BY Chet Metchalf | 14 July 2021
Understanding what personally identifiable information (PII) is and how to protect it is more important now than ever. With a global spotlight on the responsible handling of data and consequences for non-compliance at an all-time high, businesses are facing unprecedented pressure to get this information under control.
While definitions may vary slightly depending on the compliance laws and jurisdictions, PII is generally defined as any data that can be used to identify an individual. While this may seem straightforward enough, digitization efforts over the past decade have transformed the way businesses use consumer data. Not only is this information increasingly collected and stored, but it is used in a variety of new ways. For example, businesses today often leverage this data to enhance advertising efforts.
As PII compliance laws evolve and businesses continue to use personal information, understanding the risk that surrounds your data is critical, and regulators should prioritize and look for new ways to safeguard the sensitive information companies collect about their consumers.
Compliance laws were created around the world to address this collection of PII. However, not all PII is equally sensitive, and to understand how to protect it, it’s important to know exactly which types of information carry the most risk.
Sensitive PII – Sensitive PII pertains to legal information and holds the highest compliance risk. This can include consumers’ full names, Social Security numbers, mailing addresses, driver’s license numbers, credit card information and medical records, to name a few.
Non-sensitive PII – Non-sensitive PII is defined as any personal information that identifies, describes or is capable of being linked back to a particular consumer or household. This information identifies a person less directly than sensitive PII does, so it holds less risk on its own. Examples include race, zip code, gender, religion and place of birth.
Every business holds both sensitive and non-sensitive PII, and under most compliance laws, this all needs to be accounted for. To best understand how to approach PII compliance and discovery, we also need to understand which compliance laws apply to your organization and how each of these define PII.
While GDPR and CCPA (with the addition of the CPRA in 2023) are similar, the two are not the same. The CCPA acts as the genesis for state-mandated U.S. compliance laws, and although it does borrow principles from the GDPR, the law distinguishes itself as a heavily consumer-oriented law, giving rights and privileges to individuals. On the other hand, organizations dealing with health-related information will have little use in measuring PII against the above regulations and instead will need a thorough understanding of HIPAA.
However, it’s important to note these regulations only scratch the surface, and there exist many other compliance laws that organizations should familiarize themselves with — including CPRA, LGPD, PIPEDA, Australian Data Privacy, and the list goes on. No matter what compliance laws your company is subject to, you will need to start by identifying where the PII in your company resides. To learn more about what steps to take to effectively secure PII, check out our blog.
Luckily, data discovery tools exist to help you keep track of the various compliance laws that exist today and to help you account for both the sensitive and non-sensitive PII that your organization collects on consumers. Use Enterprise Recon to learn exactly what PII data your company has stored, how it is being used, and most importantly, how it is being protected.
If you are ready to start your data discovery journey, book a demo with a data expert today.