In this era of heightened data privacy, organizations, especially those in highly regulated industries, need to maintain a PII compliance checklist to protect private data in their possession.
What is PII compliance?
PII refers to personally identifiable information. Unlike other personal data, PII can be used to identify an individual uniquely. As its name suggests, PII compliance involves the standards organizations must maintain to fulfill PII regulations.
Since PII is at the center of PII compliance, it is essential to understand what constitutes PII. First, not all PII is created equal. PII can be split into sensitive and non-sensitive PII.
Understanding Sensitive and Non-sensitive PII Examples
Sensitive PII, such as someone’s full legal name, social security number, or driver’s license, can pinpoint an individual accurately. It also includes data that can be traced to an individual, like medical records, passports, credit cards, and bank account information.
With non-sensitive PII, a person’s identity can be inferred. Non-sensitive PII examples include a person’s information liable to be found in the public domain, like their birthday or business phone number.
Other examples of non-sensitive PII are email addresses, IP addresses, residential addresses, ethnicity, gender, and your mother’s maiden name.
However, non-sensitive PII can be combined with other relevant information to expose someone’s identity.
PII Compliance Standards
The pace and breadth of PII regulation is genuinely remarkable. Gartner reports that by 2025, as much as 65% of the global population will have their PII data covered by regulations.
One of the significant differences between PII and other sensitive private data like protected health information (PHI) is the broad array of regulations targeted at PII. On the other hand, HIPAA, which is a prime example of industry data protection standards, is exclusively regulated by PHI.
Data Privacy Regulations in the United States
Because of its sensitivity, many countries and government agencies protect PII data with legislation. One of the earliest data laws in the US was the Privacy Act of 1974. This law codified how federal agencies can collect, manage, and use personal information.
Apart from the Privacy Act of 1974, the US lacks an all-encompassing federal law that governs data privacy.
The Federal Trade Commission Act (FTC Act) allows the government agency to prevent deceptive trade with broad jurisdiction over commercial entities. However, it does have some role in enforcing privacy laws by imposing sanctions on companies for violating consumer data and failing to maintain appropriate data security measures.
Here are some of the other data privacy laws in the US:
- The Health Insurance Portability and Accounting Act (HIPAA)
- The Children’s Online Privacy Protection Act (COPPA)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- New York SHIELD Act
Data Privacy Regulations in Europe
While the GDPR emanates from Europe, it is the most far-reaching and toughest data privacy law today. The power of GDPR is that its penalty violations are high, and it is written in such a way that it applies to you even if you’re not in the EU.
PII Compliance Checklists to Follow
To adhere to the growing number of data privacy laws, companies need to maintain a list of the PII requirements they need to satisfy under various data regulations. Here are some points to consider when creating a PII compliance checklist
1. Identify PII and Determine Where It Is Stored
This is the first step in ensuring PII is adequately safeguarded. By locating and identifying its PII, an organization can determine whether the type and quantity of private data it collects are necessary or justified in the first place.
Once you accurately identify the PII that needs protection, the next step is establishing its storage location. The challenge here is magnitude – with mobile and cloud computing, data can be stored in multiple files, file formats, devices, and endpoints.
However, without the ability to maintain visibility into private data, sensitive PII is bound to fall through the cracks, resulting in inadvertent data leakage.
After the location has been established, it is necessary to assess the risk to the PII due to where it is stored. One of the ways to mitigate these risks is by implementing the principle of least privilege.
This grants only the minimal required access to the data needed to execute jobs. This is implemented with role-based access control measures that ensure access to data is only granted to required users.
In addition to its storage location, identifying the states or lifecycle phase (data at rest, in use, or data in motion) in which the data exists is paramount to auditing its security protocols.
2. Classify and Categorize PII
After discovering the presence of PII, the next stage is to create a system to classify it. This categorization requires a taxonomy system to organize the data into relevant types of PII.
Most often than not, the best way to classify data is to qualify them based on the most harm and damage done if it is compromised or illegally exposed.
The typical PII classification used are the following:
- Public: This is the broadest and least restrictive category because it primarily consists of non-sensitive data already in the public domain.
- Private: This is a notch higher than public data. Private data is more sensitive, and organizations require only their employees to view and process it.
- Restricted: Utmost discretion is required with restricted data because of the potential damage caused if it is leaked or falls into the wrong hands.
3. Creating compliance-based policies
This phase involves the policies you must create to ensure PII compliance is followed. Organizations also need this framework for governance and risk mitigation strategies. There are many issues regarding proper data governance, but there are straightforward ways to start.
One of these is to create a data map that enables DevSecOp engineers and infosec staff to track data flow through the organization. Most data privacy regulations have severe mandates concerning breach notification, so organizations must have reporting policies enacted.
Periodically conduct vulnerability assessments and penetration tests to identify and plug security holes.
Nevertheless, some of the best compliance can be created just by following GDPR practices:
- Data minimization to limit the use of personal information as much as possible.
- Limiting the use of personal data only to business practices whenever possible.
- PII data processing should also be transparent, timely, accurate, and lawful.
- Integrity and confidentiality are upheld while private data is stored no longer than necessary.
- Private data processing should be completed within a defined time.
4. Adopting Data Security Measures and Tools
PII security requires adopting security best practices and implementing the right tools. This includes endpoint security with encryption for data at rest, in motion, and in use.
Organizations must implement top-notch antivirus, intrusion detection, and other malware prevention software.
5. Robust Identity Access Management (IAM)
To ensure PII isn’t exposed to unauthorized access, companies need clearly defined roles implemented throughout the organization.
IAM enables organizations to create a hierarchy of roles and responsibilities to protect PII.
Vera Can Help With Your PII Compliance
Vera provides maximum data security that helps you protect and manage access to critical files containing sensitive PII.
Our competencies in data loss prevention (DLP), digital rights management (DRM), and information rights management (IRM) protect sensitive information through all phases of the data lifecycle.
To learn more about protecting and securing PII, read our e-book, the Definitive Guide to Protecting Sensitive Healthcare Data – Vera.