For years, individuals have trusted companies with their data. After many instances of data breaches reaching the mainstream news, the public’s negative perceptions of data misuse are increasing. Data producers have become more suspicious of how organizations are using their data. It has never been more critical for your organization to develop a personally identifiable information policy, and this article will show you how.
Do I Need A Personally Identifiable Information Policy?
Unlike data mapping and privacy policies, it is not a regulatory requirement for an organization to have a PII policy. It will make life much easier regarding personal data protection, employee security awareness training, and compliance strategy for your organization to go through the process of constructing a PII policy.
Let’s find out what makes a good PII policy.
What Is PII
Before jumping into policy creation, you will need to understand what constitutes personally identifiable information. A few regulations cover PII protection, and most of them share a similar definition of PII.
Essentially, PII is any form of data that, if exposed, allows another entity to identify that data’s producer.
Below you will find some personally identifiable information examples:
- Names and addresses
- Gender or sexual orientation
- Religious or political affiliations
- Identification numbers like SSN
- Financial information: bank numbers, credit card info
- Telephone numbers
- Government records: criminal, tax, etc.
You should note that this is not a complete list of PII. Any data that you think could identify a person is PII. For example, in some more advanced cases of attackers can use metadata to steal people’s identity. Like knowing buying habits and hobbies allows the more creative fraudster to spoof identification verification processes.
Regulations That Cover PII
As stated previously, there is a significant shift in the regulatory landscape where governments are pushing companies to adopt a more security and privacy-conscious PII attitude.
The big daddy of data protection law is the GDPR. It’s almost impossible to visit any website nowadays without being bombarded with cookies and privacy policies. Thanks to regulations like the GDPR, businesses need to pay more attention to the handling of individuals’ data.
The GDPR is not the only regulation, and it also only protects European data subjects. California has stepped forward as a proponent of privacy rights with the California Consumer Privacy Act (CCPA). Conversely, the CCPA only pertains to Californian residents.
More states and other countries will likely begin adopting data protection laws. The trend is not looking to slow down; it’s better to remain ahead of the curve.
If your organization is processing any Californian consumers or EU data subjects’ data, then a PII policy will help you in your compliance mapping strategy.
Privacy policies are for your customers to see. It gives them options on how you can use their data. It lays out how you use their data and how you are complying with regulations. The better privacy policies will also tell customers and data subjects how they can access the data you hold and the process of deleting the data.
However, a PII policy is an organizational policy meant for personnel. The policy dictates how the business’s internal mechanism will handle PII and how staff should conduct their job function if it requires PII processing.
In the coming sections, we will explore in more detail the ingredients that go into the making of a PII policy and, finally, the recipe to an acceptable PII policy.
PII Policy Ingredients
Before developing and implementing a PII policy, you will want to take some time to prepare. Knowing the data you hold, the processes used, the states of data, and understanding the regulatory requirements will help you develop the best policy for your business.
Some data protection regulations, namely the GDPR, call for your business to employ a data map. Thankfully, if you comply with the law, you will already have a developed data map.
The data map will significantly help in developing your PII policy. Essentially, a data map, as the name suggests, is a map of all the personal data on your information system. It tracks the journey data takes across the information systems from collection to deletion. We have a wealth of information about data mapping on our blog, which you can check out here.
But let’s briefly go over the basics of data mapping, later we will see how this will help develop a PII policy.
A data map is relatively simple to conduct; here is a quick step guide to data mapping:
- Taking Inventory: assess the kind of PII you are processing and see where it is stored.
- Understand its format: on hard drives, in the cloud, on a piece of paper?
- Source: where is the personal data being collected? Is it coming from a website portal? A call center?
- Process: How is the data being used? Is it for sales purposes? Is the organization offering services that require it? Who is allowed access?
- Destination: where does the data end up? Is the process streamlined? The destination element is different from inventory because the inventory is just to get you started. The destination will end up forming part of the map.
- Destruction: How is the data being destroyed? Is it being disposed of properly? Does it have a defined life cycle? What happens to the data of inactive users?
Once you have answered these questions, you can begin to build the data map. The completed plan will then help in developing a policy. With it, you have a visual aid and a bird’s eye view of who has access.
The data map is a significant part of the PII policy; you only want authorized personnel to have access and control.
States of Data
The “states of data” is the next thing you will need to consider when creating a PII policy. Data can be in three different “states”:
- Data in use: this is any personal data currently being processed, providing a service, or facilitating an employee’s job function.
- Data at rest: refers to any data stored at the end-points of an information system.
- Data in motion: this is any data currently in transit, either over internal or external networks.
