A review of key questions to ask and determine whether you are dealing with personally identifiable information (PII).
As a digital governance consultant focusing on policies, I interact regularly with digital marketing professionals and corporate counsels who appreciate the risk of data breach and recognize that someone within the organization should be thinking about privacy protection. Often there is a privacy officer involved in the discussion, but not always. Large multinationals tend to disseminate that accountability across the globe and smaller organizations don’t have enough work to hire a privacy specialist, so it becomes collateral duty for a security specialist or human resource individual.
All of these individuals struggle with answering the following questions surrounding personally identifiable information (PII):
- What is PII?
- At what point in the customer journey does PII surface?
- Who “owns” PII and how must it be stored?
There is no universal answer to these three questions, and the solution will differ depending on the industry in which you operate, the geographical area of your customer base, and your organization’s tolerance for security exposure. However, here are good starting points for the conversation:
1. What is PII?
A person’s first initial or first name and last name, plus one or more of the following:
- Unique citizen ID (for example, Social Security number in the U.S.A.)
- User name or email address
- Driver’s license or government-issued identification card number, such as a passport or national ID card
- Bank account, electronic identifier, routing code or credit card number
- Unique biometric data (fingerprint, retina or digital representation of biometric data)
- Medical or health insurance information
2. At what point in the customer journey does PII surface?
Because organizations have disparate systems, it is easy to collect a single piece of the above information, which standing alone doesn’t constitute PII. But when the information is aggregated in a database or surfaced to a user through their account information, it is PII. Therefore those tasked with PII protection within the organization and creating the customer contract, must consider all points at which data is collected, stored, and surfaced.
3. Who “owns” PII and how must it be stored?
Once you decide what information in the organization is PII, storage becomes a larger discussion in the context of regulations stating where you can store the data, how it must be managed, and especially by what means you are allowed to backup and dispose of PII. However, the key point to remember is that you do not “own” PII, as it belongs to your customer. You merely are using and storing it for a purpose. Therefore, looking at the data from a lifecycle perspective — ensuring there are proper digital policies and standards to support it throughout that process — is key.