What is PII Compliance

PII stands for Personally Identifiable Information. In many countries, this type of information is protected by legislation. Therefore, the legislation itself is not a direct threat

However, these acts empower private individuals to sue companies that hold data on them but do not adequately maintain or protect it. These stipulations are also laid out in data privacy standards. These standards ensure that businesses that follow them will keep within the law and avoid legal action.

When people talk about PII compliance, they are talking about being within the requirements of these data standards. There are many PII protection standards. These fall into two categories:

  • Industry data protection standards
  • Geographical data protection standards

While the industry standards dictate how PII should be treated, the geographical criteria add additional requirements about where the data is stored and where those accessing the data are located.

PII standards not only dictate levels of security to prevent data disclosure, but they also ban practices such as the sale of PII or the use of PII collected for one specific purpose being used to launch a particular product.

Related post: Best PII Scanning Tools

What counts as PII?

PII standards only relate to the information held in digital format that can identify a private individual. Therefore, the rules do not apply to anonymized aggregate data or information about people in their workplace, such as the contact details of sales representatives.

If you don’t hold any information about private individuals, you don’t have to worry about PII. However, as a heads up, the information you own in your HR records counts as PII, so there is only a very slim chance that you don’t hold any PII at all.

Some of the significant data privacy standards

The most widely encountered industry-based data privacy standards in the USA are:

  • Payment Card Industry Data Security Standards (PCI DSS) This applies to all stores of payment card details, not just those held by banks and payment processors, so if you keep the credit card details of private consumers in the USA on file, you need to comply with this standard.
  • Health Insurance Portability and Accountability Act (HIPAA) This standard also applies only to data about people in the USA. However, its application extends to wherever health insurance data is held, not just within health insurer providers. This is because HIPAA deals with a variation of PII called protected health information (PHI).

The EU began the trend towards legislation over the use of data within an area of the world. This is a package of recommendations that are implemented in the legislation of each member state.

The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) These rules specify that PII can only be held for specific purposes. The subjects of those data instances have the right to request a copy of that information and correct mistakes. Furthermore, PII on EU citizens cannot be taken outside the EU without the subject’s consent. This applies to all businesses that do business in the EU, even if their headquarters are elsewhere. A breach can incur a fine of up to €20 million-plus the subjects of inaccurate or leaked data have the right to sue.

This list of rules has now been emulated in several other locations.

  • California Consumer Privacy Act (CCPA) in California, USA
  • California Privacy Rights Act (CPRA) in California, USA, extending CCPA
  • Virginia Consumer Data Protection Act (VCDPA) in Virginia, USA
  • Lei Geral de Proteção de Dados (LGPD) in Brazil
  • Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
  • Protection of Personal Information Act (POPIA) in South Africa

In all of these cases, it doesn’t matter where your business is located; the control of data applies to the residence of the data subject. So, if you operate a global business on the World Wide Web, you will need to adapt to each of these standards according to where each of your customers is located. Fortunately, the requirements for all of these standards are very similar.

You can read more about PII standards and how to comply with them in Guide to Data Privacy Management and the Best Tools.

Implementing PII compliance

The shortlist of existing standards in the previous section is just a start. Many other countries in the world have recently passed their versions of GDPR or are currently doing so.

Failure to comply will lose your business in the case of industry data privacy standards because these standards are often sewn into the contracts for suppliers that operate within those sectors. In the case of geographical data privacy standards, non-compliance will get your company fined and sued.

Managing compliance to these standards could end up being a nightmare. Your business might be caught up in several of these standards simultaneously. The only solution is to get an automated tool that manages PII compliance for you. Fortunately, there are such tools available on the market.

Types of PII compliance tools

There are several different packages that you need to fully comply with all of the requirements of data privacy standards. In addition, there are standards to satisfy the requirements of data privacy standards entirely are several issues that you need to deal with.

  • Governance, Risk, and Compliance
  • Protection of data from loss or tampering
  • The ability to respond to data subject access requests
  • The processing and storage of logs for compliance auditing
  • Cookie consent

We deal with each of these topics in the following sections, explaining the type of tools you should look out for to satisfy data privacy standards fully.

Governance, Risk, and Compliance (GRC)

This category of software sounds like it supplies everything you would need for PII compliance. These tools cover a lot of what you need for PII compliance, but they don’t provide all of the functions you will need to acquire.

GRC manages working practices as well as system automation that provides a complete PII compliance strategy. This category of tool can also protect other types of data covered by privacy standards, such as the financial information that needs to be saved for the Sarbanes-Oxley Act (SOX). You can read more about Governance, Risk, and Compliance in the 9 Best GRC Tools for 2021.

