Handling PII Data: Best Practices

Handling personally identifiable information (PII) is a big responsibility for any organisation. Ensuring the security and privacy of this data is essential, not only to maintain trust but also to comply with legal regulations.


What is PII Data?

Personally identifiable information (PII) refers to any data that can be used to identify an individual uniquely. This includes direct identifiers, such as names, phone numbers and email addresses, as well as indirect identifiers that, when combined with other information, can reveal an individual's identity. For example, a person's date of birth, zip code, and gender might not be identifiable on their own, but together they could pinpoint an individual. PII encompasses a wide range of data types, such as home addresses, phone numbers, IP addresses, and even biometric data like fingerprints. Proper handling and protection of PII are essential to prevent identity theft and ensure privacy.


What Are The Consequences?

While it is hard to quantify the negative impact on brand perception, the loss of trust and the loss of long-term customers, from a GDPR fining perspective the amount can be up to 20 million euros or, in the case of an undertaking, up to 4% of the company's total global turnover of the preceding fiscal year, whichever is higher. There have been a number of high-profile cases in recent history, including a $700 million settlement from Equifax in 2017 and a $26 million fine to British Airways in 2018, and many of us will recall the Cambridge Analytica scandal, which led to Facebook facing a $5 billion fine from the FTC in 2019.

While these are, of course, big, headline-hitting examples, more than 2086 fines have been administered due to GDPR violations in the UK, so do not assume it couldn't happen to your company! So how can you ensure that you do not fall foul of the rules when it comes to PII and your data?


Avoid Extracting PII

The most effective way to mitigate risks associated with PII is to avoid extracting it whenever possible. The primary objective of analytics is to derive insights from data at scale, not at the individual level. By excluding PII from the extraction process, organisations can significantly reduce the risk of unauthorised access or data breaches. Use anonymised or aggregated data to perform analytics tasks, ensuring individual identities are protected. Regularly evaluate whether PII is genuinely required for analytics or if alternative, non-identifiable data can be used instead.
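As an added illustration (not code from the original article), the sketch below shows an extract step that keeps no direct identifier, coarsens the indirect ones mentioned earlier (date of birth, zip code, gender) and withholds any group too small to hide an individual. The sample rows, the field names and the minimum group size `K` are assumptions made for the example.

```python
# Added example: constructed sample rows, not real customer data.
ROWS = [
    {"email": "a@example.com", "dob": "1990-04-12", "zip": "90210", "gender": "F", "spend": 120},
    {"email": "b@example.com", "dob": "1990-11-02", "zip": "90211", "gender": "F", "spend": 80},
    {"email": "c@example.com", "dob": "1990-01-30", "zip": "90245", "gender": "F", "spend": 50},
    {"email": "d@example.com", "dob": "1985-07-19", "zip": "10001", "gender": "M", "spend": 300},
    {"email": "e@example.com", "dob": "1985-03-03", "zip": "10002", "gender": "M", "spend": 40},
]

K = 3  # assumed minimum group size; choose it to match your own policy


def generalise(row):
    """Keep no direct identifier; coarsen the indirect ones."""
    return (row["dob"][:4], row["zip"][:3], row["gender"])


def aggregate(rows, k=K):
    """Total spend per (birth year, zip prefix, gender) group.

    Groups with fewer than k people are withheld, because a small group
    can still point at one individual even with the email removed.
    Returns (published_groups, number_of_people_withheld).
    """
    groups = {}
    for row in rows:
        group = groups.setdefault(generalise(row), {"people": 0, "spend": 0})
        group["people"] += 1
        group["spend"] += row["spend"]
    published = {key: g for key, g in groups.items() if g["people"] >= k}
    withheld = sum(g["people"] for g in groups.values() if g["people"] < k)
    return published, withheld


if __name__ == "__main__":
    published, withheld = aggregate(ROWS)
    for key, g in published.items():
        print(key, g)
    print("people withheld from small groups:", withheld)
```
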


Hashing PII for Analytics

When PII is essential for certain types of analytics, data activation, or AI models, applying hashing algorithms to PII fields is recommended. Hashing is a process that transforms data into a fixed-size string of characters, which is nearly impossible to reverse-engineer, thus protecting the original information.

For example, if your CRM system uses email addresses to identify users, you can hash these emails before storing or processing them. This ensures that even in the event of a data breach, the hashed values are not useful to an attacker. Use a robust hashing algorithm such as SHA-256 to enhance security, or add a unique value (salt) to each PII field before hashing to prevent attackers from using precomputed hash tables (rainbow tables) to crack the hashes.
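The following added example (not code from the original article) hashes CRM email addresses two ways and checks how many tokens can be linked back to a person by someone who holds only a list of addresses. In place of a per-field salt it uses HMAC-SHA-256 under one secret key, a related technique chosen here so that the same email still produces the same token across tables; that substitution, the function names and the sample addresses are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def normalise(email):
    """Canonical form, so the same address always yields the same token."""
    return email.strip().lower().encode("utf-8")


def plain_token(email):
    """Unsalted SHA-256 of the address."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_token(email, key):
    """HMAC-SHA-256 of the address under a secret key kept outside the warehouse."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def matches_from_known_list(tokens, known_emails, token_fn):
    """Audit check: which stored tokens can be linked back to an address
    by someone who holds only a list of addresses and token_fn."""
    lookup = {token_fn(e): e for e in known_emails}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    crm = ["Alice@Example.com ", "bob@example.com"]  # constructed sample data
    known = ["alice@example.com", "bob@example.com", "carol@example.com"]
    key = secrets.token_bytes(32)      # in practice: loaded from a secrets manager
    no_key = secrets.token_bytes(32)   # stands in for a party without the key

    plain = [plain_token(e) for e in crm]
    keyed = [keyed_token(e, key) for e in crm]
    return {
        "plain_linked": len(matches_from_known_list(plain, known, plain_token)),
        "keyed_linked": len(matches_from_known_list(
            keyed, known, lambda e: keyed_token(e, no_key))),
        "join_still_works": keyed[0] == keyed_token("alice@example.com", key),
    }


if __name__ == "__main__":
    print(demo())
```

The protection of the keyed tokens rests on the key, so it belongs under the same access restrictions as a decryption key.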


Isolate and Encrypt PII Data

If storing PII data is unavoidable, isolating and encrypting the data are critical steps to safeguard it. Encrypting sensitive data points ensures that even if unauthorised individuals gain access to the data, they cannot read it without the decryption keys. Use strong encryption methods, such as AES-256, to secure PII data both in transit and at rest. Limit access to decryption keys to a select group of trusted individuals within the organisation. Implement role-based access control (RBAC) to enforce these restrictions. Conduct regular audits to ensure compliance with data protection policies and to identify any potential vulnerabilities.


Training and Awareness

Providing regular training and awareness programmes for employees is essential to ensure they understand the importance of protecting PII, and any considerations that have gone into your current analytics setup.


Conclusion

Trust is everything in business, and data breaches can heavily impact your relationship with customers. As such, wherever possible you should not extract PII data into your analytics backend, but where this is unavoidable, be sure to take the necessary steps to protect your business.

If you are looking to get closer to your customers, but are concerned about protecting their PII data, then why not get in touch with the friendly team here at 173tech. With a wide range of clients from children’s apps to banking, we have plenty of experience in this field and can guide you as to best practices.