The three different states of data will play a role in shaping the PII policy. Each segment state will have additional personnel and business partners interacting with them. Understanding the data states will also allow the organization to apply the appropriate data protection measures.
Your industry might have specific regulations that you will need to factor in when developing a PII policy. Standard regulations are mentioned in this article, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), either or both of which are likely to apply. However, there are specific laws that pertain to specific industries. For example, if you work in the healthcare industry, you will need to include HIPAA and HITECH in your policy.
Finally, employee data is still PII. And even though consumers are at the forefront of data protection discussion, the critical infrastructure industry still requires PII protection.
Suppose a business that is part of the bulk energy supply (BES) infrastructure has a data leak, and employee information is leaked. This leak poses a threat to the individual’s privacy and could also be used to attack the energy infrastructure provider. The fallout could have catastrophic effects on thousands of lives.
The final piece of the puzzle is assessing what technical safeguards will need to be employed. This factor is vital to the policy because some personnel in the organization will not be technically capable.
This means that whatever safeguard you use, the staff will need to understand how to use it properly. For example, if you choose to install and use a PII scanner, anyone connected to the information system will need to train in PII scanning.
The same goes for all other safeguards, some of which may be:
- Password management tools
- Accounts and user policy tools
- Network security and connectivity software
- Cloud storage security
PII Policy, The Recipe
Continuing to use the cooking analogy, if the preparations were the ingredients, now it’s time to start cooking. The policy is the recipe that the organization will need to follow to make a perfect privacy protection meal. Essentially, these are the rules that the security management will have to implement and that staff will have to address.
The first part of the policy should discuss access controls. Access controls are the technical safeguards implemented on the information system that restricts access to authorized users. When it comes to PII, you will need to restrict access on a job function basis. Because the policy governs the internal mechanisms, some will need to access personal data to complete their job function.
If you use the “data states” as a basis of the policy, it will create access controls that are much more manageable; let’s explore.
- Data in rest: data in rest is generally of little use to any organization members actively engaged with customers. The data is static in a storage system; for this reason, it might make sense only to give access controls to the security team or the organization’s data custodians. It will be their job to ensure the secure execution of personal data to genuine users.
- Data in use: this data state is a bit trickier to control. It might be flying through various information systems on a busy day, accessed by both the producers (customer) and data processors. The information system must have an active SIEM tool to track the data’s movement and alert the organization if abnormal patterns are detected. As part of the policy, the members who require access for their job function should be the only ones who have access to “data in use,” and they will need training in SIEM detection.
- Data in motion: this state is another pretty straightforward one. Simply put, it’s for the network guys. “Access” is a strange word to use here because you don’t precisely access data in motion. But there are controls in place that govern movement, where network security specialists will have to take over.
Now that you have decided who gets access to what, it’s time to implement the how.
Establish Rules Of Access
The rules of access are how PII can be used and processed within the organization. Setting up access controls shows who can access the data, but you must also develop a policy on how it should be processed.
Some examples of rules within the policy may be:
- Time locked access: office hours are generally between 9-5 for most companies. It will make sense to enact a policy that allows authorized employees to access personal data during office hours. This rule will not only make it easier to detect possible breaches (if data access occurs outside office hours), but it will also limit access during remote work. As it encourages job completion, if working from home, to occur during standard office hours.
- Password management policy: all authorized accounts will need to follow a password management policy. An approach like this means passwords that access sensitive data will need to have a lifecycle, i.e., replaced every 30 to 90 days. Other rules go into password management, which you can read about here.
- Transferring personal data: network security plays a significant role in personal data. Many organizations will have some network system, whether local or on the cloud, that manages their data. The PII policy should dictate the rules of transfer. What kind of networks it safe to send it over, and what platforms are allowed (i.e., email or otherwise).
- Third-party Networks: it is likely, given the global business environment, that your business has an extensive third-party network. Within that network of third parties, personal data may be shared. It is paramount that you bring all business partners and service providers under one risk management umbrella. This requirement is slowly making its way into regulations. It will soon become a legal requirement for organizations, so it is best to be one step ahead and discuss PII management with your network today.
The rules should extend to fit the size and culture of the organization. You should also consider what the needs of your organization are and mold them to the policy.
Don’t let negative public perception hurt your business or reputation. Show your customers that their data and their privacy are your top priority. With a personally identifiable information policy, you can ensure that everyone in your organization instills a sense of privacy by design and default.
Let us help you design the best personally identifiable information policy for your business. RSI Security is the nation’s premier cybersecurity provider, and with the experience under our belt, you can ensure that we can meet your security needs. Get in contact and schedule a consultation today.