A significant part of GRC is risk management. This expresses the assessment of both internal risk and external risk. Internal risk issues related to the identification of PII. You can read more about this task and the tools needed for it in the Best PII Discovery Tools. External risk is all about assessing the compliance profiles of your existing and potential associates. This is called third-party risk management or vendor risk assessment. Again, you can read more about suitable tools for this task in 5 Best Third-Party Risk Management Software.

Protection of data from loss or tampering

Data disclosure of PII is the biggest threat to your business, so you have to prevent data theft. There are now many different techniques that data thieves deploy, including ransomware. Data loss prevention (DLP) systems the discovery of PII and its protection.

A typical DLP system can trace instances of PII and then employ file integrity monitoring (FIM) to control access to it. This strategy encrypts the files containing PII and then manages access through seamlessly provided decryption for those with the proper access permissions.

FIM is great for PII compliance because not only does it protect sensitive data, but it also logs all access and change activities. A large part of data privacy standards compliance lies in logging everything on the system, storing those logs in files, and protecting log files from tampering.

DLP system also manages all channels for data exfiltration. This doesn’t block data movements but allows certain users to move certain types of PII.

You will find a comprehensive list of DLP systems in the 13 Best Data Loss Prevention Software Tools.

The ability to respond to data subject access requests

A data subject access request (DSAR) is a mechanism specified in GDPR and the other geographically based data protection standards it inspired. This is a requirement of the standard, and you need to comply with it.

A DSAR is a request by a public member to find out what data you hold about them. The system also provides opportunities for those subjects to have incorrect information modified and inappropriate data removed.

Part of the defense your company can put up against the likelihood of members of the public demanding you remove their data is to obtain consent to the storage and actions that you might want to perform on it. With this mechanism, you can simplify the complexities of dealing with the public. Take a look at 7 Best Consent Management Platforms to learn more about DSARs and deal with the public.

The processing and storage of logs for compliance auditing

PII compliance requires the documentation of all security events on a network and its endpoints. This is carried out by collecting log messages and storing them. The logs can be used by security event and information management (SIEM) systems to detect possible intrusion.

Logs also have to be made available to external compliance auditors. The purpose of these audits is to check that there has not been a data disclosure. Companies have many incentives to cover up data theft, so data privacy standards require this extensive record keeping. Gaps in log records or evidence of log tampering break the rules. When all logs are present, auditors can seek for undeclared data leaks.

Find out more about tools for the log management requirements of PII compliance by reading 15 Best Log Management Tools & Analysis Software.

Cookie consent

Websites use cookies for various mechanisms, including for marketing purposes. This requires tracking libraries that operate through cookies stored on the site visitor’s computer and a central advertisement server. In addition, this data can be used for marketing analysis.

Unfortunately, in some consumer privacy standards – notably GDPR and CCPA – certain cookies are considered PII.  This brings in all of the complicated requirements to service DSARs and restricts access to physically located employees within the geographical area covered by the legislation.

You can limit your exposure to these PII compliance requirements by getting extensive permission from the site visitor up-front. Cookie consent management systems take care of this task for you. The Best Cookie Consent Tools explains these issues and the tools to solve them.

Tool up for PII compliance

PII compliance is a complicated task, and it will take you away from your core business activity. However, you can’t afford to ignore these requirements because a failure to address these tasks could lead to a data loss event that destroys your business.

The many different tools that you need can take time to investigate. First, however, look at the guides on Comparitech linked to in the body of this article. Getting a brief understanding of each tool and a shortlist of tools to consider will speed up your journey to full PII compliance.

PII Compliance FAQs

What is PII Compliance?

PII stands for “personally identifiable information.” That term refers to information about a private individual that is part of that person’s identity. PII compliance means that an IT system complies with one of the many standards that are currently in circulation that dictate how private data should be protected. Examples of these standards are Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the EU’s General Data Protection Regulation (GDPR).

What are examples of PII?

PII is “personally identifiable information.” Types of information that need to be protected include social security numbers, credit card numbers, names, addresses, and email addresses. These identifying records only relate to private individuals. So, it doesn’t apply to business contacts. If you hold the names and business emails of corporate contacts, those records are not considered to be PII.

What is not PII information?

Personally identifiable information (PII) only relates to certain identifiers about private individuals. Business contact information is not included as PII. Also, race, religion, gender, and sexuality are not considered to be PII.