Achieving regulatory compliance through PII discovery
By Khushboo Suri | November 27, 2018
A steady stream of new regulations, combined with a year-over-year increase in the number of customer records lost or stolen in data breaches, means that protecting personally identifiable information (PII) has never been more important for businesses across the globe. Accordingly, businesses must move swiftly to achieve regulatory compliance: start PII discovery within their data stores and handle this sensitive information appropriately.
But when one considers that the vast majority of organizational data is unstructured – meaning it is disorganized and not easily searchable – many businesses can’t even begin to diagnose the scope of their risk, let alone take steps to fix it.
The potential risks of PII
Across industries and sectors, unaddressed PII is a growing business risk. In the first six months since the European Union’s sweeping regulations to protect consumer data, GDPR, came into effect, things have been a little quiet. Up to this point, regulators have given businesses a fair amount of leeway to get their PII houses in order. But in an interview with Reuters, European Data Protection Supervisor Giovanni Buttarelli said he expects that the first fines against businesses for GDPR violations will be levied before the end of 2018. Under GDPR, regulators may apply fines of up to four percent of global revenue or 20 million euros, whichever is higher, for breaches.
Though these fines are steep, they could also be quite widespread. According to Gartner, by the end of this year more than half of companies affected by GDPR will still not be in full compliance, and by 2020, 40 percent of organizations will still be in violation.
And GDPR isn’t the only law putting pressure on businesses to protect customer data. Starting in 2020, California joins the states and nations with new rules for handling and retaining PII when the California Consumer Privacy Act comes into effect.
Importantly, even if it weren’t increasingly mandated by law, it would still be in businesses’ best interest to identify and contain sensitive data. According to the 2018 Cost of a Data Breach Study: Global Overview, the average cost of a data breach is $3.86 million, a 6.4 percent increase over last year. Increases in the average cost per record lost and in the size of data breaches were also reported. Hard numbers aside, consumer data breaches can cause major reputational damage that can take years to overcome.
Mitigating the PII risk
The annual data breach study also reported that companies’ ability to identify and contain a breach is a key factor in mitigating costs when a data breach does occur. The best way for companies to mitigate cost, though, is to work hard to reduce the risk of a breach – and of regulatory compliance fines – by implementing a PII discovery plan to identify all sources of PII within their data stores and applying enhanced security measures to that sensitive information.
The challenge, of course, is that you can’t protect data that you don’t even know you have. Whether it’s paper documents, text that has been scanned into simple image format, nested email threads or one of countless other sources, most businesses are sitting on a minefield of unstructured PII and data.
A 4-step plan to PII discovery
How, then, can businesses begin to get a handle on the data encompassed by privacy regulations?
- The first step is identifying the business’s PII footprint, which is best done by conducting a PII audit.
- Next, files containing PII must be categorized and tagged so that businesses can isolate PII and ensure it is stored, accessed and utilized according to regulations.
- Companies should seek to minimize their PII footprints by deleting redundant information and redacting PII wherever possible.
- Lastly, and only once the full scope of organizational PII has been determined, companies need to take the appropriate steps to cordon off their PII and encrypt the data and/or employ other security measures.
Given the high volume of data in most businesses’ possession, carrying out these steps manually would be restrictive, if not impossible. Instead, businesses should automate the process as much as possible, using technology to digitize and scan documents and converting them to a unified format – ideally PDF – before analysis.
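The first three steps of the plan, automated over a handful of text records, as an added example that is not part of the original post: the sample documents and the detection patterns are constructed assumptions (a real audit would add locale-specific formats, OCR output and many more categories), and the encryption step is left to the storage layer.

```python
import hashlib
import re

# Constructed sample "unstructured" records for illustration only (not real data).
DOCUMENTS = {
    "support_ticket_17.txt": "Customer Jane Doe (jane.doe@example.com) called from 555-123-4567 about her refund.",
    "hr_scan_ocr.txt": "Employee onboarding form. SSN: 123-45-6789. Start date 2018-03-01.",
    "hr_scan_ocr_copy.txt": "Employee onboarding form. SSN: 123-45-6789. Start date 2018-03-01.",
    "release_notes.txt": "Version 2.4 adds PDF export and fixes a crash on startup.",
}

# Heuristic detectors, one per PII category. These regexes are assumptions made
# for the example; the middle-group length keeps phone and SSN formats distinct.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def audit(documents):
    """Steps 1 and 2: discover which PII categories each document holds and tag it."""
    tags = {}
    for name, text in documents.items():
        found = sorted(cat for cat, rx in PII_PATTERNS.items() if rx.search(text))
        if found:  # documents without PII stay untagged and out of scope
            tags[name] = found
    return tags


def find_redundant(documents):
    """Step 3a: flag byte-identical copies so the PII footprint can be shrunk."""
    seen, redundant = {}, []
    for name in sorted(documents):
        digest = hashlib.sha256(documents[name].encode()).hexdigest()
        if digest in seen:
            redundant.append(name)
        else:
            seen[digest] = name
    return redundant


def redact(text):
    """Step 3b: replace every PII match with a category placeholder."""
    for cat, rx in PII_PATTERNS.items():
        text = rx.sub(f"[REDACTED:{cat}]", text)
    return text


if __name__ == "__main__":
    for name, cats in audit(DOCUMENTS).items():
        print(f"{name}: {', '.join(cats)}")
    print("redundant copies:", find_redundant(DOCUMENTS))
    print(redact(DOCUMENTS["support_ticket_17.txt"]))
```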
The proliferation of PII is a massive business risk for organizations. To prevent costly regulatory compliance infractions and other problems, businesses must take immediate steps to identify PII within their data stores and take steps to protect that sensitive data.