Data storage by private organisations has always been a pressing concern, but with recent updates to privacy laws worldwide, improper data handling has come under increasing scrutiny. Consumers and lawmakers alike want to ensure private data is stored safely and cannot be accessed by bad actors.
This is why PII compliance has come into the public eye as a major issue. If your business interacts with the personal information of your customers, you need to ensure you comply with the relevant legislation, or risk facing serious consequences.
In this article, we’ll break down what you need to know about PII compliance, including a simple 7-step checklist to ensure you’re taking all the necessary steps.
What does PII stand for?
PII stands for Personally Identifiable Information. It is defined by the United States Department of Labour as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
What is included in PII?
Exact definitions of what is included in PII vary based on different pieces of legislation. The following is a non-exhaustive list of pieces of data that may be considered PII:
- Name
- Signature
- Address
- Phone number
- Date of birth
- Driver’s licence
- Passport information
- Credit information
- Photographs
- IP address
- Biometric data
- Location information
- Email address
- Social security number
What is PII compliance?
PII compliance simply means that an entity’s handling of personally identifiable information complies with relevant regulations. Fundamentally, PII compliance boils down to collecting and storing personally identifying data in a secure way that won’t allow it to fall into the wrong hands.
Why is PII compliance important?
PII compliance is important for legal and ethical reasons. Running afoul of data protection regulations around the world presents the risk of major fines and other punitive measures. Additionally, a failure to protect sensitive data can have dramatic impacts on the lives of your customers, who can fall victim to identity theft and other crimes.
This represents a moral responsibility for your organisation, as well as an opportunity to protect your reputation. This is especially true with rising levels of cybercrime in the world. It’s more important than ever to have stringent protocols in place to protect your organisation and your customers.
Regulations around PII
Personal data protection legislation and regulations are of extreme significance for business owners. These pieces of legislation apply to all websites which operate in the relevant jurisdiction. That means your website should comply with the regulations of any country or area in which you are doing business.
You should therefore familiarise yourself with PII regulations in all countries from which your website attracts visitors. A great starting point is the relevant regulations in the European Union and in California. The European Union applies regulations known as the General Data Protection Regulation and the ePrivacy Directive. Meanwhile, California operates the California Consumer Privacy Act.
These regulations are of particular interest to website owners because they are some of the most stringent in the world, and encompass jurisdictions with large populations. If your site complies with these laws, you are on the right track for comprehensive PII compliance.
Other significant pieces of legislation with regard to PII are:
- Lei Geral de Proteção de Dados (LGPD) – Brazil
- Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
- Protection of Personal Information Act (POPIA) – South Africa
- Privacy Act – Australia
- Personal Data Protection Act – Singapore
On top of government legislation and regulations, other data protection standards exist and are relevant for PII compliance. Industry data standards are also in place in a range of areas. While these standards are typically not legally enforceable, it’s almost always in the interests of your organisation to operate within them.
Arguably the most notable example of an industry data standard is the Payment Card Industry Data Security Standard (PCI DSS). It was put in place by the world’s major card networks including Visa and MasterCard, and relates to the handling of credit card information. It has informed legislation around the world, and businesses that fail to meet its standards are subject to punishment from card networks.
Data subject access requests
A critical facet of data security regulations like GDPR and CCPA is data subject access requests (DSARs). This means that individuals have the right to find out what data is being collected about them, and for it to be corrected or deleted.
To position yourself to respond to a DSAR, you need to have an organised approach to collecting data so you can promptly take the necessary actions. You should respond to a DSAR as quickly as possible and aim to fulfil the request as best you can. Make sure you verify a subject’s identity before proceeding, and establish transparent communication with the individual throughout the process.
Sensitive vs non-sensitive PII
Sensitive PII is data that can directly reveal someone’s identity, such as a driver’s licence or passport. Non-sensitive PII includes information that is accessible in public records, including names, birthdays and addresses.
This distinction is important to understand before beginning a PII compliance checklist. Understanding the differences between these categories is crucial when it comes to classifying different forms of PII.
Sensitive PII must be kept encrypted for maximum security. You still need to take steps to safeguard non-sensitive PII, but regulations around its management are looser.
