The growing importance of understanding and protecting PII data
Organizations have been collecting personally identifiable information about people for as long as anyone can remember. Consumers and businesses have provided information to receive services, process orders, and conduct payments and rarely thought twice.
However, in the past decade, the amount of Personally Identifiable Information (PII) being collected and the number of organizations collecting it has significantly increased.
To conduct business today, organizations are collecting and storing consumer and vendor PII across various systems and departments.
Meanwhile, hackers, internet scams, and security breaches are becoming ever more prevalent in the news and people’s daily lives.
While individuals are often targeted, organizations are a much more desirable target for PII breaches. You may think that this doesn’t apply to your department, or that it’s someone else’s responsibility.
But as more data is being collected and used across the organization, the more it becomes every leader’s responsibility to understand PII and the regulations in place to protect it.
What is personally identifiable information?
While at times this answer is black and white, technology innovations have started to make this area a little less clear.
The National Institute of Standards and Technology (NIST) Guide to Protecting Confidentiality of Personally Identifiable Information defines PII as any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, and any information that is linked or linkable to an individual with additional information.
Examples of PII data:
- Name, maiden name, mother’s maiden name, alias
- Passport #, Social Security #, driver's license #, taxpayer identification #
- Address (personal or business)
- Email address
- Internet Protocol (IP) address or Media Access Control (MAC) address
- Telephone numbers
- Vehicle registration number, vehicle title number, or vehicle identification number
- Financial account numbers, credit card numbers
- Personal Health Information (PHI), patient identification number
- Biometric records – Personal characteristics, including a photographic image of faces or other distinguishing characteristics, x-rays, fingerprints, or other biometric image or template data (retina scan, voice signature, facial geometry)
Other information can also become personally identifiable information when combined with publicly available information used to identify an individual. This data is considered linked or linkable to one of the examples above.
When does non-PII become PII?
- Demographic data: Date of birth, place of birth, religion, weight
- Behavioral data: Activities, geographical indicators
- Professional data: Employment/educational information
- Financial information
Additionally, organizations may collect information about a data subject that’s not mentioned above. This is where that gray area appears.
What about usernames or social media handles? Are those considered PII? Are ‘likes’ and posts and lists of friends considered PII? Will information collected from IoT devices be treated as PII?
There are still many unknowns, and it’s wise to seek expert legal advice. It’s also worth mentioning that the various regulations across the globe define personally identifiable information and personal data differently.
Therefore, organizations have much to consider when it comes to classifying and protecting PII. This is where TrustArc solutions can help you!
Key PII data compliance responsibilities for businesses
Healthcare and financial services organizations are no strangers to responsibilities when it comes to protecting Personally Identifiable Information.
However, for many organizations and industries, laws and regulations governing PII have more recently come into play.
- General Data Protection Regulation (GDPR): Requires compliance for organizations processing data of EU residents.
- Personal Information Protection and Electronic Documents Act (PIPEDA): Requires consent for data collection, use, and disclosure in Canada.
- California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA): Grants California residents control over their personal data.
- Massachusetts General Law Chapter 93H: Sets minimum security standards for PII of Massachusetts residents.
The growing landscape of PII regulations
- Nevada SB220 Privacy Law
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Confidential Information Protection and Statistical Efficiency Act (CIPSEA)
While this list is not exhaustive, you get an idea of the number of laws and regulations businesses must comply with when handling PII.
Violations of these laws can result in civil or criminal penalties, skyrocketing fines, and loss of consumer trust, making PII data compliance a critical priority for businesses.
Consumers are rapidly becoming more wary of companies collecting their personal data. 2019 Pew Research Center research reveals that 81% of Americans feel as if they have very little or no control over the data companies collect.
Furthermore, 81% don’t think the potential benefits outweigh the risks of collecting their data, and 79% are somewhat or very concerned about how companies are using the data they collect.
These consumer attitudes about businesses are concerning. However, organizations can see this as an opportunity to improve relationships with customers and differentiate themselves from the competition.
You have a responsibility to help consumers understand why and how their PII data is being collected – and how to prevent it from being collected.
These tips can help you get started.
Proactive steps for protecting PII data
- Establish a clear purpose for data collection: Define a legitimate business reason for collecting PII.
- Minimize data collection: Only collect necessary PII.
- Implement regular data purging: Delete PII that is no longer needed.
- Develop data inventory maps: Track how and where PII is collected, used, and shared.
- Establish processes for auditing and updating data maps: Ensure data accuracy and compliance.
- Conduct Privacy Impact Assessments (PIAs): Identify and mitigate security risks.
- Be transparent and obtain consent: Clearly communicate data practices to consumers.
- Provide consistent employee training: Educate employees on PII protection policies.
- Implement data privacy management software: Gain visibility and control over your privacy program.
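The PII examples listed earlier and the minimization, purging and inventory-mapping steps above can be made concrete in code. The following is an added example, not TrustArc's software or a published tool: it tags fields of constructed sample records as direct or linkable identifiers (field names and regular expressions are assumptions chosen for illustration, not validated classifiers), builds a minimal system-to-field inventory map, keeps only fields with a documented purpose, and flags records that have passed a retention period.

```python
import re
from datetime import date, timedelta

# Constructed sample records, as if exported from three internal systems.
# Every value is a made-up placeholder; none refers to a real person.
SAMPLE_RECORDS = [
    {"system": "crm", "collected": date(2021, 3, 1),
     "fields": {"name": "Jane Example", "email": "jane@example.com",
                "phone": "555-0100", "notes": "Prefers email contact"}},
    {"system": "webserver", "collected": date(2024, 11, 2),
     "fields": {"client_ip": "203.0.113.7", "path": "/checkout"}},
    {"system": "hr", "collected": date(2019, 6, 15),
     "fields": {"name": "Juan Ejemplo", "tax_id": "123-45-6789",
                "dob": "1980-01-01"}},
]

# Assumed field-name conventions. Direct identifiers are PII on their own;
# linkable attributes become PII once combined with other data.
DIRECT_FIELD_NAMES = {"name", "email", "phone", "tax_id", "ssn", "passport"}
LINKABLE_FIELD_NAMES = {"dob", "client_ip", "zip", "employer"}

# Deliberately simple pattern detectors for values whose field name says
# nothing (e.g. free text). A production scanner would tune these for
# false positives and validate matches rather than trust the shape alone.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def classify_field(field_name, value):
    """Return the set of PII tags for one field, from its name and its value."""
    tags = set()
    if field_name in DIRECT_FIELD_NAMES:
        tags.add("direct")
    if field_name in LINKABLE_FIELD_NAMES:
        tags.add("linkable")
    if isinstance(value, str):
        for label, pattern in PATTERNS.items():
            if pattern.search(value):
                tags.add(label)
    return tags


def build_inventory(records):
    """Build a minimal data inventory map: system -> field -> PII tags.

    Fields that carry no PII tag are left out, so the map shows only where
    personal data actually lives.
    """
    inventory = {}
    for rec in records:
        per_system = inventory.setdefault(rec["system"], {})
        for field_name, value in rec["fields"].items():
            tags = classify_field(field_name, value)
            if tags:
                per_system.setdefault(field_name, set()).update(tags)
    return inventory


def minimize(record, allowed_fields):
    """Keep only the fields that have a documented collection purpose."""
    return {
        "system": record["system"],
        "collected": record["collected"],
        "fields": {k: v for k, v in record["fields"].items() if k in allowed_fields},
    }


def purge_expired(records, retention_days, today):
    """Return the records still inside the retention window.

    Anything collected before the cutoff is due for deletion; the caller
    would delete those rows from the source system, not just drop them here.
    """
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r["collected"] >= cutoff]


if __name__ == "__main__":
    for system, fields in build_inventory(SAMPLE_RECORDS).items():
        print(system, {name: sorted(tags) for name, tags in fields.items()})
    kept = purge_expired(SAMPLE_RECORDS, retention_days=3 * 365, today=date(2025, 1, 1))
    print("within retention:", [r["system"] for r in kept])
```

Run as a script, the inventory shows the CRM holding three direct identifiers while the `notes` field carries none, the web server log holding a linkable IP address, and HR holding a direct identifier whose value also matches the SSN-like pattern; with a three-year retention window measured from 2025-01-01, only the web server record survives the purge check.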
Beyond compliance: The business advantages of strong PII data management
Understanding the personal data your organization collects isn’t just a compliance exercise. You can leverage your data inventory to manage risk, respond to data subject access requests (DSAR), manage international data flows, and govern your privacy program.
This information helps improve processes and collaboration across the organization.
Data privacy is too important to operate in a silo.
Consumers are demanding less invasion of their personally identifiable information, and more transparency from organizations. Companies that are taking these demands seriously benefit from strong customer loyalty and repeat purchase opportunities.
Even more so, privacy officers can feel confident their organization is not at risk of penalties and fines.