With the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) leading the way for regulatory compliance regarding personal data and information privacy standards, it is important to understand that not all personal data or personal information is the same. Not only are there different types of personal data and information, but the requirements for collecting, storing, and securing this data can vary depending on how it is defined under regulations such as GDPR and CCPA.
One of the more commonly misinterpreted terms in this space is personally identifiable information (PII). Understanding what PII is and the types of information it consists of, as well as the different forms of protection it requires, can help you better understand data regulation requirements. This can help ensure that you’re properly protecting the correct data and avoiding the costly mistakes that can occur when attempting to maintain regulatory compliance.
What is PII?
Per the Privacy Act of 1974, PII is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” This is commonly confused with personal data, which the GDPR defines as any information “related to an identified or identifiable natural person.” The distinction between the two definitions might seem subtle, but fully understanding it is crucial. Not all data related to a person has the capacity to identify an individual, so only data from which a person’s identity can be derived falls under the umbrella of PII.
The CCPA uses the term personal information instead of personally identifiable information to refer to “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual.” In some cases, this can even include information shared on social media. Under these definitions, the CCPA’s personal information encompasses PII, while the GDPR’s personal data does not quite cover all types of information that may be considered PII. So, what is PII, and which types of information does it include?
What is PII: Types of Personally Identifiable Information
What Should My Organization Do to Protect PII?
The key to your organization protecting PII is recognizing what it is. With that understanding, you can look to identify it within your organization’s environment and continue with the following steps to protect it.
STEP NO. 1: IDENTIFY YOUR PERSONALLY IDENTIFIABLE INFORMATION
Before you can protect your personally identifiable information, you need to know which types of your data are PII. This can vary depending on factors such as which country you’re located or doing business in and which industry standards and regulations you’re subject to as a result. Once you have a firm understanding of what PII is, you can match it to the relevant data types in your possession.
STEP NO. 2: DISCOVER WHERE THIS INFORMATION IS STORED
As with the implementation of a data governance program or other technology, one of the first steps for how to protect personally identifiable information is to perform a data discovery, or mapping, exercise. This allows you to locate PII within your network and other environments and see where it travels throughout your organization. Once you have mapped the flow of data, you should know where your PII resides and how to isolate or segment those systems from the rest of your environment.
STEP NO. 3: MINIMIZE YOUR PII
This practice is not specific to protecting PII, but it’s just as effective with PII as it is with any other type of data. Data minimization is nothing new for security practitioners and with good reason—you don’t have to worry about protecting data you don’t process or store. Simply minimizing the amount of PII in your systems can be an easy and effective way to reduce the security controls and compliance scope of your data environment.
STEP NO. 4: MONITOR YOUR ACCOUNTS
Another effective method for protecting PII is the use of access control measures to limit access to the data to only those individuals within your organization whose roles require them to view or interact with it. This reduces the risk of data exposure by preventing unnecessary access to sensitive data. Only those with a business need to know should be authorized, and even then, that access should be restricted and monitored. Monitoring access also makes it easier to determine how a breach occurred if data does become exposed.
STEP NO. 5: SECURE YOUR DATA WITH TOKENIZATION VIA THE TOKENEX PLATFORM
One of the most effective solutions for how to protect personally identifiable information is tokenization. This security technology obfuscates data by exchanging the original sensitive information for a randomized, nonsensitive placeholder value known as a token. The token is irreversible and has no direct relationship to the original data, which is stored outside of the tokenized environment. Because tokenization removes the sensitive data and stores it off-site, it virtually eliminates the risk of data theft. Even if a breach were to occur, no sensitive data would be exposed—only the nonsensitive placeholder tokens.
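The five steps above form one procedure, so here is a single worked example that walks a constructed customer record through all of them: discovering which fields are PII (steps 1 and 2), dropping fields the business does not need (step 3), gating and logging every access to the original values (step 4), and replacing the PII that remains with random tokens held in a vault (step 5), which is also the mechanism that keeps the data usable for authorized purposes. This is an added illustration written for this page, not TokenEx code or the TokenEx API; the record layout, the detection patterns, the role names and the in-memory vault are all constructed assumptions.

```python
"""Toy end-to-end PII protection pipeline (added example; not TokenEx's platform)."""
import re
import secrets
from datetime import datetime, timezone

# --- Steps 1 & 2: identify and discover PII -------------------------------
# Illustrative patterns only; real discovery uses broader rules plus validation.
# Order matters: the more specific us_ssn pattern is checked before the looser phone one.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\+?\d[\d\s().-]{8,}\d$"),
}


def discover_pii(record):
    """Return {field_name: pii_type} for every string field that matches a PII pattern."""
    found = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for pii_type, pattern in PII_PATTERNS.items():
            if pattern.match(value.strip()):
                found[field] = pii_type
                break
    return found


# --- Step 3: minimize ------------------------------------------------------
def minimize(record, required_fields):
    """Keep only fields with a business need; PII you never store needs no protection."""
    return {k: v for k, v in record.items() if k in required_fields}


# --- Steps 4 & 5: tokenize, with need-to-know access and an audit trail ----
DETOKENIZE_ROLES = {"billing", "fraud_review"}  # constructed need-to-know list


class TokenVault:
    """Stand-in for the off-site vault: the only place the original value lives.

    Tokens are random (not hashes or encryption), so a token alone reveals nothing
    about the value it stands for; recovering the value requires the vault.
    """

    def __init__(self):
        self._store = {}  # token -> original value (assumed to live outside the app environment)
        self._audit = []  # every detokenization attempt, allowed or not

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token, principal, role):
        """Return the original value only for a role on the need-to-know list; log every attempt."""
        allowed = role in DETOKENIZE_ROLES
        self._audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": principal,
            "role": role,
            "token": token,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{principal} ({role}) is not authorized to detokenize")
        return self._store[token]

    def denied_attempts(self):
        """Denied detokenization attempts: the first thing to review when investigating exposure."""
        return [e for e in self._audit if not e["allowed"]]


def protect_record(record, required_fields, vault):
    """Minimize the record, then swap each remaining PII field for a vault token."""
    kept = minimize(record, required_fields)
    pii_fields = discover_pii(kept)
    return {k: (vault.tokenize(v) if k in pii_fields else v) for k, v in kept.items()}


if __name__ == "__main__":
    # Constructed sample record; no real person's data.
    customer = {"name": "Alice Example", "email": "alice@example.com",
                "ssn": "123-45-6789", "phone": "+1 555 010 0199", "plan": "gold"}
    vault = TokenVault()
    print("discovered:", discover_pii(customer))
    safe = protect_record(customer, {"email", "ssn", "plan"}, vault)
    print("stored in app environment:", safe)
    print("billing sees:", vault.detokenize(safe["ssn"], "carol", "billing"))
```

The application database ends up holding only `tok_...` placeholders and non-sensitive fields, which is what shrinks the compliance scope described above, while `detokenize` is the narrow, logged path through which an authorized role gets the real value back.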
Why Is the TokenEx Platform a Solution for My Organization?
Securing your data with tokenization helps your organization in more ways than one. Not only does it protect the data as mentioned in step five, but it also makes compliance with regulations like GDPR and CCPA much simpler. This is because although the data is no longer part of your organization’s environment, it is still accessible by your organization when needed. Tokenization offers security by removing PII from the scope of compliance obligations while maintaining the business utility of the data.
Now that you have an understanding of what PII is and how to protect it, you’ll want to find a provider that can meet your organization’s unique business needs and accommodate its technical processes. TokenEx can address your security and compliance concerns while providing the flexibility and simplicity required to preserve your existing operations and implement improved ones.