Understanding And Protecting Personally Identifiable Information

Personally Identifiable Information

Data is a commodity in this digital age. As an individual, you are sharing data about yourself and your browsing habits every time you visit a website. You provide your name and your email address in return for resources that can help you to improve yourself and the way you work. You accept cookies, you share posts on social media, and you think little of it because that is simply the way things are. As businesses, we use this information gathered from website visitors, prospects and clients to guide our decision making processes – to decide what product or enhancements we should launch next, to nurture prospects and ensure that they become customers, and to understand our markets and better target our solutions towards them.

But in the wrong hands, personally identifiable information can be incredibly dangerous. Let’s look at just a few reasons why.

What is Personally Identifiable Information And How Is It Different Than Personal Data?

Personal Identifiable Information (PII) is defined as:

Any information that can be used to find out who a person is. This information is sensitive and could be used for bad things like identity theft, so it is important to keep it from being accessed, used, or shared by people who shouldn’t be able to.

Let’s start with the basics. We talk about personal data all the time, but we rarely discuss personally identifiable information. Because the terms are similar, they are easily confused, or bundled together. But in reality, Personally Identifiable Information, or PII, is a specific type of personal data.

All PII is personal data, but not all personal data is personally identifiable.

When we are looking at a PII definition, we are talking about the kind of information that can be associated with a specific individual. We’re not talking about your browsing history or your demographics – these kinds of information may count as personal data, but cannot be used to identify who you are. Rather, we are talking about specific information directly related to you as a person – your name, ID number, financial details and more.

If you’re based in South Africa or in the UK, you are likely to hear the term personally identifiable information pretty rarely, but our friends and readers in the US are far more likely to have come across it. PII is referred to often in legislation around the Unites States, while South Africa’s POPI Act and the EU’s GDPR are all about protecting personal data rather than PII specifically.

What Is Considered Personally Identifiable Information?

Just as PII is a subsect of personal data, personally identifiable information can also be broken down further – specifically into what’s know as “linked” and “linkable” data.

Linked data is information that can be used to single out an individual. This includes data that is specific to only one person. Some linked PII examples include:

  • Personal email address
  • Home address
  • ID number
  • Passport number
  • Driver’s license
  • Cellphone number
  • Bank account details

A person’s full name can also often be classified as ‘linked’, particularly if the name is unique. But if, for example, your name is John Smith, that information on its own would not necessarily be linked to you as an individual, since both the first name and surname are common around the world.

Linkable data, on the other hand, is information which, on it’s own, could not be used to identify one particular person. Some linkable Personally Identifiable Information examples include a person’s:

  • General location (such as a city or country)
  • Sex or gender
  • Race
  • Religion
  • Workplace
  • Job title

In the example above, the name John Smith would be linkable data, rather than linked. This is because both the first name and the surname are common, and there are plenty of John Smiths out there which the data could be referring to.

However, just because linkable information cannot identify an individual on its own, when combined with other personal data, it is possible to link it to a specific person. Say, for example, you knew that John Smith was a middle-aged man who owned a Nandos in Surrey. While each of these pieces of information on their own would be linkable, rather than linked, information, together they can be used to identify a specific John Smith, rather than one of the 44,935 John Smiths based in the US.

How Can Attackers Use PII?

I mentioned earlier that personally identifiable information can be dangerous in the wrong hands, and when looking at what constitutes PII, you may be starting to understand why. If an attacker knows exactly who you are and what your email address is, it makes it easier for them to plan a social engineering attack, for example. Then there’s the risk of identity theft if an attacker gains access to your ID or passport number, providing them with the opportunity to use them to their own advantage in applying for a credit card, for example, that they would then have access to.

The more information an attacker has about who you are, the more opportunities they have to compromise you or your business using cybersecurity attacks.

How Can You Protect Your Company's PII Under POPIA Or GDPR?

So far, I have been looking at the meaning of PII and what the risks to you as an individual if your Personally Identifiable Information becomes compromised. But it’s not just your own data that you need to be protecting. As a business, you collect, process, store and manage personal data about people every single day. And you have a duty to keep that information protected.

