
Personal information (PI) is any detail linked to an individual, even if it doesn’t identify them on its own. This includes PII as well as details like their first name, the state in which they live, their favorite color, gender, age range, and even their internet browsing data.
As you can see, not all PI necessarily gives away the person’s identity. PII, on the other hand, is information that can be linked to the owner, either by itself or combined with other details.
So, your first name is your personal information, but on its own, it’s not really an identifier in a large enough group. Unless you have a very unusual first name, there are bound to be other people with that name.
But what happens if we add your surname into the mix? Suddenly, the information becomes a bit more specific, even though it still might not identify you conclusively. Now, add your home address to this list, and that becomes personally identifiable information.
As you can see, PII can be made of PI, but not all personal data can definitively identify a person.
You might argue that since PII is information that can be combined with other details to reveal a person’s identity, all personal information is potentially PII. Here’s why that’s not true.
Laws like the GDPR and the CCPA are not prescriptive about how many pieces of PI must be combined to make it PII. It doesn’t matter whether it’s two pieces or more: as long as a “reasonable effort” (the GDPR’s wording is means “reasonably likely to be used”) could reveal the identity of the data subject from the information that was disclosed, that information counts as PII.
These laws take into account the likelihood of identifying someone with one or more pieces of PI. This can change with context. The smaller the group, the more likely it is for someone to be identified based on generic data.
It would take much more than “reasonable effort” to pinpoint someone’s identity based on the fact that they love green, have read Catcher in the Rye more than a dozen times, and are between 30 and 40 years old if the sample set is the population of a country. Even if you were to add in their gender, race, and religion, you still can’t find out who they are. As such, even though such information is PI, it doesn’t count as PII.
However, if the sample set was people in a department within a business, these details might be enough to identify them. As such, you must take context into account when determining what constitutes PII. That will tell you how well you must protect it.
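To make the “size of the group” point concrete, here is an added example (not part of the original article) that measures how many people share the same combination of generic attributes, the k-anonymity view of re-identification risk. The “country” is a constructed, seeded random population and the “department” is eight hypothetical staff records; none of it is real data.

```python
"""Re-identification risk of 'generic' attributes depends on the size of the
group they are checked against (a k-anonymity measurement).

Added example: the population and department data below are constructed,
not taken from any real dataset or from the article."""
import random
from collections import Counter

# Attributes that are PI on their own but may combine into PII (quasi-identifiers).
QUASI_IDENTIFIERS = ("favorite_color", "age_range", "gender")


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest group. k == 1 means at least one person is unique,
    i.e. the 'generic' attributes have become personally identifiable."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def matching_people(records, target, quasi_identifiers=QUASI_IDENTIFIERS):
    """How many records are indistinguishable from `target` on the
    quasi-identifiers alone (1 means `target` is pinned down exactly)."""
    key = tuple(target[q] for q in quasi_identifiers)
    return equivalence_classes(records, quasi_identifiers)[key]


def build_population(size, seed=7):
    """Constructed stand-in for 'the population of a country': attributes drawn
    uniformly at random with a fixed seed so runs are reproducible."""
    rng = random.Random(seed)
    colors = ["red", "green", "blue", "yellow", "black", "white", "purple"]
    ages = ["<20", "20-30", "30-40", "40-50", "50+"]
    genders = ["female", "male"]
    return [
        {"favorite_color": rng.choice(colors),
         "age_range": rng.choice(ages),
         "gender": rng.choice(genders)}
        for _ in range(size)
    ]


# Constructed 'department' of eight staff; names are hypothetical.
DEPARTMENT = [
    {"name": "Ana",   "favorite_color": "green",  "age_range": "30-40", "gender": "female"},
    {"name": "Ben",   "favorite_color": "blue",   "age_range": "20-30", "gender": "male"},
    {"name": "Chloe", "favorite_color": "green",  "age_range": "20-30", "gender": "female"},
    {"name": "Dev",   "favorite_color": "red",    "age_range": "30-40", "gender": "male"},
    {"name": "Eli",   "favorite_color": "black",  "age_range": "40-50", "gender": "male"},
    {"name": "Fay",   "favorite_color": "blue",   "age_range": "30-40", "gender": "female"},
    {"name": "Gus",   "favorite_color": "green",  "age_range": "30-40", "gender": "male"},
    {"name": "Hana",  "favorite_color": "yellow", "age_range": "50+",   "gender": "female"},
]

# The 'generic' profile from the text: loves green, between 30 and 40, plus gender.
TARGET = {"favorite_color": "green", "age_range": "30-40", "gender": "female"}


def demo():
    """Same attributes, two contexts: many matches in a country, one in a department."""
    country = build_population(5000)
    return {
        "country_matches": matching_people(country, TARGET),        # dozens: still PI
        "department_matches": matching_people(DEPARTMENT, TARGET),  # exactly one: PII
        "department_k": k_anonymity(DEPARTMENT),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Run it and the same favorite-color/age-range/gender triple matches dozens of people in the synthetic population but exactly one person in the department, so identical attributes are plain PI in the first context and PII in the second. The same check works for any set of quasi-identifiers before a dataset is shared or published: a minimum group size of 1 is the signal that “generic” columns have become identifying.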
As a business, you have a legal and ethical obligation to protect your consumers’ PII. If you don’t adequately protect their identity, they could face:
As a responsible business, you would want to protect your patrons from these consequences. If you don’t, there will be repercussions for you as well.
PII is protected under data privacy laws, and a business that fails to protect it can face civil penalties and fines. For example, the CCPA allows penalties of up to $2,500 per violation and up to $7,500 per intentional violation.
It’s important to note that “per violation” usually means “per consumer per incident.” In certain circumstances, each category of PII exposed per individual may even count as a separate violation.
Under the CCPA, if 1,000 people were affected, the penalty could be $2,500 times 1,000, or $2,500,000, or $7,500,000 for an intentional violation. If the situation warranted counting each category of PII exposed, and there were three categories, those amounts would be tripled. Other state privacy laws use a similar per-violation structure.
Similarly, the GDPR can fine a business up to €20 million or 4% of its global annual turnover, whichever is higher. These aren’t the only privacy laws: several US states and other countries have enacted or are drafting their own regulations, with hefty fines and penalties for non-compliance.
In addition to the fines imposed by the regulatory bodies, these regulations also allow the affected parties to take the business to court.
The CCPA, for example, gives consumers whose personal information has been exposed in a breach a private right of action if the business doesn’t cure the violation within 30 days of being notified. If they win, the business can be ordered to pay between $100 and $750 per consumer per incident, or the actual damages, whichever is greater.
The GDPR also allows affected consumers to sue a business for damages if it hasn’t adequately protected their information. One notable case was the group litigation that some 16,000 claimants brought against British Airways. These consumers were among the 420,000 customers and employees whose personal data was leaked. The airline had to pay £2,000 per claimant on top of the £20 million (reduced from a proposed £183 million) in fines.
As a business, you need some personal information from your customers. You might process it internally and use it to develop better offerings or identify other business opportunities. You might even sell or share it with partners to get additional context about your consumers and the market.
If you do a good job of preserving the privacy rights of your consumers, you will earn their trust. That means they’ll be more likely to share their personal information with you and promote you to the people in their lives.
Conversely, if you develop a reputation for failing to uphold the privacy rights of your consumers, they won’t want to share their personal information, and they’ll discourage others from sharing theirs with you.
Keeping your consumers’ PII safe requires more than just the willingness to do the right thing. To help guide you, we’ve created a PII compliance checklist. Following this will get you closer to keeping any PII held by your organization safer.
In order to effectively protect your sensitive information, you need to know where all your business data is located; how it’s stored, processed, and used; and to whom it’s sent. This will help you classify it as restricted, private, or public, which in turn determines the level of protection each class needs.
You also need to know what jurisdiction your data comes under. If your data subjects are in the European Union (EU), even as visitors, their data would be governed by the GDPR. If they’re residents of California, you might have to follow the CCPA guidelines.
An automated privacy data mapping tool could help you gain real-time visibility into your data at rest, data in motion, and data in use, allowing you to understand how data flows in your organization. This knowledge will help you determine what you need to protect, how you should do it, and the proper response if the data is exposed.
A PII policy is a part of your organization’s privacy policy. It focuses on the personally identifiable information of consumers, employees, partners, and other stakeholders, and how that is processed, used, shared, and safeguarded.
Your PII policy should elaborate on:
If you need help developing a PII policy for your business, you could look to the GDPR. The best-known and most stringent of the data privacy laws, the GDPR (which uses the term “personal data” rather than PII) sets out six processing principles in Article 5. It says that PII processing should be:
In general, your PII-handling practices should follow these principles.
Data is an important resource, but it resides in and moves through a vast web of connected networks. As such, it faces several threats to its integrity and confidentiality. While it’s important to have internal processes designed for privacy, you also need security measures to protect your data from external threat actors.
Some security measures protect your PII directly, like encryption and secure storage. Others, like endpoint management and multi-factor authentication, secure access to the devices and systems. Data subject access request (DSAR) and cookie consent management help you reduce the risk of unauthorized data sharing and misuse.
You could also invest in solutions for governance, risk, and compliance (GRC); data loss prevention (DLP); and security information and event management (SIEM).
Implementing identity and access management (IAM) can help you reduce instances where data is made available to those who don’t need to see it.
When your privacy policy and the practices behind it aren’t robust enough, consumers’ personal information can be exposed inadvertently. That kind of exposure may never show up as a data breach, but it is still a privacy failure. Private data should only be accessible to those who need it and are authorized to see it, and this applies to people within your organization as well as outsiders.
Just because your sales team needs the names and email addresses of consumers doesn’t mean your technical team should be able to access them too. Protecting consumer PII isn’t just keeping it safe from outsiders; you need a culture of privacy that keeps it just as safe from mishandling by people within your organization, whether intentional or unintentional.
IAM addresses this insider exposure by enforcing role-based access control: each role is granted access only to the PII its job actually requires, and everything else is denied by default. That is the principle of least privilege applied to personal data.
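As an added illustration of the role-based rule above (example code, not Osano’s platform or any product’s API), the following Python enforces a per-role list of PII fields on a constructed customer record. Role names, field names, and the record itself are hypothetical; the point is the fail-closed check and the audit trail.

```python
"""Least privilege for consumer PII: a role can read only the fields its job
needs, a request for anything else is refused in full, and every attempt is
logged. Added example with hypothetical roles, fields and data."""
from dataclasses import dataclass, field

# Entitlements: role -> PII fields that role legitimately needs.
# Any field not listed for a role is denied; an unknown role gets nothing.
FIELD_POLICY = {
    "sales":       frozenset({"name", "email"}),
    "support":     frozenset({"name", "email", "order_history"}),
    "finance":     frozenset({"name", "billing_address", "card_last4"}),
    "engineering": frozenset(),  # runs the platform; needs no consumer PII
}

# Constructed sample record (not real data).
CUSTOMER = {
    "customer_id": 1042,
    "name": "Jane Example",
    "email": "jane@example.com",
    "billing_address": "1 Example St, Springfield",
    "card_last4": "4242",
    "order_history": ["ORD-1", "ORD-2"],
}


class AccessDenied(PermissionError):
    """Raised when a role asks for PII outside its entitlement."""


@dataclass
class AuditLog:
    """Records every PII access attempt, allowed or denied, for later review."""
    entries: list = field(default_factory=list)

    def record(self, role, customer_id, requested, allowed):
        self.entries.append({
            "role": role,
            "customer_id": customer_id,
            "fields": sorted(requested),
            "allowed": allowed,
        })


def read_pii(record, role, requested, audit):
    """Return only the requested fields of `record`, and only if every one of
    them is permitted for `role`. Fails closed: one unpermitted field, or an
    unknown role, denies the whole request rather than silently trimming it."""
    requested = frozenset(requested)
    entitled = FIELD_POLICY.get(role, frozenset())
    over_reach = requested - entitled
    allowed = not over_reach
    audit.record(role, record["customer_id"], requested, allowed)
    if not allowed:
        raise AccessDenied(f"role {role!r} may not read {sorted(over_reach)}")
    return {name: record[name] for name in requested}


def demo():
    """Exercise the policy with the cases from the text: sales may see contact
    details, the technical team may not, and over-reach is refused."""
    audit = AuditLog()
    outcomes = {}
    attempts = [
        ("sales_contact", "sales", {"name", "email"}),
        ("engineering_email", "engineering", {"email"}),
        ("sales_card", "sales", {"name", "card_last4"}),
        ("unknown_role", "contractor", {"name"}),
    ]
    for label, role, wanted in attempts:
        try:
            outcomes[label] = read_pii(CUSTOMER, role, wanted, audit)
        except AccessDenied as exc:
            outcomes[label] = f"denied: {exc}"
    outcomes["audit_entries"] = len(audit.entries)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Two design choices matter here. The caller must name the fields it wants, and a request containing even one field outside the role’s entitlement is refused entirely rather than quietly trimmed, so an over-broad query surfaces as a denial that someone has to explain instead of a partial result nobody notices. And the audit log records denied attempts as well as allowed ones, because a pattern of refused reads from the engineering role is exactly the kind of signal the “culture of privacy” paragraph above is asking you to watch for.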
In the world of cybersecurity, mean time to detect (MTTD) and mean time to respond (MTTR) are important metrics. That’s because the quicker you detect an incident and respond to mitigate it, the more likely you are to keep it contained and minimize the damage.
This applies to data privacy as well.
If you can discover a PII breach early, you can take measures to plug the leak, so to speak. You can also inform the affected consumers about what’s been exposed, so they can take action on their end: if passwords have been stolen, users can be asked to change them; if financial information has leaked, they can freeze their credit.
The data requirements of your business can change over time. So can the regulations governing them. By assessing your PII policy regularly, you’ll identify any potential gaps that you might have missed or new laws that you need to comply with. Similarly, privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) can help you update your privacy and security measures.
As we mentioned earlier, your PII policy is part of the greater privacy policy, which is a compliance-focused, informational public-facing document. The policy lays out a set of guidelines and business practices your organization uses to keep your data private. It informs readers about:
Again, as with the PII policy, the privacy policy deals with the data of not just the consumers but also employees, partners, and other stakeholders. Keeping this policy updated can help communication with consumers, providing them with clear expectations of how their information will be treated.
A comprehensive privacy policy will help you lay the groundwork for a clear, updated PII policy.
With a privacy management solution like Osano, you can make compliance a part of your operations. Our platform helps you manage DSAR processes with ease, conduct PIA and DPIA quicker with customizable templates, and keeps you updated with any changes in the relevant privacy laws.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.