Data breaches can happen to any company, regardless of size or technical resources. In April 2021, Facebook’s reputation took a massive hit when a data breach impacted more than half a billion users.

The worst kind of data breach involves personally identifiable information (PII). PII is essentially any data that contains sensitive details about real people, such as customers and employees. Unauthorized disclosure of this information can cause real pain for affected individuals, as well as severe reputational damage to an organization.

What can you do to prevent a security incident on your network? Here’s a seven-step checklist to help you prevent a breach of PII.

Table of Contents

  1. Identify and Classify PII
  2. Map Your Data Flows
  3. Build a PII Policy
  4. Implement Secure Data Infrastructure
  5. Restrict User Access to PII
  6. Prepare a Breach Response
  7. Monitor and Respond
  8. How Can Help Protect PII

1. Identify and Classify PII

Personally, Identifiable Information is anything that can identify a specific individual. The exact legal definition varies, depending on relevant legislation. For instance, PII under CCPA includes:

Direct identifiers: details like name, address, date of birth, phone number, driver's license details, or social security number (SSN)

Indirect identifiers: information that can track back to a person, like a username, ID number, or vehicle registration

Financial information: credit card numbers, bank details, or information that grants access, such as a mother’s maiden name or SSN

Biometric data: this can include fingerprints, facial and voice ID, or typing recognition

Internet data: website and app logs may contain information that identifies individual users, and GPS apps may contain geolocation data

Protected class data: Anti-discrimination covers some PII data, such as details of the race, gender, or sexual orientation

It's also worth being aware of Protected Health Information (PHI), which is covered by a law called HIPAA.

When identifying PII, the most important question is, “does this data point to a specific person?” If so, it’s best to treat such information as PII.

2. Map Your Data Flows

Data is most vulnerable when it’s in motion, so it’s important to know when PII moves from one location to another. Examine your data integrations and ask these questions:

  • Is this data movement essential for business purposes?
  • Have we implemented all possible safeguards?
  • Are we using a trusted third party when working with cloud services?
  • Where is the physical location of data? Will it cross state or national borders?

If you control the flow of data, you’ll avoid loss of control and have a better chance of preventing data breaches.

3. Build a PII Policy

Ideally, you should have a data governance framework in place to help manage PII. If you don't, the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) should implement one as soon as possible. Data governance is the platform for your privacy program.

Your PII policy should cover the key aspects of working with personally identifiable information. The EU’s GDPR directive lists six core principles for data processing, offering a solid base for any PII policy. They state that PII processing should:

  • Be lawful, transparent, and fair
  • Be for essential business purposes only
  • Use as little personal information as possible
  • Be accurate and timely
  • Complete within a reasonable timeframe
  • Guarantee integrity and confidentiality

These principles are a good place to start, even if GDPR doesn’t apply to your organization.

4. Implement Secure Data Infrastructure

The right infrastructure can drastically reduce your risk of unauthorized access to PII. When designing your network, you’ll need to think about:

Cybersecurity: Your core network needs enterprise-grade cybersecurity tools. If your team works remotely, their devices will require their own cybersecurity protection.

Encryption: You need to encrypt PII while it’s in transit. You will also require the capacity to decrypt data on the receiving end.

Storage: You might centralize your data in a warehouse or lake, in which case you’ll need to think about whether to remove PII or store it securely.

Data pipeline: A secure pipeline will allow you to move data between systems. Cloud-based ETL (Extract, Transform, Load) makes it easy to create a secure and compliant data pipeline.

It’s a good idea to consult with an experienced data architect about building a reliable infrastructure.

5. Restrict User Access to PII

Who counts as an authorized user? Often, it depends on the nature of the data. For instance, salespeople might not need access to existing customer data, while service operatives may have no reason to see data on potential leads.

Role-based access controls help ensure that people only access relevant data. When defining these roles, ask questions like:

  • Who needs this data?
  • Why do they need this data?
  • Can we automate the process related to this data?
  • Can we mask or obfuscate some of the personal information?

The fewer people with access to PII, the lower the risk of a data breach.

6. Prepare a Breach Response Plan

Breaches can happen, so it’s essential to be ready with your incident response plan. The FTC recommends a three-step plan:

  • Secure: Take immediate action to prevent further unauthorized access
  • Repair: Address any vulnerabilities and fix all structural weaknesses
  • Notify: Issue a breach notification letter to any affected parties so they know they’ve been the victim of a breach. Notify law enforcement if necessary.

The final step is critical. Data breaches can lead to identity theft, which is a source of genuine misery for many. By issuing a prompt notification, you can help people take immediate corrective action. Look for a sample breach notification letter to send to affected individuals on the FTC website.

7. Monitor and Respond

Most PII breaches happen without anyone noticing. It takes an average of 207 days for most companies to identify and repair a breach, which gives cyber criminals plenty of time to exploit the stolen data.

Every company should have an active monitoring team that watches for potential breaches. Ask questions like:

  • Who is responsible for PII security monitoring? Do we have a dedicated privacy officer?
  • Does everyone know how to complete an incident report?
  • Do we have clear reporting requirements for a potential breach of PII?
  • Are we logging and checking data access requests?
  • How do we test our network for vulnerabilities?

If you have a monitoring team in place, they can get breach notifications sooner rather than later. This could reduce the total time to repair a breach and minimize the number of individuals involved — plus the team can help prevent breaches from happening in the first place.

How Can Help Protect PII

Infrastructure is the key to safeguarding PII. With the right data pipeline in place, your organization can enjoy secure data transactions. can help you build your data pipeline. We fully comply with all major privacy regulations. Whether you’re worried about a privacy act like GDPR or CCPA, you can relax, knowing that your data is in safe hands.

Want to see how it works for yourself? Check out all the features of when you sign up for our 14-day demo.