Personally Identifiable Information (PII) Compliance Checklist & Best Practices: Protect Yourself
Research from Gartner suggests that, by 2023, more than 60% of the world’s population will be covered by some form of personal data protection legislation. From GDPR to CalPRA, privacy regulations are on the rise.
These compliance regimes aim to protect a user’s rights to their data — which, in practice, means that businesses need to implement more effective approaches to security. Here’s what the current landscape of PII compliance looks like, and how businesses can take concrete steps to implement PII compliance best practices.
What is PII compliance?
PII stands for personally identifiable information, any data that can be used to identify a specific person. The most common forms of PII include things like Social Security numbers, email addresses, and phone numbers. PII can also refer to digital identifiers, such as biometric data, geolocation, user IDs, and an IP address.
PII compliance is a complex ecosystem. Unlike Protected Health Information (PHI), which is primarily governed by HIPAA, there is a network of regulations all over the world that aim to enforce PII compliance.
In the U.S., the National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information defines “personally identifiable” as information like name, Social Security number, and biometric records, which can be used to distinguish or trace an individual’s identity.
The EU relies on the General Data Protection Regulation (GDPR), which aims to protect consumer privacy by mandating companies to be transparent about the data they collect, regulate how companies process data and improve reporting of data breaches.
In Australia, the Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained—a much broader definition than in most other countries.
Clearly, protecting PII is a top priority for governments and consumers. How can your enterprise meet PII compliance standards?
PII data classification: sensitive PII and non-sensitive PII
First, it’s important to differentiate between sensitive PII and non-sensitive PII. This distinction helps you prioritize your security tools and processes to ensure you are meeting minimum PII compliance standards.
Sensitive PII refers to any information that has “legal, contractual, or ethical requirements for restricted disclosure,” according to Experian. This includes things like Social Security numbers, passport information, bank details or a credit card number, and medical records covered under HIPAA.
Non-sensitive PII is any information that can be found in the public record, such as in a phone book or in an online directory like LinkedIn. Non-sensitive PII includes things like date of birth, address, religion, ethnicity, or a business phone number.
PII compliance requires protecting both types of PII data. Sensitive data, for obvious reasons, should be encrypted due to the potential damage that could result if the information is compromised. Non-sensitive data is less of a risk; but, when combined with sensitive data, this PII can still be used to commit fraud or identity theft.
For this reason, it’s important to include both sensitive and non-sensitive data in your PII compliance measures.
PII compliance checklist
Because PII compliance regulations vary worldwide, you should check with an IT security expert or an attorney to find out if your security measures adhere to regulations. Nevertheless, taking these PII compliance steps will help you meet most minimum PII compliance requirements.
Step 1: Identify and classify PII
First, establish what PII your organization collects and where it is stored. Determine what definition of PII applies to your particular industry or location. For instance, if you are operating in California, you will need to use the PII definition in the CCPA.
Once you have a clear picture of the types of PII you will need to protect, find out where that data is stored. This includes gaining visibility into your data at rest, data in motion, and data in use. What security protocols are already in place to secure data in each of these phases?
Step 2: Create a PII policy
Next, create a PII policy that governs working with personal data. The GDPR offers six core principles for data processing. Even if you aren’t governed by the GDPR regulation, these principles offer a good foundation for building your own PII policy. These principles say that processing PII should:
- Be lawful, transparent, and fair
- Be for essential business purposes only
- Use as little personal information as possible
- Be accurate and timely
- Complete within a reasonable timeframe
- Guarantee integrity and confidentiality
Make sure your PII policy sets forth who can access PII, as well as the (limited) acceptable ways in which PII can be used for business purposes. This policy should provide the framework for implementing tools to reinforce user access.
Step 3: Implement data security tools
Securing PII takes a layered approach to security, which is detailed in the final section. Your data security tools should aim to reduce the risk of data leaks and unauthorized individuals accessing sensitive and non-sensitive PII. This includes using encryption, endpoint security, and cloud data loss protection.
Step 4: Practice IAM
Identity and access management (IAM) the practice of defining and managing user roles and access for individuals within an organization, ensuring that the right people have the right level of access to the right information. IAM requires creating and proactively managing role-based access controls. This practice ensures that only those who need to have it can access PII, lowering the risk of an insider threat or accidental leak.
[Read more: 5 Identity and Access Management Best Practices]
Step 5: Monitor + respond
Finally, part of your PII compliance checklist should include a business continuity and recovery plan. This plan outlines how to recover from a data leak and how to protect the business in the event of an attack.
Likewise, include a schedule and system for regularly monitoring your PII. “Most PII breaches happen without anyone noticing. It takes an average of 207 days for most companies to identify and repair a breach, which gives cyber criminals plenty of time to exploit the stolen data,” wrote the experts at XPlenty.
How to protect PII
Tools like Nightfall can take on the monitoring responsibility, automating some of the more time-consuming tasks of PII compliance. Nightfall is a cloud-native DLP platform that helps maintain data security. Nightfall specifically uses machine learning detectors that are capable of object character recognition (OCR) and natural language processing (NLP) to classify strings, files, and images that contain PII, PHI, and a wide variety of sensitive data. From there. we implement rules that let you monitor who has access to this data and control when to redact or remove it.
In addition to Nightfall, organizations should implement to following tools to achieve PII security compliance.
- Endpoint management: Endpoint protection is a broad category that includes everything from managing device firmware and monitoring hardware activity to providing on-device security in the form of antivirus protection.
- 2FA or MFA: 2FA and MFA are part of IAM, and can help verify that a user logging in is who they say they are.
- Encryption: Encryption is key for working with data in motion and data at rest (e.g., data that’s being transferred via email as well as any PII that’s being stored securely). Find an encryption tool that also allows you to decrypt data as needed.
- Storage: Secure storage could come in the form of an offsite server, encrypted hard drive, or any cloud storage system that uses cloud DLP software.
[Read more: DLP helps organizations stay compliant and protected]
Protecting PII isn’t just a matter of compliance; it’s good for building trust with your clients and customers. Learn more about PII compliance in their 2021 security guide.