PII compliance checklist
With this background knowledge in hand, you’re ready to begin your PII checklist. Follow these steps to establish a process for long-term compliance with data regulation standards.
1. Discover and categorise PII
In order to understand your responsibilities with regard to PII compliance, you must understand what PII your website is accumulating. Investigate all forms of data collection and storage your business is partaking in, from digital files to hand-written notes.
One way your site is likely to be accumulating PII is in the form of cookies. Conduct a cookie audit alongside this checklist to uncover any cookies your site is using and properly secure the information they gather.
Next, you need to categorise your PII into sensitive and non-sensitive data. This will inform future steps in this checklist.
Rather than manually trawling through servers and hard drives, consider obtaining assistance from automated tool sets. For example, DataTrue helps ensure that your data collection procedures are accurate and secure with cookie policy audits.
2. Create a PII policy
Once you have accumulated the PII that is relevant to your business, you must develop a policy to establish how you will manage it. Your policy should align with the data processing principles as laid out in the GDPR. Fundamentally, these principles mean that data processing should be lawful, transparent, only done where necessary, accurate and confidential.
Your PII policy should include the following elements:
- Guidelines for what customer data needs to be collected, how it will be collected, and why.
- Guidelines for how customer data will be stored and secured.
- An acceptable data usage policy that outlines which organisations and individuals have a legitimate reason to access customer PII.
- The creation of records of all instances of access and modification of customer data.
- A data breach response plan.
- Workflows showing the management of data throughout the business and third parties.
You can share your PII policy with your users, or incorporate it into your general privacy policy.
3. Secure PII
Next, you need to begin the process of securing PII. Create appropriate data security measures for various levels of data in line with your PII policy. Some steps which may be appropriate for your business to take when it comes to classifying PII include:
- Store your customer data on secure first-party servers.
- Conduct an audit of any data which is being stored on third-party servers. Consider if this is a necessary or safe practice.
- Strongly reconsider the need to keep physical records of PII.
- Implement additional security measures for sensitive PII such as encryption.
4. Implement large-scale data security
By now, you’ve established and implemented security measures for the management of PII data. However, your work is far from over. You now need to work on comprehensive plans for the overall data security of your business.
A single failure in the data security of your organisation can have extremely wide-ranging consequences. For that reason, you must have a comprehensive strategy in place to maintain consistent levels of security throughout your enterprise.
Important steps for your organisation’s cyber security include:
- Encryption
- Multi-factor authentication
- Tag auditing and data loss prevention
- Password requirements
- Staff training on handling sensitive data
- Malware protection
- Data security tools
5. Identity and access management (IAM)
Identity and access management refers to systems used to ensure that tools and information within an organisation are accessible to appropriate users. A comprehensive IAM system is essential for data security within an organisation.
PII, especially sensitive PII, should be accessible to as few staff members as possible throughout an organisation. This mitigates the risk of data leakage.
Best practices for IAM include multi-factor authentication, zero-trust framework identification and the implementation of detailed guidelines which all staff members understand.
6. Report data breaches
A key component of PII regulations around the globe is procedures for reporting data breaches. For example, the GDPR lays out that personal data breaches must be reported to supervisory authorities within 72 hours of webmasters becoming aware of them.
Reports to supervisory authorities should include the following elements:
- The nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The name and contact information of the data protection officer.
- The likely consequences of the personal data breach.
- The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The GDPR also calls for documentation of personal data breaches, and for similar steps to be taken to notify individuals who have been subject to data breaches.
7. Craft a long-term strategy
When you have finished the process of becoming PII compliant, you must create long-term procedures to maintain your compliance. This means you will not need to reiterate this checklist over and over again, saving you time and effort.
Your long-term PII compliance strategy should include the following elements:
- Schedule frequent data audits.
- Stay abreast of developments in data protection regulation.
- Rigorously review your security protocols and privacy policies.
- Appoint a data protection officer to spearhead your PII compliance into the future.
- Implement a set of data security tools.
- Create a response plan for data subject access requests.
DataTrue can be instrumental in your organisation’s long-term PII compliance. Its comprehensive toolset includes sensitive data leak alerts and cookie policy audits, which help to ensure your practices are compliant with major regulations.
Book a demo with DataTrue today to find out how it can help your organisation manage data more effectively.