Regulations concerning the protection of personally identifiable information (PII) are gaining steam, and the penalties for compliance violations are immense. Khushboo Suri of Adlib Software discusses what companies can do to identify the PII in their data stores and sufficiently protect it.
A steady stream of new regulations combined with a year-over-year increase in the number of customer records lost or stolen in data breaches mean that protecting personally identifiable information (PII) has never been as important as it is now for businesses across the globe. Accordingly, the imperative is on businesses to achieve regulatory compliance by taking swift steps to initiate PII discovery within their data stores and handle this sensitive information appropriately.
But when one considers that the vast majority of organizational data is unstructured – meaning it is disorganized and not easily searchable – many businesses can’t even begin to diagnose the scope of their risk, let alone take steps to fix it.
The Potential Risks of PII
Across industries and sectors, unaddressed PII is a growing business risk — one that’s been in the spotlight since the European Union introduced sweeping regulations to protect consumer data on May 25, 2018. Known as the General Data Protection Regulation (GDPR), it enables regulators to apply fines of up to 4 percent of global revenue for breaches.
While businesses were given a fair amount of leeway to get their PII in order after the initial rollout of GDPR, fines are now starting to trickle in. The largest penalty to date has seen Google slapped with a fine of €50 million for inadequately disclosing to users how their data was being gathered for more personalized advertising. To date, this fine represents only the fourth penalty issued against any company since GDPR came into effect.
Though These Fines Are Steep, They Could Be Quite Widespread
According to Gartner, 40 percent of organizations are predicted to still be in violation of GDPR by 2020. And this isn’t the only law putting pressure on businesses to protect customer data. Starting in 2020, California will join the states and nations with new rules for handling and retaining PII when the California Consumer Privacy Act comes into effect.
Importantly, even if it weren’t increasingly mandated by law, it would still be in a business’s best interest to take steps to identify and contain sensitive data. According to the 2018 Cost of Data Breach Study: Global Overview, the average cost of a data breach is $3.86 million, a 6.4 percent increase over the previous year. Increases in the average cost-per-record loss and in the size of data breaches were also reported. Hard numbers aside, consumer data breaches can also cause major reputational damage that can take years to overcome.
Mitigating the PII Risk
The annual data breach study also reported that companies’ ability to identify and contain a breach is a key factor in mitigating costs when a data breach does occur. The best way for companies to mitigate cost, though, is to work hard to reduce the risk of a breach – and of regulatory compliance fines – by implementing a PII discovery plan to identify all sources of PII within their data stores and applying enhanced security measures to that sensitive information.
The challenge is that you can’t protect data you don’t even know you have. Whether it’s paper documents, text that has been scanned into simple image format, nested email threads or one of countless other sources, most businesses are sitting on a minefield of unstructured PII and data.
A 4-Step Plan to PII Discovery
How, then, can businesses begin to get a handle on the data encompassed by privacy regulations?
- Identifying the organization’s PII footprint, which is best done by conducting a PII audit.
- Categorizing and tagging files containing PII so that the organization can isolate PII and ensure it is stored, accessed and utilized according to regulations.
- Minimizing the organization’s PII footprint by deleting redundant information and redacting PII wherever possible.
- Lastly – and only once the full scope of organizational PII has been determined – taking the appropriate steps to cordon off PII and encrypt the data and/or employ other security measures.
Given the high volume of data in most organizations’ possession, implementing these steps on a manual basis would be restrictive, if not impossible. Instead, businesses should seek to automate the process as much as possible, using technology to digitize and scan documents, converting them to a unified format – ideally PDF – before analysis.
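The first three steps of the plan above (audit, tag, minimize and redact), as an added example that is not part of the original article or Adlib’s software. The documents, file paths and regular expressions are constructed for illustration; a real audit would use locale-specific detectors and run over the converted PDF text.

```python
import hashlib
import re
from collections import Counter

# Constructed sample documents standing in for an unstructured data store.
DOCUMENTS = {
    "hr/onboarding.txt": "New hire: Jane Doe, jane.doe@example.com, SSN 123-45-6789.",
    "support/ticket-41.txt": "Customer called from (555) 010-2020 about an invoice.",
    "support/ticket-41-copy.txt": "Customer called from (555) 010-2020 about an invoice.",
    "eng/release-notes.txt": "Release 2.4 fixes the PDF conversion timeout.",
}

# Illustrative detectors (assumed patterns); production audits need
# locale-specific formats and validation to keep false positives down.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
}

def audit(documents):
    """Step 1: map each document to the PII categories and match counts it holds."""
    footprint = {}
    for path, text in documents.items():
        counts = Counter()
        for category, pattern in PII_PATTERNS.items():
            counts[category] += len(pattern.findall(text))
        footprint[path] = {c: n for c, n in counts.items() if n}
    return footprint

def tag(footprint):
    """Step 2: tag every file holding PII so it can be isolated and access-controlled."""
    return {path: sorted(cats) for path, cats in footprint.items() if cats}

def find_redundant(documents):
    """Step 3a: byte-identical copies are redundant; keep the first path per content hash."""
    seen, redundant = {}, []
    for path, text in documents.items():
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest in seen:
            redundant.append(path)
        else:
            seen[digest] = path
    return redundant

def redact(text):
    """Step 3b: replace each PII match with a category placeholder."""
    for category, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {category.upper()}]", text)
    return text
```

The output of `tag` is the inventory that step 4 (cordoning off and encrypting) would act on.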
Preventing PII Issues
The proliferation of PII is a massive business risk for organizations – both in terms of regulation and reputation. With GDPR penalties rolling in and the enactment of additional regional regulations on the horizon, it’s critical for organizations to immediately identify any PII within their content stores. Following this stage of PII discovery, businesses can then apply the appropriate privacy and security measures to protect their sensitive content. Not only will this strategy for PII discovery prevent costly regulatory compliance infractions, it could also prevent a business from becoming headline news in the next data breach.