Data that can be used to identify a specific person is known as personally identifiable information (PII). PII includes information that someone can use to distinguish one person’s identity from another’s or that can be used to deanonymize anonymous data.
While there are numerous legal definitions of PII, consider it any data that can be used by itself or in combination with other data to identify, contact, or locate a specific person.
Given the global attention on individual privacy rights and on security breaches involving personal data, it is essential to understand how drastically the definitions and obligations differ from one jurisdiction to another. Understanding the general idea of PII also helps your company decide how to store, process, and manage PII properly using information security controls.
PII exists in a majority of countries and organizations:
United States: The Guide to Protecting the Confidentiality of Personally Identifiable Information from the National Institute of Standards and Technology (NIST) defines information that is “personally identifiable” as things such as a person’s name, social security number, or biometric records that can be used to distinguish or trace an individual’s identity.
European Union: Personal data is defined under Directive 95/46/EC as information that can be used to identify a person, like an ID number or attributes related to physical, physiological, mental, economic, cultural, or social identity.
Australia: The Information Privacy Principles (IPPs) are a set of privacy protections established by the Privacy Act of 1988. These principles govern how the Australian government and businesses may collect PII. The Act also stipulates that Australians have the right to know why personal data is gathered and who will have access to it.
New Zealand: The Privacy Act regulates how businesses collect, use, disclose, keep, and provide access to personal data. Under the Act's definition, PII is information about a living person who can be identified from it.
Canada: Organizations must seek an individual’s consent to collect, use, or disclose PII under the Personal Information Protection and Electronic Documents Act (PIPEDA).
It’s worth noting that these guidelines frequently provide generalities rather than specifics. Phrases such as “when necessary”, “appropriate”, “commensurate”, “properly”, “trusted”, and “consider” can all be interpreted in various ways. That highlights the need to carefully analyze the requirements that apply to your organization. Your approach to PII will be shaped by the industries you operate in, how the information is used, which vendors handle it, and where it is stored and processed.
WHO IS RESPONSIBLE FOR GUARDING PII?
From a legal standpoint, an organization’s obligation for securing PII might range from no responsibility to total responsibility. In most cases, the obligation is split between the entity that holds the PII and the individual who owns the data.
However, even where your organization is not legally responsible, most customers believe it is your responsibility to guard their personal data. This means that even if your company is not legally liable, you may still incur reputational harm. As a result, safeguarding PII is considered best practice as well as the most ethical choice.
Data breaches containing PII are becoming more common, resulting in billions of dollars in shareholder losses, millions of dollars in regulatory fines, and an increased risk of identity theft for those whose sensitive data was exposed. Individuals and companies are both at risk from data breaches:
- Individual harms: identity theft, humiliation, and blackmail
- Organizational harms: loss of public trust, legal responsibility, firm shutdown, diminished enterprise value, or remediation costs
Organizations must use cybersecurity risk assessments, third-party risk management, vendor risk management, and information risk management to ensure the confidentiality of PII. If public and sensitive information are protected with the same intensity, effort is wasted on data that is already public while truly sensitive data remains under-protected. Therefore, organizations must use a risk-based strategy to preserve the confidentiality, integrity, and availability (the CIA triad) of their own and their customers’ PII.
HOW TO MINIMIZE USE, COLLECTION, AND RETENTION OF PII
When companies use, collect, and maintain the least amount of PII possible, the risk of a data breach involving PII is lowered. Therefore, your company should limit its requests for PII to those that are absolutely necessary. It should also assess what personal information it has on hand on a regular basis to see if it is still relevant and essential.
Generally, you should:
- Examine current PII holdings to verify they are accurate, relevant, timely, and complete
- Reduce PII holdings to the bare minimum required to run the business
- Review PII holdings regularly
- Make a plan to eliminate any needless PII collection and use
HOW TO PROTECT PII
Not all information should be safeguarded in the same way. Organizations must implement protections proportionate to the confidentiality impact level they assign to each category of PII they hold.
Some PII does not need to be safeguarded at all. For example, assume your company runs a public phone directory in which plumbers choose to list their phone numbers. Because your organization is authorized to distribute that PII (the phone number) publicly, it does not need to be secured in this circumstance.
You should apply operational, privacy-specific, and cybersecurity measures to secure sensitive PII, such as:
- Rules and Procedures: Develop thorough procedures and regulations to preserve the confidentiality of PII
- Train Employees: Reduce the risk of illegal access, use, or disclosure of PII by requiring all workers to complete appropriate training before being given access to information technology containing PII
We understand that the world of PII and protecting it can be confusing given the varying definitions and open-to-interpretation wording, but that is no excuse. As an organization, you need to make protecting your customers a top priority. Unfortunately, there is no single right answer for every company. Protecting PII requires a series of measures, and what you do will differ depending on your industry, the kind of data you hold, the geographies you operate in, your risk tolerance, and your resources, among other considerations.