Personally Identifiable Information, often referred to simply as PII, is the name given to any form of data that can be employed to identify a particular individual.
Some of the most well-known examples of PII include telephone numbers, postal and email addresses, and national insurance numbers, but our increased use of technology has greatly expanded this list. Today, PII can also include login IDs, digital pictures, IP addresses and even posts on social media. Other forms of information fall into this category too, such as biometric, behavioural and geolocation data.
Because the definition of what comprises PII keeps expanding, those charged with data security and safeguarding privacy face increasingly demanding challenges. This is especially true in countries governed by rules and guidelines on how personal information is handled when shared, such as the General Data Protection Regulation (GDPR) enforced across member states of the European Union.
Legislation like the GDPR is designed to safeguard an individual’s personally identifiable information by granting them rights that dictate how organisations and institutions must handle their data. Companies that fail to protect private and personal information in line with these regulations can face heavy fines for non-compliance and for the exposure of sensitive data during a breach. These hefty costs can be as much as 4% of a business’s annual revenue. From informing individuals of third-party involvement to reporting data leaks within a 72-hour window, the responsibility to protect personal data and alert authorities to breaches lies with those controlling confidential information.
What does personally identifiable information mean under GDPR?
The definition of what counts as PII under GDPR is much broader than other personal data protection rules presently used around the world. Regardless of whether the information is public, professional or private, data that pertains to a specific individual is classed under the GDPR as personal information. This means that along with names, telephone numbers, addresses and financial details such as bank account numbers, any data that can identify a person can be classed as PII. This might include video footage caught on a CCTV camera, a customer loyalty record or even information that reveals an individual’s geographic location.
Companies that need to store or share client and customer PII must ensure they do so securely, and if an individual makes a request regarding data containing their personal information, enterprises are obliged to make certain they can grant access to it.
Businesses affected by data protection regulations must have a comprehensive understanding of what is considered personally identifiable information so they can assess what level of security it requires. On top of this, companies face the new challenge of identifying personal information that was not previously indexed or tracked, such as customer call recordings containing private data relating to a caller.
Understanding GDPR definitions
The GDPR outlines the various roles involved in handling personal data and assigns responsibilities and rules to each. The “data subject” is the person whose PII is collected. The organisation or institution collecting that information is the “data controller”. Any organisation that processes the collected data on behalf of the data controller is known as the “processor”.
It is the duty of the data controller and the processor to keep documented evidence of the nature of the data collected, for example whether it is PII, how it was collected, what it was used for and when it was destroyed.
User rights regarding Personally Identifiable Information
Before organisations can collect data, documented consent must be obtained from the people it relates to, or from their legally appointed guardian where necessary. The consent form must explicitly state what data is being collected, how it is used and for what purpose, along with the length of time for which it will be retained. At any point, data subjects can request that their PII be disposed of, provided they supply one of the regulation’s approved reasons.
The GDPR notes that people can also control other aspects of their personal information. On top of their right to request its destruction, data subjects can view what information on them is stored and insist any factual errors present are corrected. Individuals also have the right to export their personal information in order to review it or use it as they wish.
Whether it is customer account details or employee databases, it is vital that any company handling PII maintains total control of all stored information at all times. To remain compliant, personally identifiable information must be labelled correctly so that it can be stored securely but also remain easily accessible in order to answer user requests to retrieve or delete it.
Personal information and cybercrime
Cybercriminals use a wide range of strategies to obtain PII, from phishing emails that trick recipients into disclosing financial details to bogus sign-in pages used to harvest login credentials. Compromised email accounts can also be used as part of wider campaigns that send messages impersonating their owners, made more believable with PII that was not properly secured.
If hackers manage to penetrate a company’s network, they can access servers full of personal information, allowing them to alter, destroy or steal it and hold it to ransom. Such data leaks can incur massive fines when companies are found to be non-compliant with data protection regulations. If a breach occurs, organisations are obliged to report the incident within 72 hours, and if the exposed data was not protected with encryption, they must also inform the data subjects whose personal information has been leaked.
To help companies stay compliant with the many regulations and rules on protecting personally identifiable information, at Galaxkey we have designed a robust security platform. By encrypting confidential data whether it is at rest or in transit, our system offers powerful protection against unauthorised access by hackers. It can be employed across multiple devices to ensure that wherever and whenever you need to handle data, you know you are operating securely and safeguarding PII in line with the latest legislation.