I’m not just talking about a moral obligation, though doing everything you can to protect your clients, prospects and website visitors from potential attacks is certainly the right thing to do. I’m talking about the legislation that regulates the ways that personal data can be processed by businesses.

Europe’s GDPR and South Africa’s POPI Act contain very clear guidelines on how information about individuals can be collected, processed, stored and deleted, and contravening these regulations can have a huge impact on your finances and on your reputation. And while these laws may seem like a burden for businesses, they can also act as an incentive to keep your data as protected as possible.

Some best practices that a business can follow to stay compliant include:

1. Putting Data Collection, Identification And Deletion Policies In Place 

Knowing how your business is generating data, where it’s being stored, classifying personal or Personally Identifiable information and deleting it when it’s no longer needed is part of remaining POPIA and GDPR compliant. By putting policies in place for the collection, tagging and deletion of data, you can make sure that your company isn’t only reviewing your processes once-off, but is regularly monitoring, updating and deleting irrelevant data to protect both existing customers and past clients and prospects.

2. Ensuring That Your Data Is Securely Backed Up 

Part of storing your data securely, whether on-premises or in the cloud, is making sure that you have backups of relevant information to protect it against human error and data corruption. Just as Personally Identifiable Information can be used by attackers, Incorrect and inaccurate personal data can be just as dangerous to your business, particularly if you don’t realise that the data has been tampered with by an attacker. Having backups in place to restore personal data if it does become corrupted or compromised is part of effectively managing your data according to regulations.

3. Managing Access & Permissions 

You want to make sure that the right people have access to the information and tools that they need to do their jobs effectively. But not everyone within a company needs access to your clients’ PII. Your Accounts team may need access to customers’ financial details, but your IT team doesn’t, and neither does your Marketing team. Your IT team may need to use ID numbers and the like to confirm your client’s identities, making sure that they’re speaking to the right people who are authorised to make decisions under an account, but that doesn’t mean that these details should be accessible to every employee.

Making sure that you’re effectively managing the access that your team members have to Personally Identifiable Information will protect both your customers and your business, as it reduces the risk of human error and ensures better data security for your business as a whole.

How Does Microsoft 365 Help You To Protect Personally Identifiable Information?

I’m always amazed at how few people realise the full potential that Microsoft solutions have to protect your business, help you work smarter rather than harder, and see you securing your data. There are plenty of Microsoft features that help you to protect the PII in your company’s possession. These include (but are hardly limited to):

  •  Data Loss Prevention 

Data Loss Prevention, or DLP, is a critical tool in helping businesses to tag sensitive data, manage access to it, and ensure that it is safe from human error. One common way for data to be leaked is through your employees sharing it over email. It’s a simple mistake to make – sending an email to the wrong recipient happens all the time! But when that mail contains confidential or sensitive information, it can be a costly one. Businesses can use Microsoft’s DLP feature to ensure that any data which has been tagged as sensitive, confidential or PII, is blocked from outgoing emails, and prevent it from being shared through Microsoft OneDrive or SharePoint.

  • Azure Active Directory And Information Protection 

Microsoft 365 may be the company’s flagship offering, but businesses shouldn’t forget about Azure and the value that it can hold.

Take Azure Active Directory, or AAD, for example. It provides you with the identity and access management (IAM) tools to control who has access to your business information, and boosts the security of that access through multi-factor authentication. You can even use AAD to setup policies based on where in the world your teams are trying to access data from or the software status of the device that they’re using.

Then there’s Azure Information Protection, or AIP, which offers data classification tools to help you keep track of and protect PII and other personal data. Its integration with other Microsoft 365 apps makes the management of sensitive information seamless, and makes it easy to track data as it moves between cloud apps and solutions.

  • Cloud Service Security

Whether you’re using Microsoft Cloud App Security, or have set up Defender for Microsoft 365 to act as a Cloud Access Security Broker, you will have a great understanding of the apps that your teams are using in their day-to-day roles, and can manage the data that is being transferred to and from those apps. Not only can you encrypt sensitive information while it’s in transfer, but you can also prevent PII from being transformed onto different apps and platforms, allowing you to better control the flow and storage of personal data.

