What is Personally Identifiable Information?

But depending on your business, the list of personally identifiable information is nearly endless. Think about the school system. It has unique information about their students, like test scores or family status. Consider the DMV. It knows your address, vehicle identification information and whether or not you wear glasses. Online shopping sites process information on one’s buying habits, payment details, address and more.

As a business it’s important to think through all the categories of information you process to determine which could be traced back to an individual. Consider:

• Forms of someone’s name
• Identification numbers of any type
• Address information
• Asset details
• Telephone numbers and IP addresses
• Physical characteristics
• Details about property owned
• Important dates and work history
• Family history
• Who and what interests the person

Any information that falls into one of these categories could be used as-is or in combination to identify an individual.

There are three key steps businesses can take to protect PII: evaluate and document processes, educate workers and invest in technical tools.

• Processes. Creating processes helps businesses break down their actions into small, easy-to-examine steps. This makes it clear what type of information might be handled at any point in a workflow, highlighting areas of concern and helping to identify when precautions should be taken. As work is done on developing processes, it is important to document these, so they are transparent to everyone involved. The next step is to automate the processes so data handling efforts are moved from one step in the process to another with as little human intervention as possible. This reduces the chance of error and speeds up work.
• Education. While technology-related issues can certainly arise, it is equally possible that human error could put personally identifiable information at risk. From passwords being left out on desks, to software updates not happening as frequently as needed, to doors being inappropriately propped open, people put data at risk. It is imperative that businesses talk to everyone within their organization – not just the IT team – on a regular basis to keep awareness about PII and its safety top-of-mind. And don’t simply reinforce preventative measures; also talk about how critical it is to report possible breaches quickly.
• Investment. Of course, despite processes and people, the actual acts of storing and processing data will happen through technology. All industry-standard tools and techniques must be applied: encryption tools, firewalls, anti-virus systems, intrusion detection systems, etc.

After putting processes and mechanisms in place, it’s important for organizations to continuously demonstrate that these are being followed. This is where documentation becomes critical. If you implement a data handling policy, gather signed copies of the policy from employees stating they understand it. If a data removal request is originated, document the steps taken to rid your systems of this data. Whether you use old-fashioned paper files or modern ticketing systems to accomplish this, be sure to write down everything!