

One of the top ways organizations can ensure security and privacy for personally identifiable information (PII) is to follow data anonymization best practices.

What is PII?

At a high level, PII is data that can be used on its own or combined with other information to uniquely identify a person. The goal of governmental and industry PII regulations is to define and enforce policies to keep that information private. Two examples of well-publicized governmental regulatory frameworks that have defined a set of privacy policies for PII are the European Commission's GDPR framework and the California Consumer Privacy Act (CCPA). Infringement fines from both governmental agencies can be extensive. The GDPR levied over $126 million in financial penalties from its inception to January 2020, and CCPA fines range from $2,500 to $7,500 per record. The challenge with identifying PII is that dozens of data elements are potential personal identifiers. In addition, government websites like the GDPR's information portal that provide PII data descriptions and examples use language that is intentionally vague so as not to limit data elements to a predefined set. Because each of the regulatory frameworks may provide different interpretations of PII, it is best to consult an expert in that specific set of privacy controls. Personally identifiable data covers a wide range of possible data elements.

From a PII perspective, data anonymization is the process of obscuring information in a manner that prevents it from uniquely identifying an individual. Anonymization reduces the risk of accidental disclosure of PII data, and if a data breach does occur, the stolen information will be of no use to attackers.

As far as meeting regulations, anonymized data is considered non-personal data as individuals cannot be identified by it. The ultimate goal of anonymization is to remove the chances of PII exposing an individual while retaining the value of the information to the organization. There is a fine line between anonymizing data and destroying its ability to provide meaningful business insights. To properly protect PII data, businesses must develop a strategic program that defines the roles, rules, processes and best practices the organization will follow to ensure the safety, quality and proper use of its PII data. The program's goal is to provide a blueprint of controls that ensures the effective management of PII data at the enterprise level. The inputs are standard IT community data anonymization best practices as well as corporate, industry-specific and governmental regulatory framework specifications and controls. The program should be a joint business and IT initiative with both departments playing equally important roles. One of the outputs should be a documented set of technology-agnostic controls that have universal application across the organization. Those controls must include a set of robust data anonymization policies and procedures.

A crucial component of protecting any sensitive information is to develop an enterprise-wide awareness program.
