January 28 marks Data Protection Day (or Data Privacy Day), an international effort to create awareness about the importance of respecting privacy, safeguarding data, and enabling trust. For companies entrusted with personal data, this day is the opportunity to take stock and ensure everyone’s data remains safe and does not get into the hands of unauthorized people.
Privacy legislation has changed wholesale across the world, accompanied by a huge shift in public awareness. One of the earliest data laws in the US was the Privacy Act of 1974. This law codified how federal agencies can collect, manage, and use personal information. With the introduction of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada in 2000, countries codified efforts to seriously tackle the privacy of information in our digital world. The EU introduced GDPR (General Data Protection Regulation) in 2016, which levied punitive damages for violations. In the US, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) moved the conversation further into addressing potential data breaches of Personally Identifiable Information (PII).
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.
PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
What is PII compliance?
As more of our world goes online, more of our data is subject to privacy legislation and compliance. PII compliance involves the standards organizations must maintain to fulfill PII regulations.
While a lot of data is in databases, the major risks lie in data held in reports and documents, or unstructured data. These files tend to move around from PCs to the cloud to mobile devices and are difficult to track. Becoming compliant means discovering, classifying, and protecting these files while limiting access to only authorized people.
1. Discover all PII
The first step to safeguarding PII is to find it. You can’t protect what you can’t find. By locating and identifying PII, you can determine what to do with it. Once you accurately identify the PII that needs protection, the next step is establishing its storage location. In most cases, you shouldn’t store PII on mobile devices, user PCs, or general cloud storage. It’s better to find a secure repository, but in many cases, that’s not convenient or practical.
You also have a problem with file derivatives and copies. Every time someone saves files as a PDF or runs a report and downloads data to a spreadsheet, you have another copy of sensitive data. This leads to the question of whether you should be keeping PII in the first place. Is it necessary for your business? Having it can inevitably lead to a data breach.
2. Classify PII
After discovering PII, you need to classify or label it. This organizes the data into relevant data types, which helps determine who should access it and how to protect it.
The easiest way to classify data is public versus non-public. This may seem oversimplified, but either the data should be available to anyone or it shouldn’t. If that is not granular enough, you can classify data by how much it will cost you if it is compromised or illegally exposed.
Below are standard classifications you can use:
- Public: This is the broadest category because it consists of data already in the public domain and is not sensitive.
- Confidential or Private: This is more sensitive, and organizations should allow only their employees to view and process it.
- Restricted: This is very sensitive data and could result in fines or litigation if it is leaked or gets into the wrong hands.
3. Protect PII
Once you organize your PII, you can protect it and ensure that only authorized people can access the data. This is critical for proper governance and risk mitigation strategies. The most effective protection is to encrypt the files and apply security policies that control who can access the data and what they can do with it.
A common protection approach is trying to track data flow through the organization. While that has value, trying to monitor where files go is time-consuming and ultimately not very important. The reason many do this is to limit access to file locations, whether in the cloud or in on-premise storage. Unfortunately, this is like playing whack-a-mole. Once you secure one location, another appears.
A better approach is to protect the files themselves and control them regardless of location. This allows the data to travel naturally from person to person in the course of business. Your data is always protected regardless of where it is and who is trying to access it.
To ensure PII isn’t exposed to unauthorized access, companies need clearly defined roles implemented throughout the organization. Once roles are identified, you can apply security policies to sensitive files that limit what a user can do once a file is opened. For example, someone in HR may have a legitimate reason to View and Edit a document with an employee’s PII, but that person’s manager should only be allowed to View it, or maybe not have access at all.
Access control and permissions should be dynamic to address changing roles in the organization. If the HR person changes departments and no longer needs access to PII, her access should change. A file she once opened should be inaccessible, regardless of where it is or even if she saved it to another format. This ensures no unauthorized people can access this sensitive data.
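The three steps above, sketched end to end as an added example (not Fasoo's code or any product's API): regex discovery of direct identifiers in unstructured text, classification into the Public / Confidential / Restricted labels, and a role check evaluated at open time so a role change takes effect immediately. The detector patterns, the identifier-to-label mapping, the role names and the policy table are all assumptions made for illustration, and file encryption is out of scope here.

```python
import re

# Constructed detectors for direct identifiers (illustrative US formats, assumed).
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b"),
}
# Assumed mapping from identifier type to the page's three labels.
LABEL_FOR = {"ssn": "Restricted", "email": "Confidential", "phone": "Confidential"}
RANK = {"Public": 0, "Confidential": 1, "Restricted": 2}
# Hypothetical policy: actions each role may take per label; anything absent is denied.
ALL = {"view", "edit"}
POLICY = {
    "hr": {"Public": ALL, "Confidential": ALL, "Restricted": ALL},
    "manager": {"Public": ALL, "Confidential": {"view"}, "Restricted": set()},
}

def discover(text):
    """Step 1: return {identifier_type: match_count} for identifiers found in text."""
    hits = {name: len(rx.findall(text)) for name, rx in DETECTORS.items()}
    return {name: n for name, n in hits.items() if n}

def classify(text):
    """Step 2: a file takes the most sensitive label among its identifiers."""
    labels = [LABEL_FOR[name] for name in discover(text)]
    return max(labels, key=RANK.get, default="Public")

def allowed(user_roles, user, label, action):
    """Step 3: decide at open time from the user's current role (default deny)."""
    role = user_roles.get(user)
    return action in POLICY.get(role, {}).get(label, set())

SAMPLE_DOCS = {  # constructed sample documents
    "newsletter.txt": "Office closes at 5pm on Friday.",
    "contacts.txt": "Reach Jane at jane.doe@example.com or 555-010-2000.",
    "payroll.txt": "Employee Jane Doe, SSN 123-45-6789, jane.doe@example.com",
}

if __name__ == "__main__":
    roles = {"alice": "hr", "bob": "manager"}  # hypothetical users
    for name, text in SAMPLE_DOCS.items():
        label = classify(text)
        print(name, label, "bob may view:", allowed(roles, "bob", label, "view"))
    roles["alice"] = "sales"  # alice leaves HR; no policy entry means no access
    print("alice may view payroll:", allowed(roles, "alice", "Restricted", "view"))
```

Because the decision is keyed on the file's label and the user's current role rather than on where the file sits, the same check applies to every copy of the file.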
Protection rather than Litigation
According to privacy regulations and data breach notification laws, if data gets into the wrong hands but the files are not in human-readable form, there is no breach. If a computer or person can’t read the sensitive data, you have not violated any laws.
Rather than focusing on location-based protections and monitoring where data travels, encrypt it and assign a dynamic security policy that protects PII regardless of where it is. This ensures if (or when) your data gets out, it won’t cause any harm to your organization.