The protection of personally identifiable information (PII) is important both for individuals, whose privacy may be compromised, and for businesses that may have their reputation ruined or be liable if PII is wrongly accessed, used, or shared.
Whether it is obtained through hacking, data leaks or data theft, PII acquired by an attacker can be combined with other pieces of information to form a more complete picture of you. On an individual level, this puts you at risk of identity theft, credit card fraud or other harm caused by the fraudulent use of your personal information.
On a business level, for companies that breach data privacy laws – like Cambridge Analytica’s harvesting of millions of Facebook profiles – the result is an erosion of trust. It can also impact your financial position, as heavy fines can be imposed for the illegal use and processing of personally identifiable information.
So what can you do to ensure PII compliance?
On an individual level:
- Don’t give your data away so easily. Although long, it’s worthwhile to read through privacy policies to make sure you know what you’re getting yourself into.
- Don’t just click ‘agree’ when faced with consent screens; consent screens are deeply flawed, because users nearly always opt in without reading and without being properly informed about what they are opting in to.
- Did you know you’re most likely being tracked from website to website? For example, Google can identify you across visits and websites. One thing you can do is disable third-party cookies by default. Businesses can also use privacy-friendly analytics that do not rely on such tracking.
- Use strong passwords.
- Be wary of public wifi – an attacker on the same network can intercept your PII or sensitive data. Use a VPN (virtual private network), which encrypts your traffic between your device and a server of your choosing, so that others on the local network cannot read it.
A PII compliance checklist for businesses/organisations:
- Identify where all PII exists and is stored – review and make sure this is in a safe environment.
- Identify laws that apply to you (GDPR, California privacy law, HIPAA) and follow your legal obligations.
- Create operational safeguards – policies and procedures for handling PII at an organisation level, and awareness training that focuses on the protection of PII.
- Encrypt databases and repositories where such info is kept.
- Create privacy-specific safeguards in the way your organisation collects, maintains, uses, and disseminates data so you protect the confidentiality of the data.
- Minimise the use, collection, and retention of PII – only collect and keep PII if it’s necessary for you to perform your legal business function.
- Conduct privacy impact assessments (PIA) to find and prevent privacy risks (identify what is to be collected and why, how the information will be secured, etc.).
- De-identify data within the scope of your data collection and analytics tools.
- Anonymise data.
- A more comprehensive guide for businesses can be found here: https://iapp.org/media/pdf/knowledge_center/NIST_Protecting_PII.pdf
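The minimisation, de-identification and anonymisation items in the checklist above are easier to reason about with a concrete pipeline. The following Python script is an added example and is not code from the article or from the NIST guide it links to: it takes a batch of customer records, replaces the e-mail address with a keyed pseudonym (HMAC-SHA256), generalises date of birth and postal code into coarser bands, drops every field the analytics job does not need, and then checks its own output for any direct identifier that survived. The sample records, the `PSEUDONYM_KEY` value and the field names are all constructed for this example.

```python
import hmac
import hashlib
import re
from datetime import date

# Constructed sample records; the people and values are invented for this example.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-12", "zip": "94110", "purchase_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.com",
     "dob": "2001-11-30", "zip": "10001", "purchase_total": 35.00},
    {"name": "Alice Example", "email": "Alice@Example.com",
     "dob": "1984-03-12", "zip": "94110", "purchase_total": 15.25},
]

# Placeholder secret. In practice load it from a secrets manager and keep it
# apart from the de-identified data set; whoever holds the key can re-link tokens.
PSEUDONYM_KEY = b"replace-with-secret-key"

# Fields the downstream analytics job actually needs (data minimisation).
ANALYTICS_FIELDS = ("purchase_total",)

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymise(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    The same input always yields the same token, so records about one person can
    still be grouped, but without the key the token cannot be recomputed from a
    guessed e-mail address, which a plain unkeyed SHA-256 would allow."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, today: date) -> str:
    """Generalise an exact date of birth into a ten-year age band."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def truncate_zip(zip_code: str) -> str:
    """Keep only the first three digits of a postal code (coarser location)."""
    digits = re.sub(r"\D", "", zip_code)
    return digits[:3] + "**" if len(digits) >= 3 else "*****"


def deidentify(record: dict, key: bytes, today: date) -> dict:
    """Build the analytics view of one record: a pseudonym, generalised
    quasi-identifiers, and only the fields the analysis needs."""
    out = {
        "user_ref": pseudonymise(record["email"], key),
        "age_band": age_band(record["dob"], today),
        "zip3": truncate_zip(record["zip"]),
    }
    for field in ANALYTICS_FIELDS:
        out[field] = record[field]
    return out


def leaks_direct_identifier(deidentified: dict, original: dict) -> bool:
    """Return True if a raw e-mail address or the person's name survived."""
    text = " ".join(str(v) for v in deidentified.values())
    if EMAIL_RE.search(text):
        return True
    return original["name"].lower() in text.lower()


def deidentify_all(records, key=PSEUDONYM_KEY, today=None):
    """De-identify a batch, refusing to emit any row that still carries PII."""
    today = today or date.today()
    out = []
    for rec in records:
        row = deidentify(rec, key, today)
        if leaks_direct_identifier(row, rec):
            raise ValueError("direct identifier leaked into de-identified output")
        out.append(row)
    return out


def demo(today: date = date(2024, 1, 1)):
    """Run the pipeline over the constructed sample with a fixed reference date."""
    return deidentify_all(SAMPLE_RECORDS, today=today)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two points in the design are worth noting. The pseudonym is keyed rather than a bare hash because e-mail addresses are guessable: an unkeyed hash of a known address can be recomputed by anyone, which re-identifies the row. And the age band and three-digit postal code are generalised precisely because date of birth plus full postal code are classic quasi-identifiers that re-identify people when combined, which is the same "combine pieces of information" risk the article opens with; whether ten-year bands and three digits are coarse enough depends on the size of your data set, so treat the granularity as a parameter of your privacy impact assessment rather than a fixed rule.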