x

Glossary

Our Criblpedia glossary pages provide explanations to technical and industry-specific terms, offering valuable high-level introduction to these concepts.

Table of Contents

Related Terms

Return to Glossary

Personally Identifiable Information (PII)

Consumers expect their personal information to be kept safe when they use your apps, services, and stores. This is similar to how in-person retailers protect customer data for loyalty programs and purchase history. This expectation of data security extends to regulators, auditors, investors, board members, and partners. Let’s look at the what, why and hows of PII.

What is PII?

Personally Identifiable Information (PII) refers to data that, either independently or when combined with other relevant information, can identify an individual. Various data elements are universally recognized as PII. Additionally, PII is categorized into two types: sensitive and non-sensitive.

Sensitive PII is information that can lead to harm or fraud if revealed. Non-sensitive PII, on the other hand, poses less risk even if it becomes exposed.

Some of the most common forms of Personally Identifiable Information (PII) include:

Sensitive PII
This includes details such as your full name, Social Security Number, driver’s license information, financial data, credit card numbers, passport details, medical records, and more.

Non-sensitive PII
Includes publicly accessible information like your zip code, race, gender, birthplace, date of birth, and religion.

It’s important to note that social media profiles are generally classified as non-sensitive PII. However, this classification depends on the nature of the information shared on these platforms.

According to the General Data Protection Regulation (GDPR), ‘Personal data’ is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

Securing PII

In the past, securing PII data wasn’t a significant priority. However, the landscape changed dramatically when multiple companies faced multi-million dollar fines due to their mishandling of customer data. Beyond financial penalties, organizations also confront reputational risks that can lead to severe repercussions. Picture your company making headlines for not protecting customer data, with ongoing news coverage as your executives get dragged through all kinds of legal proceedings.

This shift led to a transformation in data protection protocols, posing a significant challenge for companies striving to comply with the evolving rules for properly storing and processing PII.

Given that the GDPR is considered the gold standard for PII protection, it offers comprehensive guidelines on how PII should be managed.

  • All organizations should err on the side of caution when it comes to processing personal data.
  • As per GDPR guidelines, the processing of personal information should be confined to what is essential.
  • Organizations should keep such data only for the duration necessary to serve its intended purpose. Additionally, they are encouraged to employ strategies like pseudonymization and/or encryption, particularly for data categorized as sensitive data.

And to help ensure appropriate actions are taken to secure the data, GDPR adds the following: Violating the EU’s GDPR means maximum fines of $23 million (20 million Euros) or 4% of the company’s annual global turnover – whichever is higher.

PII Security Standards Organizations

While the EU’s GDPR is frequently cited in PII security discussions, there are many state, federal, and international laws and regulations governing security and privacy that define permissible practices.

CSO-Online has a guide that summarizes and provides additional resources on security or privacy law and regulation.

PII security tips and best practices

  • Educate employees, administrators, and third-party contractors on the consequences of mishandling data and establish clear accountability for data handling.
  • Implement AI and predictive analytics to review large data sets and ensure compliance with PII regulations in stored data.
  • Develop and enforce access control policies to prevent unauthorized PII disclosure.
  • Utilize strong encryption methods for data protection, implement secure passwords, and use two-factor authentication (2FA) and multifactor authentication (MFA).
  • Encourage regular and secure data backup procedures among employees.
  • Ensure safe destruction or removal of media containing sensitive data.
  • Promptly install updates for software, applications, and mobile devices.
  • Advise against the use of public Wi-Fi for business purposes and promote the use of secure wireless networks.
  • Encourage the use of Virtual Private Networks (VPNs) for enhanced security.
PII Best Practices
  • Know Regulatory Requirements: Depending on the geographical location, jurisdiction and local authority requirements and consequences vary greatly.
  • Minimize Collection / Retention Data: Collect only the data absolutely required, this will minimizes risk and simplify compliance.
  • Secure All Retained Data: Via masking, pseudonymization and/or encryption at level that meets regulatory requirements.
Want to learn more?

Learn more about how Cribl is committed to keeping customer data safe and secure.

Learn More

Resources

So you're rockin' Internet Explorer!

Classic choice. Sadly, our website is designed for all modern supported browsers like Edge, Chrome, Firefox, and Safari

Got one of those handy?