Challenges of Managing Personally Identifiable Information
Effectively Managing PII is Crucial to Ensure Compliance with Privacy Laws and Maintain Customer Trust.
One acronym that is popular today is TMI, too much information. It comes into play when the narrator includes information that is too personal, too revealing for comfort. What happens, though, when personal information is not under the control of its owner but is out in public, and that information is personally identifiable? Exposed PII (Personally Identifiable Information) can lead to identity theft, fraud and other damaging acts. For your business, managing PII well is crucial to comply with privacy laws and keep customer trust.
The Office of Management and Budget (OMB) defines personally identifiable information as: “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
To do business, though, you often need this information. For example, Know Your Customer (KYC) laws require financial companies to accurately identify people when opening accounts and in ongoing record keeping. By carefully analyzing data handling procedures, establishing ongoing policies and building a data-safe culture, your company can handle PII safely and stay in good standing with both regulators and consumers.
Minimize Data Risk
What is the minimum amount of PII that you need to collect? Every extra piece of data beyond that increases your risk and, often, is just another hurdle for your customers to clear. Many data collection requirements haven't been examined in years and are simply there as a legacy. Re-examine your present data requirements and make sure your data requests match them.
What is the minimum amount of time that you need to store the PII? For every type of PII, consider your legal requirements to retain that data and the practical requirements that keep your business running smoothly. In many cases you use the data only once, so hold it for a limited time (to confirm accuracy or retry a procedure), but temporary data doesn't need to go into long-term storage. Establish data purge rules for all the PII you collect, and make sure there's a system in place to follow those rules.
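The two questions above, minimum fields and minimum retention, can be enforced by the same small piece of code. The sweeper below is an added example written for this article, not Trulioo's own code: a per-field retention policy is the single list of fields you are approved to collect, so anything outside it is reported as an unapproved collection, and anything inside it is redacted once its window has passed, unless the record is under a legal hold. The field names, retention windows and the two sample records are constructed for illustration; real windows come from your own legal and business requirements.

```python
from datetime import datetime, timedelta, timezone

# Assumed per-field retention windows, in days after collection. A field that
# is not listed here is not approved for collection at all (data minimisation).
# None means the field is kept for the life of the account.
RETENTION_DAYS = {
    "customer_id": None,
    "full_name": 2555,          # assumed seven-year record-keeping window
    "date_of_birth": 2555,
    "id_document_image": 30,    # assumed: only needed to complete or retry verification
    "selfie": 30,
    "ip_address": 90,
}

REDACTED = "[purged]"
META_FIELDS = ("collected_at", "legal_hold")


def purge_expired(record, now, policy=RETENTION_DAYS):
    """Return (cleaned_record, purged_fields, unapproved_fields).

    record holds 'collected_at' (timezone-aware datetime), an optional
    'legal_hold' flag and the PII fields. Expired fields are replaced with
    REDACTED rather than dropped, so downstream code sees an explicit marker.
    Fields absent from the policy are reported so the intake form can be
    trimmed. The input record is not modified.
    """
    collected_at = record["collected_at"]
    on_hold = record.get("legal_hold", False)
    cleaned = dict(record)
    purged, unapproved = [], []
    for name, value in record.items():
        if name in META_FIELDS:
            continue
        if name not in policy:
            unapproved.append(name)
            continue
        days = policy[name]
        if days is None or value == REDACTED or on_hold:
            # Lifetime field, already purged, or litigation/regulatory hold
            # overrides the purge window.
            continue
        if now >= collected_at + timedelta(days=days):
            cleaned[name] = REDACTED
            purged.append(name)
    return cleaned, sorted(purged), sorted(unapproved)


def sweep(records, now):
    """Run the policy over every record; return (customer_id, purged, unapproved) per record."""
    report = []
    for record in records:
        cleaned, purged, unapproved = purge_expired(record, now)
        report.append((cleaned["customer_id"], purged, unapproved))
    return report


# Constructed sample records (not real data).
COLLECTED = datetime(2024, 1, 1, tzinfo=timezone.utc)
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # 152 days later
SAMPLE = [
    {"customer_id": "c-1001", "full_name": "Ada Example", "date_of_birth": "1980-01-01",
     "id_document_image": "<bytes>", "selfie": "<bytes>", "ip_address": "203.0.113.7",
     "collected_at": COLLECTED},
    {"customer_id": "c-1002", "full_name": "Bob Example", "id_document_image": "<bytes>",
     "mothers_maiden_name": "Smith",   # never approved: the form should stop asking
     "collected_at": COLLECTED, "legal_hold": True},
]

if __name__ == "__main__":
    for line in sweep(SAMPLE, DEMO_NOW):
        print(line)
```

Run on a schedule, the report doubles as evidence for a regulator that the purge rules are actually followed; the `unapproved` column is the signal to go back and cut the intake form.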
Maximize Data Safety
What barriers are preventing you from implementing the highest data safety and security standards? On the digital side, you need to keep pace with the technology: strong passwords and access controls so that only valid users can reach the data; encryption, at rest and in transit, to keep sensitive data in a protected format; limiting data transfer to absolutely essential uses, and only over secure, firewall-protected networks; and up-to-date software with the latest security patches and virus/malware detection.
Physical security is just as important as digital security and includes: secured building access, locks on data file cabinets and storerooms, and a paper destruction policy to get rid of old documents securely. The people who handle the data matter just as much:
- Thorough screening of candidates before they become employees weeds out criminals and other security risks.
- Each employee needs training on the specific policies and clear guidance on how to handle sensitive data.
- Set up data use policies restricting employee access to only the data they need to do their jobs.
- Even with restrictions in place, ongoing monitoring is necessary to detect and deter unwarranted access.
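The last two points, need-to-know access and monitoring, are easiest to get right when every read of a customer record goes through one place that checks the caller's role field by field and writes an audit entry whether or not the read succeeds. The code below is an added example for this article, not Trulioo's own implementation: `PiiStore` fails closed on any field outside the role's allowance, and `flag_unusual_access` then reads the audit trail for the two patterns that restrictions alone do not catch, a user touching far more customers than one task needs and a user repeatedly asking for fields they are not allowed. Role names, field names, thresholds and the sample records are all assumptions.

```python
from collections import defaultdict

# Assumed role -> fields mapping: each role sees only what its job requires.
ROLE_FIELDS = {
    "support": {"customer_id", "full_name", "email"},
    "kyc_analyst": {"customer_id", "full_name", "date_of_birth", "id_document_image"},
    "marketing": {"customer_id"},
}


class AccessDenied(PermissionError):
    pass


class PiiStore:
    """Wraps customer records so every read is authorised per field and logged."""

    def __init__(self, records, role_fields=ROLE_FIELDS):
        self._records = {r["customer_id"]: r for r in records}
        self._role_fields = role_fields
        self.audit_log = []   # one entry per read attempt, allowed or denied

    def read(self, user, role, customer_id, fields, purpose):
        allowed = self._role_fields.get(role, set())
        denied = sorted(f for f in fields if f not in allowed)
        self.audit_log.append({
            "user": user, "role": role, "customer": customer_id,
            "fields": sorted(fields), "denied": denied, "purpose": purpose,
        })
        if denied:
            # Fail closed: no partial result when any requested field is off-limits.
            raise AccessDenied(f"{user} ({role}) may not read {denied}")
        record = self._records[customer_id]
        return {f: record[f] for f in fields}


def flag_unusual_access(audit_log, max_customers=3, max_denials=2):
    """Return {user: [reasons]} for users whose access pattern warrants review.

    Thresholds are assumed; tune them to what a normal task actually needs.
    """
    customers = defaultdict(set)
    denials = defaultdict(int)
    for entry in audit_log:
        customers[entry["user"]].add(entry["customer"])
        if entry["denied"]:
            denials[entry["user"]] += 1
    flagged = {}
    for user in set(customers) | set(denials):
        reasons = []
        if len(customers[user]) > max_customers:
            reasons.append(f"{len(customers[user])} distinct customers")
        if denials[user] >= max_denials:
            reasons.append(f"{denials[user]} denied reads")
        if reasons:
            flagged[user] = reasons
    return flagged


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"customer_id": f"c-{n}", "full_name": f"Customer {n}", "email": f"c{n}@example.com",
     "date_of_birth": "1980-01-01", "id_document_image": "<bytes>"}
    for n in range(1, 7)
]


def demo():
    """Three users: one normal ticket, one probing outside the role, one bulk pull."""
    store = PiiStore(SAMPLE_RECORDS)
    store.read("alice", "support", "c-1", ["full_name", "email"], "ticket 4411")
    for cid in ("c-1", "c-2"):
        try:
            store.read("mallory", "support", cid, ["full_name", "date_of_birth"], "curious")
        except AccessDenied:
            pass
    for r in SAMPLE_RECORDS:   # allowed field, but every customer in the store
        store.read("eve", "marketing", r["customer_id"], ["customer_id"], "campaign")
    return store


if __name__ == "__main__":
    print(flag_unusual_access(demo().audit_log))
```

Logging the denied attempts is the part most often skipped; the denial itself protects the data, but it is the pattern of denials that tells you who to talk to before they find a path that is not blocked.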
PII Best Practices
Here at Trulioo, our business revolves around PII and it is mission-critical that we follow these and other best practices for PII handling. Our customers and data partners, and the customers they serve, trust that we do everything possible to ensure privacy and security.
One significant distinction that we offer is that we do not retain the data. By default, Trulioo does not store customer data; vendors within GlobalGateway are prohibited from using or retaining customer data for any purpose other than providing identity verification services.
The increasing power of organizations to aggregate, collect and store personal information requires an increase in the power of the individual over their PII. Either companies start taking this responsibility extremely seriously, or there will be a legal backlash, such as Europe’s Right to be Forgotten Law. Each company needs to ensure they presently have the policies and tools in place to comply with the law and consumer demand. Just as important, companies need to develop systems and values that respect personal information as we proceed into the connected future of big data.
The purposes, requirements, and technology affecting identity verification have changed dramatically. Organizations relying on implied authorization or other legal constructs for the ability to process consumers' personal information are taking risks that could be avoided by incorporating consumer consent into their verification and business processes.
Find out why consumer consent is not only fundamental, but both feasible and beneficial as a business solution.