Country/Region
Data Protection and Privacy

7 Steps to Protect Personally Identifiable Information (PII) at the Workplace

June 12th, 2024

Contributor: Anagha Anilkumar, Filip Dimitrov, Anup Narayanan

7 Steps to Protect Personally Identifiable Information (PII) at the Workplace

Personally identifiable information (PII) is any data that can be used to identify an individual, either on its own or when combined with other information. This includes names, addresses, Social Security numbers, email addresses, phone numbers, and other data that can be linked to a specific person.

Organizations have a legal and ethical obligation to protect PII, as its exposure can have severe consequences for affected individuals, such as identity theft or financial loss. The organization itself will also face serious repercussions, such as regulatory fines and a negative impact on its reputation.

This article aims to prepare organizations for handling personally identifiable information in seven steps:

Step 1: Identify and Classify Personally Identifiable Information

Modern organizations handle a lot of data. To protect it, you must first be able to identify and classify it based on its sensitivity. PII, such as names, credit card and social security numbers, and addresses, is highly sensitive and requires strong protection.

So, before we start implementing the appropriate security measures, the first step is to determine the security level required for each piece of information. Once the data is classified, it’s much easier to protect as we will know the criticality of each type of data and can allocate our efforts accordingly.

Step 2: Implement Access Controls and Permissions

Once data is classified, it’s time to implement security measures. The first one that comes to mind is limiting access to sensitive data via strict access controls. Access should be granted on a need-to-know basis, with strong verification and authentication measures to ensure only authorized users can access PII.

Two concepts you should be familiar with regarding access control are the principle of least privilege and role-based access control (RBAC).

Least privilege is a security concept in which users are granted the minimum access necessary to perform their job functions. RBAC is part of least privilege, where you define roles within the organization and assign permissions based on these roles. This ensures that users only have access to the data and systems required for their specific job responsibilities.

Step 3: Encrypt Sensitive Data

Data encryption is the process of converting data into an unreadable format to make it inaccessible to unauthorized users. Encryption helps protect PII, both at rest and in transit. Several encryption methods are available. To ensure high security, it’s best to choose a robust encryption algorithm, such as the Advanced Encryption Standard (AES) with 256-bit keys.

Encrypting data takes time and storage, so it’s best to do it after classifying your data and identifying the PII that’s most critical to protect.

Step 4: Secure Data Storage and Disposal

Where and how you store data has huge implications for its security. Inadequate storage can leave sensitive information vulnerable to breaches, while improper disposal can lead to data being retrieved and exploited by malicious actors. Here are some pointers:

  • Store PII on devices that use strong encryption to protect data from unauthorized access.
  • Establish backup and recovery procedures to prevent data loss and quickly restore data in case of an incident.
  • Physically secure storage locations, such as filing cabinets and server rooms, to ensure they are locked and restricted to authorized personnel only.

Proper disposal procedures are also necessary once you no longer need some PII.

When PII in paper form is no longer needed, shred the documents using a cross-cut or micro-cut shredder. When it comes to electronic data, you can use data-wiping software or hardware-based methods to securely erase data from hard drives, USB drives, and other storage devices.

Step 5: Train Employees on PII Handling Procedures

Employee training and awareness play a critical role in protecting personally identifiable information, as employees handle this data on a daily basis. Proper training ensures that employees understand the importance of PII protection and are equipped with the knowledge and skills to handle it securely.

Here are some essential topics to cover in PII handling training:

  • Identifying PII: Teach employees to recognize PII and understand the types of data that fall under this category. This includes names, addresses, Social Security numbers, email addresses, and phone numbers.
  • Legal and regulatory requirements: Educate employees about the legal and PII compliance obligations related to PII protection, such as GDPR, HIPAA, and other relevant laws.
  • Secure data handling: Collect only the PII that’s absolutely necessary and avoid retaining it longer than necessary. Store it securely with encryption and implement strong access controls.

Step 6: Implement Incident Response and Breach Notification Procedures

Security breaches happen all the time, even to organizations with robust cyber security programs. Your PII protection efforts should also include an incident response plan and breach notification procedures to detect, investigate, and mitigate breaches involving PII promptly.

An effective incident response plan has several components:

  • Roles and responsibilities: Clearly define the roles and responsibilities of team members involved in incident response. Each member should understand their specific duties and the chain of command.
  • Communication protocols: Establish protocols for internal and external communication during an incident. Internal communication ensures that all relevant stakeholders are informed and coordinated. External communication involves notifying affected individuals, regulatory authorities, and possibly the public.
  • Recovery strategies: These are the procedures for handling the incident, including containing and eradicating the threat and getting the systems back to normal.

Step 7: Regularly Monitor and Audit PII Handling Practices

Cyber Security is an ongoing process. The personally identifiable information you handle will change over time, and so will regulations and best practices for protecting it. Staying informed and adapting to these changes is crucial for maintaining the security of your sensitive data.

You should also continuously monitor and audit the state of your PII practices. There are several tools that can help in that process:

  • Data loss prevention (DLP) solutions: Automatically detect and classify PII across your network, endpoints, and storage systems, and Implement data security policies to protect it.
  • Security information and event management (SIEM) systems: These systems provide centralized log management for collecting and storing logs from various sources within your organization. SIEM systems also enable real-time monitoring and analysis of security events, helping identify and quickly respond to potential threats.

With these tools, you can review access and transfer logs for your sensitive data and identify potential misuse or weak points in your PII handling practices.

Ensuring PII Protection is a Shared Responsibility

Protecting personally identifiable information (PII) is essential for an organization’s security and integrity. It requires a comprehensive and proactive approach that can adapt to changing regulations, threats, and best practices. The need to protect PII is a shared responsibility among all employees and requires ongoing vigilance and commitment.

Book a Demo

See How We Reduce Human Cyber Risk

Get a guided demo of our courses, anti-phishing training, behavior assessments and managed services.

We offer slots to support US/ Canada and European time zones.
Book a demo in your working hours.