Does this title make you feel like responding ‘how long is a ball of string?’ You aren’t alone. After all, personally identifiable information (PII) is more than email addresses. And if it is more than that, how much do you actually have, where is it, how did you get it and what can or can’t you do with it? So, coming back to the root of the point…
What is PII?
PII is anything and everything that can identify an individual, group or business. It can be digital or paper based. Below are four typical forms of PII; you might find your business holds some, if not all, of them.
Sensitive personal information (SPI). This form of PII can include a person’s racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual preferences, and criminal convictions, proceedings and acts.
Personal financial information (PFI). Typically assumed to be the most critical data, PFI can include bank account details, transactions where sender or beneficiary details identify a person, and cardholder payment data.
Personal health information (PHI). Also known as protected health information, PHI can include demographics, medical history, laboratory/test results, insurance information and other data that relates to an individual’s state of health.
General PII (GPII). This is data such as names, email and postal addresses, taxpayer ID/NI numbers and other ID details such as driver’s licence and passport numbers.
How will you know how much you have?
Despite all of these different forms, if the same client’s data is held on multiple systems, it still counts as one record. Having said that, don’t forget that data in spreadsheets and other documents counts as a record too, including data in emails on your employees’ workstations.
It is simple enough to calculate how much PII your business holds: add together the SPI, PFI, PHI and GPII records for your clients and your employees. When you know the scale and the types of PII data you hold, you can make sure your business has the right measures in place to keep it safe.
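As an added example (not code from the original article), the small Python script below applies that counting rule to constructed sample data: it merges records from several systems, matches the same person across them by a normalised email address (falling back to name plus postcode, both assumptions about your data), and tallies unique records overall, per category, and those found on more than one system.

```python
"""PII inventory: merge records from several systems and count each person once."""
from collections import defaultdict

# Field name -> PII category, following the four forms described in the article.
FIELD_CATEGORY = {
    "name": "GPII", "email": "GPII", "postal_address": "GPII", "ni_number": "GPII",
    "bank_account": "PFI", "card_number": "PFI",
    "health_condition": "PHI", "insurance_policy": "PHI",
    "ethnicity": "SPI", "union_member": "SPI",
}

def person_key(record):
    """Normalise the identifier so the same person matches across systems.
    Assumption: email is the shared identifier; fall back to name + postcode."""
    email = (record.get("email") or "").strip().lower()
    if email:
        return "email:" + email
    name = " ".join((record.get("name") or "").split()).lower()
    postcode = (record.get("postcode") or "").replace(" ", "").upper()
    return f"name:{name}|{postcode}"

def inventory(systems):
    """systems: {system_name: [record, ...]} -> counts of unique people overall
    and per category, plus the people found on more than one system."""
    categories = defaultdict(set)  # category -> set of person keys
    locations = defaultdict(set)   # person key -> systems holding that person
    for system, records in systems.items():
        for rec in records:
            key = person_key(rec)
            locations[key].add(system)
            for field, value in rec.items():
                if value not in (None, "") and field in FIELD_CATEGORY:
                    categories[FIELD_CATEGORY[field]].add(key)
    return {
        "total_records": len(locations),
        "by_category": {c: len(keys) for c, keys in categories.items()},
        "multi_system": sorted(k for k, s in locations.items() if len(s) > 1),
    }

# Constructed sample data: Ada is in the CRM and the HR spreadsheet; Cy has no
# email address and appears in the spreadsheet and an email export.
SAMPLE_SYSTEMS = {
    "crm": [
        {"name": "Ada Example", "email": "Ada@Example.org", "postal_address": "1 High St"},
        {"name": "Bob Sample", "email": "bob@sample.test", "card_number": "4111-constructed"},
    ],
    "hr_spreadsheet": [
        {"name": "ada  example", "email": "ada@example.org ", "bank_account": "00-00-00 12345678",
         "health_condition": "asthma"},
        {"name": "Cy Person", "postcode": "AB1 2CD", "union_member": "yes"},
    ],
    "email_export": [{"name": "cy person", "postcode": "ab12cd", "ni_number": "QQ123456C"}],
}
```

Running `inventory(SAMPLE_SYSTEMS)` reports three records rather than the five rows held, and lists the two people whose data lives on more than one system.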
Why should you care?
With the General Data Protection Regulation (GDPR) currently under review and due to be enforced from May 2018, businesses’ duty of care over client data is changing. The responsibility for collecting, using, storing and disposing of any PII is increasing, and the onus is on businesses to meet key responsibilities or face a fine of 4% of global turnover or £20,000,000. That’s enough money to make your data responsibilities feel a lot more real.
Too many records to contemplate? How can you keep it safe?
There are various ways to protect your business’s data. A combination of robust IT security measures and employee awareness, including best practices, policies and procedures, all help to protect it. However, should there be a data incident or breach, you need to ensure your business knows how to respond. Why not read our 12 steps on preparing your business for GDPR, or get in touch for more information.
Zywave: Data Breach Response Policy
STORM: PII Determinator