It’s no surprise that all organizations store Personally Identifiable Information (PII). However, its importance is increasing as well as its vulnerability.
The real challenge is to understand what we can do to protect it while complying with all regulations. If you are wondering how here’s what you need to know.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is the data that can be used to identify a specific individual.
This information includes name, email address, social security number, or phone number. It can also comprise IP addresses, login IDs, or digital images. However, there isn’t a common definition for PII as it can differ across organizations.
PII can be divided into linked/sensitive PII or linkable/non-sensitive information.
Linked/sensitive Personally Identifiable Information is any data that can be used to track an individual directly (passport information, social security number or bank details).
By its turn, Linkable/non-sensitive information can be found openly and can include a date of birth or gender. This means that it can be transmitted unencrypted. The problem with non-sensitive data is that it can be combined with sensitive data, thereby revealing a person’s identity.
Collecting PII: what should we know
Every time we visit a website, use social media, or use our mobile phone, a myriad of information is analyzed, processed, and shared.
In an article published by Wired, they examined Amazon to understand how it tracks its users. According to their privacy policy, “broadly, the information that Amazon collects about you comes from three sources. These are: the data you give it when you use Amazon (and its other services, such as reading Kindle books), the data it can collect automatically (information about your phone and your location), and, finally, information it gets from third parties (credit checks to find out if your account is fraudulent, for example)”.
This is just an example of how our data is obtained. But what if we don’t accept this? The truth is that there is very little that can be done.
Websites usually mention some steps to control the information they collect. Another option would be to make changes in the settings of the browser. Nevertheless, information will always flow.
Google and Personally Identifiable Information
Google is working on its Privacy Sandbox and is making it very clear that PII must be protected.
When using Google Analytics (GA) for example, users occasionally give information. This can be linked to a person’s identity. One common way of seeing it is at the end of a URL, when there is an e-mail address. If this is the case and Google detects it, the account will be closed, the data destroyed, and fines imposed.
Therefore, it is necessary to revise the way a website collects PII to guarantee it is not sent to GA.
How to protect PII?
The importance of PII is unquestionable. With the end of tracking cookies, companies are exploiting new ways to gather information about their audiences.
Due to it, first-party data is worthing its weight in gold. PII violations such as theft or sale pose serious threats to organizations and users. Thus, protecting it is mandatory.
As a user
When it comes to the user, it is important to assure them that there is security software to avoid virus and attacks.
Using a Virtual Private Network (VPN) to encrypt internet connections and keep online activity private is an option worth considering. It goes without saying that dubious e-mails mustn’t be opened.
One final piece of advice would be to look for HTTPS at the start of a website or a lock icon. Before sharing PII in a domain, verify if these secure elements are present.
As an organization
Numbers from the Identity Theft Resource Center (ITRC) showed an increase of 17 % in the amount of data breaches in 2021 compared to 2020.
It might sound difficult to protect PII, but there are a few steps that will facilitate the job. Understanding what PII is and how it is collected is the first stage.
After locating and discovering the data, it is time for classifying and minimizing its amount. In order to prevent sharing sensitive data, organizations must limit access to it.
Software and Artificial Intelligence tools play a major role in this field. Data Loss Prevention (DLP) is a valuable help guaranteeing sensitive data is protected. DLP software is ready to organize the data according to legislation, such as the General Data Protection Regulation (GDPR).
What if PII is accessed or shared by unauthorized entities? In this case, organizations should have a plan to recover and remediate the error immediately. For example, under GDPR, companies only have a maximum of 72 hours after data breaches to report them. As a result, the value of crisis management grows.
Personally Identifiable Information and GDPR
Around the globe, many governments and organizations are actively working towards privacy and security. The California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) are two examples of legislation that have come to light.
Aiming at protecting personal data, GDPR states that companies must be transparent about the information they collect and how it is processed. According to it, personal data is “any information that relates to an individual who can be directly or indirectly identified”.
But what is the difference between personal data and Personally Identifiable Information? GDPR is very clear about it: personal data includes all information, from sensitive to non-sensitive data. Furthermore, it defines all individual rights in terms of data use. On the other hand, PII is not a legal term. It may or may not include non-sensitive information, depending on the regulations of the organization.
According to GDPR, consumers must consent to being tracked (“opt-in” model of consent). However, a finding from Ebiquity mentioned on Digiday, showed that most websites trace users prior to their approval. Furthermore, “the report suggests that many of the biggest publishers are potentially violating their readers’ privacy and data protection rights by giving them a false notion of control”.
Due to its multitude of regulations, GDPR requires organizations to invest more time in analyzing the data. Encryption and anonymization of information are excellent practices. Not only will they benefit users but also the organizations themselves.
It’s time to take it personally
Protecting Personally Identifiable Information is crucial for privacy and security. With it, criminals can operate under someone else’s identity, causing multiple damages.
By better securing PII, corporations can also better interact with their consumers. The result: increasing confidence and transparency. In an era where information is priceless, we should pay attention to all the details. The lesson to learn is simple: prioritize security over all other aspects.
