Types of PII
The CCPA uses the term personal information instead of personally identifiable information to refer to “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual.” In these definitions, the CCPA’s personal information encompasses PII, while the GDPR’s personal data does not quite cover all types of information that may be considered PII. So, what is PII and which types of information does it include?
How Can My Organization Improve PII Data Protection and Simplify PII Compliance?
The key to PII data protection for your organization is, first and foremost, recognizing what PII is. Once that is established, you can look to identify it within your organization’s environment and continue with the following PII compliance checklist to ensure your customers’ data is protected.
STEP NO. 1: IDENTIFY YOUR PERSONALLY IDENTIFIABLE INFORMATION
Before you can move forward with PII data security, you need to know which types of your data are PII. This can vary depending on factors such as what elements of data are included in a given data set and whether those elements could independently or collectively be used to potentially identify an individual. Things like the country you’re located or doing business in and what industry you are a part of can determine what PII security controls and standards you’re subject to as a result of any applicable regulations. Once you have a firm understanding of what PII is, you can match it to the relevant data types in your possession and move forward with your plan for PII security.
STEP NO. 2: DISCOVER WHERE THIS INFORMATION IS STORED
As with the implementation of a data governance program or other technology, one of the first steps for how to protect personally identifiable information is to perform a data discovery, or mapping, exercise. This allows you to locate PII within your network and other environments and see where it travels throughout your organization. Once you have mapped the flow of data, you should know where your PII resides and how to isolate or segment those systems from the rest of your environment
STEP NO. 3: MINIMIZE YOUR PII
This practice is not specific to PII protection, but it’s just as effective with PII as it is with any other type of data. Data minimization is nothing new for security practitioners and with good reason—you don’t have to worry about protecting data you don’t process or store. Simply minimizing the amount of PII in your systems can be an easy and effective way to reduce the security controls and compliance scope of your data environment.
STEP NO. 4: MONITOR YOUR ACCOUNTS
Another effective method for protecting PII is the use of access control measures to limit access to the data to only the specific individuals within your organization whose roles require them to view or interact with that data. This reduces the risk of data exposure by preventing unnecessary access to sensitive data. Only those with a business-need-to-know should be authorized, and even then, that access should be restricted and monitored. Monitoring access also makes it easier to determine how a breach occurred in the instance that data does become exposed.
STEP NO. 5: SECURE YOUR DATA WITH TOKENIZATION VIA THE TOKENEX PLATFORM
One of the most effective solutions for how to protect personally identifiable information is tokenization. This security technology obfuscates data by exchanging the original sensitive information for a randomized, nonsensitive placeholder value known as a token. The token is irreversible and has no direct relationship to the original data, which is stored outside of the tokenized environment. Because tokenization removes the sensitive data and stores it off-site, it virtually eliminates the risk of data theft. Even if breaches were to occur, no sensitive data would be exposed—only the nonsensitive placeholder tokens.