7 Steps to Protect PII and Achieve Compliance in Your Company

Posted on July 23, 2020 - by Laird Wilton - in Building Your InfoSec Program

7 Steps to PII Compliance at Your Company

Is your company taking adequate steps to protect your employees’ and customers’ personally identifiable information (PII)? If not, you need to be.

Enterprise businesses are pressuring their vendors on security measures, seeking to prevent a breach and protect the customer information those vendors store or process. Companies that suffer a breach learn that remediation and noncompliance fines are costly, and that notifying customers about a breach is a big hit to the company’s reputation. Data breaches are one of the biggest causes of identity theft in 2020, harming many individuals whose information was stolen in a breach.

However, businesses that take action to protect PII can avoid a costly breach, while also winning new deals with security-conscious enterprises.  

How to Protect PII in 7 Steps

Personally Identifiable Information is any type of information from which a specific individual may be identified. That includes things like names, Social Security numbers, passport numbers, or physical addresses. It also includes less obvious things like email addresses and phone numbers. To protect PII:

1. Identify What PII You Collect and Where It Is Stored

Begin by performing an inventory of what PII you’re collecting and where it’s being stored: every database, file share, SaaS application, backup, and log that holds it. For each item, ask whether you actually need to collect it and whether the place it is stored has adequate security measures.

2. Identify What Compliance Regulations You Must Follow

Depending on your industry, you may be subject to legal compliance requirements. These are laws that govern how you collect, handle, store, and transmit certain types of sensitive information. Which ones apply often depends on where your customers are located and who they are, not only on your industry or where your business is located. The most common compliance mandates include:

3. Perform a PII Risk Assessment

A risk assessment will help you identify possible vulnerabilities or weak points in your security strategy before criminals do. You should identify:

  • What PII is regulated and what actions you’re taking to ensure compliance.
  • What unregulated PII poses risks to reputation, competition, security, etc.
  • Possible sources of threats from most to least likely.
  • Possible risk management strategies, including control procedures and safeguards that you can implement.

4. Securely Delete PII That’s Not Necessary to Business

Are you holding onto PII that you no longer need? While you might think it’s best to hoard as much data as you can, PII can be a security risk when it hangs around forgotten. Comb through your organization and identify information that can be deleted. This includes:

  • Customers who have moved away, died, or ended the relationship.
  • Records of employees who left the company more than a year ago (subject to any legal retention period that applies to employment records).
  • PII located on disused devices or in abandoned accounts.
  • Instances where individuals have requested that you delete their information.

PII accumulates over time, so “cleaning house” can reduce your storage costs as well as your risk.

5. Classify PII by Confidentiality and Privacy Impacts

Not all PII is of the same level of sensitivity. For example, email lists must still be protected, but they have a much lower level of confidentiality than customer records containing Social Security or credit card numbers. By classifying data according to its confidentiality and the impact on the individual if it is compromised, you can gain a sense of what your security program needs and where to concentrate the strongest controls.
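Steps 1 and 5 both come down to finding PII in the places you store it and ranking what you find. The following script is an added example, not code from the original post or from Securicy: it scans a set of constructed sample records from two hypothetical data stores, detects US-format Social Security numbers, payment card numbers, email addresses and North American phone numbers with regular expressions, and assigns each record the highest sensitivity level of anything found in it. The store names, field names, records and the two-level sensitivity scheme are all assumptions made for the example. To cut false positives, card candidates must pass the Luhn check digit and SSN candidates must satisfy the Social Security Administration’s structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000).

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data for this example: two hypothetical data stores with
# made-up records. None of these values belong to a real person.
SAMPLE_STORES: Dict[str, List[dict]] = {
    "crm.customers": [
        {"name": "A. Example", "email": "a.example@example.com",
         "ssn": "123-45-6789", "notes": "Paid by card 4111 1111 1111 1111"},
        {"name": "B. Example", "email": "b@example.org", "phone": "(555) 010-2233"},
    ],
    "marketing.newsletter": [
        {"email": "c@example.net"},
        # Looks like an SSN but fails the SSA structural rules (area 000).
        {"email": "not-an-address", "notes": "ticket 000-12-3456 closed"},
    ],
}

# Detection patterns. These are deliberately simple and US-centric; a real
# inventory would add national ID, passport and address formats as needed.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),      # 13-19 digits, optional separators
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}

# Assumed two-level scheme: identifiers that enable fraud are "high",
# contact details are "low". Adjust to your own classification policy.
SENSITIVITY = {"ssn": "high", "card": "high", "email": "low", "phone": "low"}
RANK = {"none": 0, "low": 1, "high": 2}


def luhn_valid(number: str) -> bool:
    """Luhn check for card numbers; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """SSA rules: area not 000/666/900-999, group not 00, serial not 0000."""
    area, group, serial = (int(part) for part in ssn.split("-"))
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every validated PII match in the text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card" and not luhn_valid(value):
                continue
            if kind == "ssn" and not ssn_plausible(value):
                continue
            findings.append((kind, value))
    return findings


def classify_record(record: dict) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Scan every field of a record; return its level and (field, kind, value) findings."""
    level = "none"
    findings = []
    for field, value in record.items():
        for kind, match in scan_text(str(value)):
            findings.append((field, kind, match))
            if RANK[SENSITIVITY[kind]] > RANK[level]:
                level = SENSITIVITY[kind]
    return level, findings


def build_inventory(stores: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Per store: record count, records per sensitivity level, and PII kinds seen."""
    report = {}
    for store, records in stores.items():
        levels: Counter = Counter()
        kinds: Counter = Counter()
        for record in records:
            level, findings = classify_record(record)
            levels[level] += 1
            for _, kind, _ in findings:
                kinds[kind] += 1
        report[store] = {"records": len(records), "levels": dict(levels), "kinds": dict(kinds)}
    return report


if __name__ == "__main__":
    for store, summary in build_inventory(SAMPLE_STORES).items():
        print(store, summary)
```

Run as a script it prints one line per store; the inventory shows that crm.customers holds one "high" record (SSN plus card number in a free-text notes field) and one "low" record, while the newsletter store holds only email addresses, which is the kind of evidence step 1 asks for and the ranking step 5 asks for. Pattern matching like this is a starting point for unstructured data and free-text fields; for structured stores, column names and schema documentation will usually tell you more, and either way the results should be confirmed by a human before they drive deletion or access decisions.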

6. Review and Update Safeguards That Protect PII

Review your overall security program to see what safeguards you need to update. Likewise, make sure you’re using up-to-date tools and solutions to protect PII. This includes your:

7. Update Your Security Policies

With the rollout of enhanced data privacy laws, your policies may need a review. Take a moment to review the foundation for protecting PII: your internal security policies. Policies that include best-practice security controls, drawn from trusted frameworks like SOC 2 or the CIS Controls, help ensure that the information you store and process stays safe. These policies also create a structure for your employee awareness training around the collection, storage, encryption, de-identification, and deletion of PII.

Keep Your Data Protected No Matter What

Protecting PII should be central to your infosec program. Your customers expect you to protect their PII no matter what. With these seven steps, you can build a solid security strategy that meets or exceeds their expectations.


About the author

Laird Wilton is a tech entrepreneur, Techstars alumni, board member, and the COO and Co-Founder of Securicy. Securicy’s SaaS offering guides businesses through creating, implementing, and managing their information security and privacy compliance program.

Laird lives in Cape Breton, Nova Scotia with his wife and young family. When not working, he spends his time traveling with his family, coaching minor football, playing hockey and volunteering at his community’s recreation center.