How PII data works in businesses and its advantages
A lot has been said about data privacy and personally identifiable information (PII) in recent years. But to fully understand the topic, you need to be able to identify what PII data is.
The establishment of the General Data Protection Regulation (GDPR), earlier this year, ensured that PII data was front and center in the news. This led to businesses scrambling for information on how, when, and why they were collecting it.
Read our use cases on PII data security here: https://www.verygoodsecurity.com/use-cases/pii
Businesses and consumers are adapting to the ever-evolving world of internet privacy. Businesses need to be able to identify and use PII data.
What is PII data?
PII, also known as personally identifiable information, refers to any data that can be used alone or with another data source to identify a person.
Simply put, PII data is information that can be used to identify an individual. It’s like a puzzle. Even if one piece isn’t enough to make the whole picture, the other pieces can be combined to create the entire image. The same principle applies to personal data.
Whether data can legally be considered PII depends on where you are located and what your nationality is. The definition of PII information varies from one region to the next. Some data that are commonly considered PII data include:
Names
Social security numbers
Driver's license or identification numbers
Addresses
Telephone numbers
Email addresses
Medical records
Birthdays
Biometric data
DNA
Birth places
License plate numbers
This is a very basic list, and laws and regulations will continue to evolve to reflect the digital world. An IP address, for example, was reclassified as PII data with the adoption of the GDPR in Europe on May 25, 2018.
The legal status of data as PII depends on where you are located and what your nationality is. As the definition of PII differs from one region to the next,
Do you collect Personally Identifiable Data?
Once you have a basic understanding of PII, it is time to find out if your business stores, collects and uses it. Signup forms and checkout are obvious sources of data, but it is possible that your business, or third-party services, collects more PII information than you realize.
It is crucial that you understand the various ways you collect PII information from your users in order to create a comprehensive privacy policy. A website privacy policy template can make this easier.
There are a few things to remember when you search your website for PII data collection locations and methods.
Direct collection via forms: Signup forms are the most common source of data collection. Users are asked to enter their information manually. Any data field or form where users can input their data is likely to collect and store PII information. This data could be collected regardless of whether the user submits it, depending on how your website or servers are set up.
Website cookies: Website cookies and similar tracking technologies allow website owners to gather information about users and their interactions with the website. Cookies can store everything from user behavior to payment information and passwords. These practices should be described in your privacy policy as well as in your cookie policy template.
Analytics tools: Website analytics are essential to any online business’ continued growth. Analytics tools such as Crazy Egg and Google Analytics make it easier to understand the user’s intent and behavior. These types of solutions tend not to focus on individual users, but they can still gather user information like IP addresses and geographic locations when creating reports.
Geotargeting: This technology can be used to determine a user’s precise location using their unique mobile device or obtain a more general location such as their state or city. This data can be used to provide more relevant content to users, but it can also be combined with other data to allow for the identification of a person.
Point of sale systems (POS): These systems can be found at checkout pages of ecommerce and SaaS websites. These systems can collect information about customers such as email addresses, telephone numbers, and names. POS solutions can also access credit card data and other payment information.
Customer relationship management (CRM) software: A CRM can be a valuable tool for any online business. It helps you build a stronger relationship with your customers, and it allows you to store and retrieve information about potential and existing customers.
Customer support: When a user contacts you or your customer service team, they will most likely give you their email address, phone number, name, and sometimes even their home address. Many businesses use contact center software to keep this information on file.
Although this list is quite comprehensive, it is not exhaustive. To determine how PII data might be collected, you will need to talk to your IT department (or yourself if necessary).
You’ll see that failing to account for even one data collection point can put your entire business at risk.
Is PII data putting your business at risk?
Your website could be at serious risk if you collect personal information and fail to provide a detailed privacy policy. Depending on where your business is located and where your users are located, you could be subject to severe fines for not adhering to laws and regulations pertaining to PII data.
For regulations that specifically pertain to PII data, the three areas you usually need to address are consent, collection, and handling.
New laws and regulations will be enacted soon, such as the ePrivacy Regulation. However, there are three important regulations that could have significant financial consequences for your business if you are not careful with your information practices.
GDPR
In May 2018, the General Data Protection Regulation was made effective. It applies to all businesses that are located in the European Union (EU), or collect PII from EU data subjects, even if they’re not EU-based.
While GDPR compliance can be a complex process that spans many disciplines, you must establish a legal basis (e.g. consent, a contract, or legitimate interest) before any data collection is done.
Make sure your privacy policy states which types of data you collect, how you use them, and who you share them with.
Data handlers (that is, you) must safeguard this information from unauthorized use during storage and management. PII data owners (your users) must have the option to review the information and request its deletion.
A Data Subject Access Request (DSAR) form is one of the best ways for users to exercise their data control rights. It allows users to request access to, edit, transmit, delete or transfer their data.
In the event of a data breach, you have 72 hours in which to notify the authorities.
Failure to comply with GDPR requirements can result in fines up to 20,000,000 euros or four percent of your annual global revenue.
Conclusion
PII data can be a difficult topic to address, especially with more countries and states implementing online privacy and data protection laws. The data-centric world is evolving rapidly and regulations are becoming more important. This can require major changes in how you work and how you handle information.
While privacy laws can be complex, with many facets that apply to different types of data and collection situations, the ultimate goal is transparency. Data is no longer the Wild West it once was; it is moving towards transparency. Data collection practices will be clear, conspicuous and consented to by all users.
Now that you are more familiar with PII data and the methods used to collect it, you can make sure you treat this data with care.