When people share their personal information with an organization, they’re performing an act of trust. They trust you to keep their data safe from hackers, and they trust you to use their data only for legitimate purposes.
While many organizations honor this trust, others do not. As a result, governments worldwide are rushing to pass data protection legislation that puts the power back in the hands of people. Europe’s GDPR is the leader in this field, with stringent rules about personal information handling. By 2023, around 65% of the world’s population will have similar legal protection.
What are businesses to do? As with all compliance issues, the best advice is to see which way the wind blows and try to stay ahead.
The Unified Stack for Modern Data Teams
Get a personalized platform demo & 30-minute Q&A session with a Solution Engineer
What is Personally Identifiable Information (PII)?
The first step to compliance is to identify and categorize all personally identifiable information. But what counts as PII?
It’s a tricky question, as precise definitions can vary between jurisdictions. There are some obvious PII elements, such as name, date of birth, address, phone number, and social security number.
But many laws go further than this. California’s privacy law, CCPA’s definition of PII includes elements like account numbers, IP addresses, network logs, biometric data, and geolocation information.
Rather than trying to itemize all the things that count as PII, it’s perhaps easier to understand the spirit of most privacy laws, which is this:
Personally, identifiable information is any information that can identify an individual, either by itself or in conjunction with other data.
It’s also sometimes useful to think of a reverse definition: what data is not PII? If it’s impossible to link a data element to a specific person, then that data is not PII.
What is the Future of PII compliance?
Most countries either already have strict privacy laws or are working on legislation. Some of the primary laws that affect digital businesses are:
GDPR (European Union)
German Privacy Act (Germany)
Protective Security Act (Sweden)
CCPA (California)
PIPEDA (Canada)
Cyber Security Law (China)
Data Privacy Act (Japan)
Personal Data Protection Bill (India)
As it stands, these laws form a complicated patchwork. For instance, Germany and Sweden are both covered by GDPR, but their national laws add further conditions on data processing within those countries.
In the coming years, we’re likely to see two major trends in data privacy laws:
Extension: Many jurisdictions will either roll out new privacy laws or tighten up existing regulations. States like New York, Connecticut, Virginia, and Minnesota are all looking at launching privacy laws. Meanwhile, California recently passed the California Privacy Rights Act (CPRA), which enhances consumer data protection under the CCPA.
Harmonization: The piecemeal approach is a nightmare for businesses, which have to deal with dozens of confusing laws. Some even have an extraterritorial effect — you can be liable for a GDPR breach even if you don’t operate in Europe. It’s a global problem, so these laws are likely to align with each other, eventually.
Many businesses are already getting ahead of the curve by voluntarily harmonizing their approach to data privacy. For instance, you can choose to follow GDPR requirements for all visitors, regardless of their location. Doing this would mean that you’re ready for any new laws from anywhere in the world.
How Can Businesses Stay Compliant with Privacy Laws?
Predicting future compliance changes is always a guessing game. A lot depends on unpredictable factors, like who gets voted into power and whether digital privacy campaigners manage to capture the public's imagination.
That said, we do have some clues about the future of data privacy. Europe’s GDPR is a relatively happy compromise for business and consumers, as it offers very strict PII protections while giving companies enough freedom to make use of data.
If the world is moving towards something like GDPR, then there are some things that businesses need to do right now:
Understand Your PII
Every business has to be accountable for the PII they store. The first step towards this is to identify PII within your network. It’s a good idea to map out the processes that use PII and how systems share private data.
Give People Control Over Their PII
People should have as much control as possible over their own data. Provide users with a clear privacy policy and give them the chance to opt-out of analytics and tracking. If customers have a self-service portal, they can use this to make amendments and keep their PII up-to-date.
Only Use PII for Legitimate Purposes
People hand over PII for a particular purpose. For instance, an e-commerce customer will happily give you their address so you can deliver their order. But does that mean they consent to inclusion in locale-based cluster analysis? It’s a fine balance, but you should generally err on the side of personal privacy.
Prevent Unauthorized PII Access
Unauthorized access from within can be a serious threat to privacy. It’s your responsibility to implement role-based access rules that ensure employees and contractors can only view data relevant to their jobs.
Monitor Transactions Involving PII
PII is at its most vulnerable during transit. For instance, when you’re moving data from a production database to a data warehouse, there’s a chance that someone will intercept it with a man-in-the-middle attack. There’s also a chance that your transfer process will inadvertently create transaction logs that contain PII. Pay close attention to any process that involves moving private data.
Delete PII when You’re finished with It
Many privacy laws give the data subject the right to request deletion. Even if that doesn’t apply, it’s a good practice to delete any PII that's no longer required. Obsolete PII presents an ongoing privacy risk without adding any value.
How Integrate.io Helps with PII compliance
The Unified Stack for Modern Data Teams
Get a personalized platform demo & 30-minute Q&A session with a Solution Engineer
Why have privacy laws like GDPR been such a headache for some organizations? Often, it’s because they don't have the right infrastructure in place.
Privacy laws all make some big assumptions: that you know everything about the PII held in your database, and that you have full control over how you process it. But these aren't always the case.
A no-code data pipeline like Integrate.io creates a scalable, transparent connection between all of your data sources. It lets you track all the PII that moves within your network and stay compliant with any new privacy laws. Want to see for yourself? Get a 14-day demo of Integrate.io and find out how easy it is to manage your data.