Sensitive PII is data that, if exposed, could put an individual at risk of harm. Examples include:
This type of data isn’t publicly available and requires extra security measures due to its potential impact for misuse. For example, criminals can use personal details and bank records to commit identity theft. Some privacy laws apply additional restrictions to certain types of sensitive PII.
Non-sensitive PII is data that, on its own, wouldn’t necessarily harm an individual if exposed. Some examples include:
Unlike sensitive PII, this type of data is often available via public sources like social networking sites, corporate directories, phone books, and public records. Non-sensitive PII has fewer privacy requirements, but companies should still implement data restrictions to prevent unauthorized access. This is because non-sensitive PII can become sensitive PII depending on the context (e.g., names of people who visited a medical facility).
Securing PII is a shared responsibility across multiple stakeholders.
Individuals are responsible for protecting their own PII, which means using strong passwords, securing their devices, and exercising caution in the data they share. They should also monitor their accounts and personal records for any signs of unauthorized access.
At the organizational level, protecting PII is a company-wide effort that involves various roles and responsibilities:
With these responsibilities in mind, let’s look at why securing PII is so important for an organization.
Canada has several laws and regulatory bodies that protect the privacy of its citizens’ data. Two key pieces of legislation include:
The General Data Protection Regulation (GDPR) is Europe’s main privacy and security law. It contains 99 articles across 11 chapters describing the data rights granted to EU/UK residents. The risks of non-compliance include fines of up to €20 million or 4% of global annual revenue.
The GDPR’s definition of PII, or “personal data”, is the most comprehensive among PII regulations. Personal data includes:
Protection requirements are another key distinction. Directly identifiable data, which can identify an individual without additional information (e.g., full names, passport numbers), is protected under the GDPR, but the GDPR also mandates the protection of all personal data regardless of its sensitivity level, meaning sensitive and non-sensitive PII are both protected.
Read more: GDPR Compliance Made Easy
The United States has multiple state laws and one federal law for PII. These include:
Other notable privacy laws include:
Read more: How to Achieve Global Data Privacy Compliance
Compliance with privacy regulations is critical for businesses managing sensitive customer data. In addition to regional privacy laws, some industries have their own unique requirements for handling personal data.
Certain US industries have their own data privacy regulations. Each has different requirements for how organizations should collect, store, and handle PII.
The Health Insurance Portability and Accountability Act (HIPAA) was established to set comprehensive regulatory standards for healthcare organizations to safeguard protected health information (PHI). Non-compliance with HIPAA can result in heavy penalties. One medical center was hit with a $4.75 million penalty after an investigation revealed an employee unlawfully accessed and sold the PHI of over 12,000 patients.
Companies ranging from direct-to-consumer healthcare providers to healthcare technology solutions must ensure the privacy and security of any PHI they collect.
Read more: How to Guide: Four PII Protection Best Practices in Healthcare
The Gramm-Leach-Bliley Act (GLBA) is a financial privacy law that requires financial institutions to safeguard and ensure the confidentiality of their customers’ financial data. Penalties for non-compliance include fines of up to $100,000 for each violation or imprisonment for up to five years.
In this case, “financial institutions” refer to more than just banks—the law also applies to mortgage brokers, tax preparers, and fintech companies. The Federal Trade Commission (FTC) recently strengthened a key component of GLBA called the Safeguards Rule. It requires financial institutions to regularly test the effectiveness of their data security safeguards.
Read more: Avoiding the Five Cardinal Sins of Fintech Data Privacy
The Payment Card Industry Data Security Standard (PCI DSS) sets standards for companies that store and process cardholder data. With the exception of cash-based businesses, companies must adhere to the PCI DSS. Penalties for non-compliance can range from $5,000 to $100,000 per month and may result in termination of the merchant account or blacklisting by the card networks.
Read more: A Guide to the 4 Levels of PCI Compliance
These are just a few PII regulations that apply to specific industries. As privacy laws continue to change and new legislation passes, staying up to date with compliance requirements is critical.
Organizations often struggle to protect PII because they don’t realize the extent to which the data has proliferated throughout their systems. Understanding how data proliferates is essential to securing and governing access.
For example, a company using a CRM system might copy customer data into a data warehouse for analysis. The development team could then move this data into a testing environment, while sales and product teams share it across systems to streamline workflows. In some cases, employees may even inadvertently expose data to AI models, as Samsung discovered with ChatGPT.
Here’s what sensitive data sprawl can look like in traditional infrastructures:
Even if the data is secure in its original location, replication across multiple systems introduces significant security risks and leads to sensitive data sprawl. When PII is duplicated and scattered across systems, it creates new access points for cybercriminals and complicates compliance with privacy laws like GDPR, which require the deletion of personal data on request.
Read more: What Is Sensitive Data Sprawl and How Can You Prevent It?
To address these challenges and minimize the risks of sensitive data sprawl, organizations need a focused approach to PII data security.
Data is often called “the new oil” for its value in unlocking insights. But it can also become a massive liability when it’s not handled correctly.
Here’s how to protect and safeguard PII data:
Follow the principle of “data minimization” by only collecting and retaining the PII needed for specific tasks. A retailer, for example, should only collect the data needed to process transactions, such as names and addresses.
Additionally, audit logs must be maintained to track and monitor how sensitive data is accessed and used. Monitor all data access activities regularly to detect malicious misuse or potential security incidents.
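The monitoring step above, as an added example that is not part of the original article: a small detector run over a constructed audit log of PII reads. The log format, user names and thresholds are invented for illustration; it flags users who touch more distinct customer records than a baseline allows, and exports by roles that are not permitted to export.

```python
import re
from collections import defaultdict

# Constructed sample audit log (format and entries invented for this example):
# who read or exported which customer record, and when.
AUDIT_LOG = """\
2024-05-01T09:00:12Z user=jdoe role=support action=read customer_id=1001
2024-05-01T09:02:40Z user=jdoe role=support action=read customer_id=1002
2024-05-01T09:05:03Z user=jdoe role=support action=read customer_id=1001
2024-05-01T09:10:55Z user=mbrown role=support action=read customer_id=1003
2024-05-01T22:14:01Z user=pvance role=analyst action=export customer_id=1004
2024-05-01T22:14:02Z user=pvance role=analyst action=export customer_id=1005
2024-05-01T22:14:03Z user=pvance role=analyst action=export customer_id=1006
2024-05-01T22:14:04Z user=pvance role=analyst action=export customer_id=1007
2024-05-01T22:14:05Z user=pvance role=analyst action=export customer_id=1008
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) action=(\S+) customer_id=(\d+)$")

def parse(log_text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, role, action, cid = m.groups()
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "customer_id": cid})
    return events

def find_misuse(events, max_distinct=3, exports_allowed=("compliance",)):
    """Return (user, reason) alerts for access patterns that look like privilege misuse.

    max_distinct is a hypothetical per-day baseline; tune it per role in practice.
    """
    distinct = defaultdict(set)
    alerts = []
    for e in events:
        distinct[e["user"]].add(e["customer_id"])
        if e["action"] == "export" and e["role"] not in exports_allowed:
            alerts.append((e["user"], "export-by-" + e["role"]))
    for user, ids in distinct.items():
        if len(ids) > max_distinct:
            alerts.append((user, f"{len(ids)}-distinct-customers"))
    return sorted(set(alerts))
```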
Unprotected data is an easy target for cybercriminals. Consider the 2017 Equifax data breach, one of the largest breaches on record, involving the personal data of over 143 million people. Attackers successfully located and transferred unencrypted PII out of the company’s network. In this case, stronger encryption protocols could have reduced the impact of the breach.
Encryption scrambles readable text into ciphertext, rendering it unreadable without the decryption key. Implement strong encryption for PII when it’s stored (at rest) and when it’s being transmitted (in transit) to protect against unauthorized access.
A data privacy vault with polymorphic encryption allows encrypted data to remain easily usable without first being decrypted.
Read more: What is Polymorphic Encryption?
In 2021, a security researcher discovered that a non-password-protected database owned by DreamHost exposed 814 million records. The incident is a good reminder that organizations need to enforce strong passwords. Of course, even passwords can be compromised through breaches or phishing attacks, which is why multi-factor authentication (MFA) has become standard practice.
Logging PII with certain application events can give engineering teams insights into their systems, helping them identify issues and optimize performance. However, doing so presents security and compliance risks.
Avoid logging PII in its original form to prevent sensitive data from falling into the wrong hands. Tokenization swaps sensitive data with randomized strings, a process that can only be reversed by users authorized to access the tokenization system. This allows teams to write sensitive data safely to a log without risking exposure.
Read more: Keep Sensitive Data Out of Your Logs: 9 Best Practices
In 2024, 68% of data breaches involved human error, such as falling victim to social engineering attacks. Human error also includes privilege misuse, which occurs when users abuse their access privileges to gain unauthorized access to sensitive data. With fine-grained access control, companies can restrict data access at granular levels and ensure certain roles only see the minimum necessary data for their jobs.
Read more: What is Fine-Grained Access Control for Sensitive Data?
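The two practices above, tokenizing PII before it reaches a log and detokenizing it under fine-grained access control, as one added example that is not part of the original article and not Skyflow's API. The in-memory vault, the role names and the policy table are hypothetical; tokens are random strings with no relationship to the value, and every detokenize attempt is recorded so the audit trail the earlier section calls for exists.

```python
import secrets

# Hypothetical role policy (constructed for this example): which fields a role may
# detokenize and at what level. "plain" = original value, "masked" = partial, absent = denied.
POLICY = {
    "support":       {"email": "masked"},
    "fraud_analyst": {"email": "plain", "ssn": "masked"},
    "compliance":    {"email": "plain", "ssn": "plain"},
}

def mask(field_name, value):
    """Return only what a reviewer needs: last 4 of an SSN, first letter plus domain of an email."""
    if field_name == "ssn":
        return "***-**-" + value[-4:]
    if field_name == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return "***"

class TokenVault:
    """Illustrative in-memory vault; a real deployment keeps these maps outside the app."""
    def __init__(self):
        self._by_token = {}   # token -> (field_name, value)
        self._by_value = {}   # (field_name, value) -> token
        self.audit = []       # every detokenize attempt, allowed or denied

    def tokenize(self, field_name, value):
        # Same value -> same token, so log lines about one customer still correlate.
        key = (field_name, value)
        if key not in self._by_value:
            token = f"tok_{field_name}_{secrets.token_hex(8)}"
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def detokenize(self, token, role):
        field_name, value = self._by_token[token]
        level = POLICY.get(role, {}).get(field_name)
        self.audit.append({"role": role, "token": token, "allowed": level is not None})
        if level is None:
            raise PermissionError(f"role {role!r} may not view {field_name}")
        return value if level == "plain" else mask(field_name, value)

def log_signup(vault, email, ssn):
    """Build an application log line that carries tokens instead of the PII itself."""
    email_tok = vault.tokenize("email", email)
    ssn_tok = vault.tokenize("ssn", ssn)
    return f"signup ok email={email_tok} ssn={ssn_tok}"
```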
Sensitive PII gets copied and replicated across various applications and services in traditional system infrastructures, making it difficult to secure PII and meet compliance requirements.
A data privacy vault addresses these challenges by isolating sensitive data from other systems. Solutions like Skyflow’s Data Privacy Vault provide a centralized, secure vault for sensitive data and maintain its usability for applications and analytics.
Read more: What Is a Data Privacy Vault?
Without a data protection strategy, organizations risk exposing customers’ PII and incurring penalties for non-compliance.
A data privacy vault secures customer data and enables compliance with privacy laws. It eliminates sensitive data sprawl by isolating and securing PII at its source.
Unlike fragmented security tools, a data privacy vault should provide:
Whether companies operate in fintech, healthcare, or retail, a data privacy vault offers a comprehensive solution for protecting sensitive data and achieving global compliance.
Common PII violations include unauthorized access or disclosure of PII, improper storage, and failure to obtain consent.
Examples of misusing personal data include sharing PII without consent, selling data to third parties without permission, failing to properly secure data, and using information in a manner inconsistent with its original purpose (see: Twitter uses your 2FA number for advertising).
PII is often difficult to identify. It can be linkable or unlinkable data: if it can be used to identify an individual, it’s PII. Even unlinkable data, like names and genders, can be PII.
Common data classification categories include:
Classifying data can help companies implement the proper controls.
Collecting data can unlock valuable insights. However, companies must tread carefully when collecting and processing personal data, especially given the scope of privacy laws like the GDPR and CCPA. PII violations can result in massive penalties and erode customer trust. A data privacy vault enables organizations to secure sensitive data, comply with regulations, and maintain business agility.
Learn how you can build a secure and best-in-class infrastructure that safeguards PII and simplifies compliance.