law or business, and lets the organization track and assess those changes and understand their impact.
Safeguarding Personally Identifiable Information
The personally identifiable information that companies store is an open invitation to attackers, who can sell PII on the black market for a good price. Identity theft, social engineering attacks, and fraud can all be committed using personally identifiable information. Safeguarding individual and company PII is therefore of utmost importance. Failure to do so leaves an organization exposed to highly targeted criminal attacks, heavy fines, and the complete loss of customer trust and loyalty.
To safeguard and secure personally identifiable information, here are ten steps that organizations should follow.
- Identify the personally identifiable information the company stores
- Find all the places of personally identifiable information storage
- Classify personally identifiable information by sensitivity
- Delete old, unrequired personally identifiable information
- Establish a usage policy
- Encrypt personally identifiable information
- Eliminate permission errors
- Educate employees about personally identifiable information safeguarding
- Formulate a standard procedure for departing employees
- Enable employees to report suspicious behavior through set lines
PII can take many forms. Some examples of personally identifiable information are as follows.
- Name
Full Name, Mother's Maiden Name, Maiden Name, or Alias
- Personal Identification Numbers
Driver’s License Number, Taxpayer Identification Number, Passport Number, Patient Identification Number, or Credit Card Number
- Personal Address Information
Street Address, or Email Address
- Personal Telephone Numbers
- Personal Characteristics
Fingerprints, Photographic Images (of the face or any other identifying characteristics), or Handwriting
- Biometric Data
Voice Signatures, Retina Scans, or Facial Geometry
- Information Identifying Owned Property
Vehicle Identification Number (VIN) or Title Number
- Asset Information
Media Access Control (MAC), or Internet Protocol (IP) addresses that link to a particular person
The following examples, by themselves, do not constitute personally identifiable information, because more than one individual can share the same value. However, when linked to one of the identifiers above they become PII, and some of them (medical and financial information in particular) are then treated as sensitive data that attracts stricter handling rules.
- Place of Birth
- Geographical Indicators
- Business Telephone Number
- Business Mailing or Email Address
- Date of Birth
- Education Information
- Employment Information
- Medical Information
- Financial Information
Complying With GDPR
While it may sound overwhelming and arduous at first, here are five steps that make GDPR compliance manageable and lighten the burden on the organization a little.
In the first step, organizations must locate and gain access to all of their data sources. Regardless of the technology (traditional data warehouses, structured or unstructured stores, and so on), organizations are required to investigate and audit what personal data is stored and used across their data landscape.
Once an organization has access to each of its data sources, it needs to inspect the type of personal data present in each one. Personal data is often buried in semi-structured fields such as free-text notes or nested documents, which need to be parsed to extract, categorize, and catalog the personal data elements.
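The discovery, inventory and classification work described in this step (and in the "identify", "find" and "classify" steps of the PII safeguarding list above) is usually done with a scanner that walks each record and matches candidate values against patterns. The following is an added example written for this article, not code from the page or from any named product. It scans constructed sample records, including nested fields and free-text notes, and it validates candidates before reporting them so that an order number is not mistaken for a card number (Luhn check) and an impossible IP address or SSN is dropped. The pattern set, the sensitivity labels and the sample records are all assumptions for illustration.

```python
"""PII discovery over semi-structured records (added example, not from the article).

Walks nested dict/list records, matches string values against a small set of
PII patterns, validates the hits to reduce false positives, and produces a
masked inventory keyed by record id and field path.
"""
from __future__ import annotations
import re

# Pattern set and sensitivity labels are assumptions for this demo; extend
# them to match your own data and classification scheme.
PATTERNS = {
    "email":       (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "medium"),
    "us_phone":    (re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"), "medium"),
    "us_ssn":      (re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)"), "high"),
    "card_number": (re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"), "high"),
    "ipv4":        (re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"), "low"),
}

# Constructed sample records; the notes fields deliberately mix real-looking
# PII with values that only look like PII.
SAMPLE_RECORDS = [
    {"id": "r1", "customer": {"name": "Jane Doe", "contact": "jane.doe@example.com"},
     "notes": "Called from 555-123-4567; card on file 4111 1111 1111 1111, last login 10.0.0.7"},
    {"id": "r2", "customer": {"name": "John Roe"},
     "notes": "Order #1234567890123 shipped; ref 4111-1111-1111-1112; SSN given as 078-05-1120"},
    {"id": "r3", "tags": ["ip:256.1.1.1", "support ticket 2024"]},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for US SSNs: reject reserved area numbers and zero fields."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def walk(obj, path: str = ""):
    """Yield (field_path, string_value) for every string inside a nested record."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def scan_text(text: str) -> list[tuple[str, str, str]]:
    """Return (kind, normalized_value, sensitivity) for each validated hit in text."""
    hits = []
    for kind, (rx, sensitivity) in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "card_number":
                value = re.sub(r"\D", "", value)
                if not (13 <= len(value) <= 19 and luhn_ok(value)):
                    continue
            elif kind == "us_ssn" and not ssn_plausible(*m.groups()):
                continue
            elif kind == "ipv4" and not all(int(o) <= 255 for o in value.split(".")):
                continue
            hits.append((kind, value, sensitivity))
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters; the inventory itself must not become a PII dump."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def build_inventory(records: list[dict]) -> list[dict]:
    """Produce the data inventory: where each kind of PII lives and how sensitive it is."""
    inventory = []
    for rec in records:
        for path, text in walk(rec):
            for kind, value, sensitivity in scan_text(text):
                inventory.append({"record": rec.get("id", "?"), "field": path,
                                  "kind": kind, "sensitivity": sensitivity,
                                  "value": mask(value)})
    return inventory


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RECORDS):
        print(row)
```

Run against the sample records, the scanner reports Jane's email, phone, card number and login IP, and the SSN in the second record, while rejecting the 13-digit order number and the Luhn-invalid reference in record r2 and the out-of-range address in r3. Names are not matched, because a name has no reliable shape; in practice you catalog name fields by schema rather than by pattern. Note that the inventory stores masked values only, which is the kind of detail regulators and auditors look for when the "find all the places PII is stored" step is itself audited.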
For GDPR compliance, the documentation and sharing of privacy rules across all lines of business are required to ensure that personal data can only be accessed by those given the right to do so. To achieve this, roles and rights must be put in place in the form of a governance model.
Once a personal data inventory and a governance model are in place, a level of protection for the data must be set up. Three techniques that align with GDPR compliance may be used: encryption, pseudonymization, and anonymization. The distinction between the last two matters. Pseudonymized data (identifiers replaced by tokens that can be reversed with information held separately) is still personal data and remains in scope of GDPR; only data that is genuinely anonymized, so that the individual can no longer be identified by any reasonably likely means, falls outside it.
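To make the pseudonymization versus anonymization distinction concrete, here is an added example for this article (not code from the page or from any named tool). It pseudonymizes the direct identifiers of a constructed customer table with a keyed HMAC, then shows that the result is still re-identifiable through the remaining quasi-identifiers (date of birth plus ZIP code give a unique combination for every row), and contrasts that with generalizing those quasi-identifiers until every row shares its values with at least k others. The key, the field names and the sample rows are assumptions; encryption of the stored table is a separate storage control and is not shown, since the Python standard library has no AES.

```python
"""Pseudonymization vs anonymization on a constructed customer table (added example).

- pseudonymize(): direct identifiers -> keyed tokens. Joins still work, the key
  is the 'additional information' that must be kept separately, and the output
  is still personal data.
- anonymize(): quasi-identifiers generalized, direct identifiers dropped; the
  result is checked for k-anonymity and small groups are suppressed.
"""
from __future__ import annotations
import hashlib
import hmac
from collections import Counter

# Assumption: demo key only. In production the key lives in a KMS/HSM, is
# rotated, and is never stored beside the pseudonymized data.
SECRET_KEY = b"demo-key-rotate-me"

# Constructed sample rows.
SAMPLE_CUSTOMERS = [
    {"name": "Jane Doe", "email": "jane.doe@example.com", "dob": "1984-03-12", "zip": "94110", "plan": "gold"},
    {"name": "John Roe", "email": "john.roe@example.com", "dob": "1986-11-30", "zip": "94117", "plan": "gold"},
    {"name": "Ann Poe",  "email": "ann.poe@example.com",  "dob": "1991-07-04", "zip": "10001", "plan": "basic"},
    {"name": "Bob Loe",  "email": "bob.loe@example.com",  "dob": "1993-01-19", "zip": "10018", "plan": "basic"},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("dob", "zip")


def pseudonym(value: str, key: bytes = SECRET_KEY) -> str:
    """Keyed, deterministic token for a direct identifier.

    HMAC rather than a bare hash: an unkeyed SHA-256 of an email address is
    reversible by hashing a list of candidate addresses, a keyed one is not
    without the key. Input is case-folded so 'Jane.Doe@...' and 'jane.doe@...'
    map to the same token and joins keep working.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows: list[dict], key: bytes = SECRET_KEY) -> list[dict]:
    """Replace direct identifiers with tokens; every other field is left as-is."""
    out = []
    for r in rows:
        nr = dict(r)
        for f in DIRECT_IDENTIFIERS:
            nr[f] = pseudonym(nr[f], key)
        out.append(nr)
    return out


def k_anonymity(rows: list[dict], quasi: tuple[str, ...]) -> int:
    """Smallest group size over the quasi-identifier combination (1 means some row is unique)."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values()) if counts else 0


def anonymize(rows: list[dict]) -> list[dict]:
    """Drop direct identifiers and generalize quasi-identifiers (decade of birth, 3-digit ZIP)."""
    return [{"birth_decade": r["dob"][:3] + "0s",
             "zip3": r["zip"][:3] + "**",
             "plan": r["plan"]} for r in rows]


def suppress_small_groups(rows: list[dict], quasi: tuple[str, ...], k: int) -> list[dict]:
    """Remove rows whose quasi-identifier combination is shared by fewer than k rows."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return [r for r in rows if counts[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    ps = pseudonymize(SAMPLE_CUSTOMERS)
    print("pseudonymized k =", k_anonymity(ps, QUASI_IDENTIFIERS))        # 1: every row still unique
    an = anonymize(SAMPLE_CUSTOMERS)
    print("anonymized   k =", k_anonymity(an, ("birth_decade", "zip3")))  # 2
    print(suppress_small_groups(ps, QUASI_IDENTIFIERS, 2))                # []: nothing releasable
```

The pseudonymized table keeps full analytic value and supports joins across systems, which is why it is the usual choice for internal processing, but k = 1 shows that anyone holding a voter roll or similar list with birth dates and ZIP codes can re-identify every row; that is exactly why GDPR keeps it in scope. The anonymized table is the only one of the two that can be shared outside the regulation's reach, and only after you have confirmed the group sizes for your own data, not just for a four-row sample.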
The final step requires organizations to produce reports to distinctly show regulators that:
- The organization knows what personal data it has, and where it’s located
- The organization can efficiently manage the process of getting consent from involved users
- The organization can prove how personal data is used, by whom it is used, and why it is used
- The organization has appropriate processes in place to manage data breaches and other issues
Personally identifiable information is used by businesses, hospitals, schools, and many other organizations. It is data that can be used to locate, identify, or contact an individual and includes name, place of residence, date of birth, phone numbers, credit card details, criminal record, age, medical records, race, gender, and much more. It is essential for businesses to safeguard personally identifiable information on every front, with the help of careful planning and a data privacy framework.