  • Compliance Manager

When you’re talking about legislation like GDPR and POPIA, making sure that your data is being managed in compliance with the acts can be a complicated scenario. But Microsoft is here to help with a compliance management tool that provides you with all the data and details that you need to protect the personal data in your possession. The analytics and reporting functionality that it offers can not only help you to put policies in place for the management of your data, but can help you to ensure that these policies are being followed, and regularly reviewed to ensure that they’re in accordance with the acts and regulations. Compliance Manager makes it far easier to get an overall view of your data in general, and your PII in particular, and ensure that it is being secured as well as possible.

How Can Solid Systems Help?

As an IT services company in South Africa, we are well acquainted with the POPI Act, not only from having implemented data security in our own business to make sure we are compliant, but from helping businesses around the company to secure their Personally Identifiable Information and stay POPIA compliant.

But we’re not just based in South Africa, either. Because we operate as an IT company in the UK as well, we are also well acquainted with the requirements for GDPR, and the similarities and differences between how the POPI Act works, and the EU’s requirements for protecting data.

Add to that the fact that we have been helping businesses to keep their information secure and embrace cloud solutions over two decades, and you can start to understand why we are the ideal partner for helping your business to adopt personal data protection policies, and put the right solutions in place to secure your information and see you growing as a business.

Whether you’re wanting to implement and train your teams on using Microsoft solutions, are wanting to conduct an IT and compliance audit to start your data protection journey on the right foot, you can trust in Solid Systems to provide you with the strategic technology planning and the human, helping hand guiding your business every step of the way. Get in touch with us today to enable your business.

Frequently Asked Questions (FAQs)

What types of data are considered PII?

Personally Identifiable Information can be split into two different types of data – linked and linkable. Linked data is information relating to a specific person, like your personal email address, home address, ID number, passport number or bank account details.

Linkable data is information which could be about any number of different people, but which, when used together with linked data, can provide further details about an individual. Linkable data includes a person’s city, country, sex, gender, race, religion, workplace or job title.

Why is protecting PII important?

Many businesses have started to take the protection of Personally Identifiable Information more seriously over the past few years, as legislation like the EU’s GDPR and South Africa’s POPI Act have come into effect. But in reality, protecting the personal data that your business collects and stores is the right thing for a business to do, regardless of whether laws tell that they should or not. By protecting your clients’ and prospects’ information, you are reducing their risk, and protecting your company’s reputation in turn.

How can organisations protect PII from cyber threats?

Many businesses don’t realise that Microsoft comes packed with features to help you protect your data in general, and your Personally Identifiable Data in particular, from cyber threats. Some of the tools available to businesses include:

  • Data Loss Prevention
  • Azure Active Directory (AAD) and Azure Information Protection (AIP)
  • Cloud Service Security
  • Compliance Manager
What are some best practices for collecting, storing and handling PII?

While GDPR and the POPI Act provide guidelines for protecting you data, there are plenty of ways that your business can go about securing the personal information in your possession. Best practices for the protection of Personally Identifiable Information include:

  • Putting data collection, identification and deletion policies in place
  • Ensuring that your data is securely backed up

Managing access and permissions

What are the consequences of a PII breach?

In the wrong hands, Personally Identifiable Information can be dangerous. Imagine an attacker who knows exactly who you are, where you live and how to reach you over email or telephone. It would make it far easier for them to plan a social engineering attack on you or your company, steal your identity, or defraud your bank into giving them a credit card in your name, which you are responsible for paying. Then imagine the impact for your business if your company was the source of a data leak that led to all of your clients’ details falling into the wrong hands. Your reputation would take a huge hit, not to mention the financial implications of falling foul of GDPR or the POPI Act.

Michael Claxton

Michael Claxton

Co-Founder and CEO of Solid Systems | I am a father of two, and a mentor of many. My calm focus makes me a natural leader, both in and out the office, and I have a unique skill in nurturing leadership qualities in others as well. But most of all, I understand the true value of time and the ways that technology can optimise efficiency within a business and see humans making the most of the time available to them, both in terms of productivity, and in terms of personal growth. 

Didn't find what you were looking for?