Why is it important to understand personally identifiable information?
Organizations have been collecting information about people for as long as anyone can remember.
Consumers and businesses have provided information to receive services, process orders, and conduct payments and rarely thought twice.
However, in the past decade, the amount of Personally Identifiable Information (PII) being collected and the number of organizations collecting it has significantly increased.
To conduct business today, organizations are collecting and storing consumer and vendor PII across various systems and departments.
Meanwhile, hackers, internet scams, and security breaches are becoming ever more prevalent in the news and people’s daily lives.
While individuals are often targeted, organizations are a much more desirable target for PII breaches because they hold many records at once. You may think that this doesn’t apply to your department, or that it’s someone else’s responsibility.
But the more data is collected and used across the organization, the more it becomes every leader’s responsibility to understand PII and the regulations in place to protect it.
What is personally identifiable information?
While the answer is sometimes black and white, technological innovation has made the boundaries of this area a little less clear.
The National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information defines PII as any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, and any information that is linked or linkable to an individual when combined with additional information.
This data is considered to be PII:
- Name, maiden name, mother’s maiden name, alias
- Passport number, Social Security number, Driver’s License number, Taxpayer Identification number
- Address (personal or business)
- Email address
- Internet Protocol (IP) address or Media Access Control (MAC) address
- Telephone numbers
- Vehicle registration number, vehicle title number, or Vehicle Identification Number
- Financial Account Numbers, Credit Card Numbers
- Personal Health Information (PHI), Patient Identification Number
- Biometric Records – Personal characteristics, including a photographic image of faces or other distinguishing characteristics, x-rays, fingerprints, or other biometric image or template data (retina scan, voice signature, facial geometry)
Other information can also become personally identifiable information when it is combined with publicly available information to identify an individual. Such data is considered linked or linkable to one of the examples above.
Non-PII that can become PII:
- Date of Birth
- Place of Birth
- Religion
- Weight
- Activities
- Geographical Indicators
- Employment or Educational Information, such as where someone works, worked in the past, or where they attended school
- Financial Information
Additionally, organizations may collect information about a data subject that’s not mentioned above. This is where that gray area appears.
What about usernames or social media handles? Are those considered PII? Are ‘likes’ and posts and lists of friends considered PII? Will information collected from IoT devices be treated as PII?
There are still many unknowns, and it’s wise to seek expert legal advice. It’s also worth mentioning that the various regulations across the globe define personally identifiable information and personal data differently.
Therefore, organizations have much to consider when it comes to classifying and protecting PII.
What responsibilities do businesses have to protect PII?
Healthcare and financial services organizations are no strangers to responsibilities when it comes to protecting Personally Identifiable Information.
However, for many organizations and industries, laws and regulations governing PII have more recently come into play.
One of the most significant laws governing PII is the General Data Protection Regulation (GDPR). Although the GDPR is a European law, it requires any organization that collects information on European consumers to be in compliance.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to obtain an individual’s consent to collect, use or disclose PII.
In the United States, there are various state laws governing privacy and data security within specific industries. To date, California and Massachusetts have adopted the most stringent state data privacy laws in the country.
Since 2010, Massachusetts General Law Chapter 93H requires every business that licenses or owns personally identifiable information of Massachusetts residents to comply with the minimum security standards set forth in the regulation.
The California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA) place the decision to share or sell data in the hands of consumers, instead of the organization.
Businesses must provide California residents with access to their data, a way to decline data collection, and a way to have their personal information removed from the database.
Other U.S. laws governing personally identifiable information or personal data include:
- Nevada SB220 Privacy Law
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Confidential Information Protection and Statistical Efficiency Act (CIPSEA)
While this list is not exhaustive, it gives an idea of the number of laws and regulations businesses must comply with when handling PII.
Violations of these laws can result in civil or criminal penalties, skyrocketing fines, and loss of consumer trust.
Consumers are rapidly becoming more wary of companies collecting their personal data. A 2019 Pew Research Center survey reveals that 81% of Americans feel they have very little or no control over the data companies collect.
Furthermore, 81% don’t think the potential benefits outweigh the risks of collecting their data, and 79% are somewhat or very concerned about how companies are using the data they collect.
These consumer attitudes about businesses are concerning. However, organizations can see this as an opportunity to improve relationships with customers and differentiate themselves from the competition.
You have a responsibility to help consumers understand why and how their personal data is being collected – and how to prevent it from being collected.
These tips can help you get started.
Tips for protecting personally identifiable information:
- Have a clear reason for collecting PII
- Only collect what you need
- Purge what you don’t need regularly
- Create data inventory maps to identify how and where data is being collected, used, and shared
- Have a process in place for auditing and updating data inventory maps
- Conduct Privacy Impact Assessments (PIA) to determine the potential security risks for each type of PII
- Be transparent with consumers about PII you are collecting and using and obtain their consent
- Train employees consistently on the policies and procedures in place to protect PII
- Adopt software designed for data privacy management to gain a clear understanding of your privacy program and practices
Bonus business benefits
Understanding the personal data your organization collects isn’t just a compliance exercise. You can leverage your data inventory to manage risk, respond to data subject access requests (DSARs), manage international data flows, and govern your privacy program.
This information helps improve processes and collaboration across the organization.
Data privacy is too important to operate in a silo.
Consumers are demanding less intrusive handling of their personally identifiable information and more transparency from organizations. Companies that take these demands seriously benefit from strong customer loyalty and repeat purchase opportunities.
Moreover, privacy officers can feel confident their organization is not at risk of penalties and fines.