How PII Data Works In Businesses And Its Advantages
There has been a lot said recently about data privacy and personally identifiable information (PII), but to understand what all the fuss is about, you have to know what PII data really is.
Earlier this year, the institution of the General Data Protection Regulation (GDPR) and the Singapore Consumer Privacy Act of 2018 ensured that talk of PII data dominated the headlines and had businesses scrambling to better understand what it is, when they collect it, and how they use it.
The ever-changing world of internet privacy and data practices is evolving, and businesses and consumers alike are changing the way they look at personal information. It’s now more important than ever for businesses to understand what PII data is and how they can use it.
What is PII data?
Personally identifiable information, or PII data, is any piece of data that can be used on its own or in conjunction with another piece of information to identify a physical person.
Put simply, if you can use a piece of information to identify an individual, that information is considered PII data. Think of it like a puzzle – even if you can’t make out the picture with one piece, that piece can be used along with others to form the complete image. The same concept applies to personal information.
Whether data is legally considered PII data or not depends on the country in which you’re located and your own nationality, as the definition of PII data varies from region to region. Some data commonly considered to be PII data are:
- Social security numbers
- Driver’s license or ID numbers
- Phone numbers
- Medical records
- Biometric data
- Birth locations
- License plate numbers
While this is just a basic list, be aware that the definition of PII data can change as laws and regulations catch up to today’s digital reality. For example, as of May 25, 2018 — with the enactment of the GDPR in Europe — an IP address is now considered PII data.
Do You Collect Personally Identifiable Information?
Now that you know what PII data is, you need to determine whether your business collects, stores, and uses it. Of course, signup forms and checkout processes are obvious sources of data collection, but it’s possible that you – or the third-party services you use – collect even more PII data than you realize.
When scouring your website for all the places and ways in which you collect PII data, there are a few key areas to keep mind:
- Direct collection through forms: Signup forms are the most obvious culprits for data collection, as users are prompted to manually enter their own information. Any form or data field in which users can enter their information is likely to gather and store PII data. Depending on how your website and servers are set up, you may be collecting this data regardless of whether or not the user submits it.
- Analytics tools: Website analytics are integral to the continued and growing success of any online business. Analytics tools like Google Analytics and Crazy Egg make it easy to better understand user intent and behavior. While these types of solutions tend to look at aggregate data – as opposed to individual users – when they create reports, they may still collect user information such as geographic locations and IP addresses.
- Geotargeting: Geotargeting technology may collect a user’s exact location based off a person’s unique mobile device, or obtain a broader location, such as their city or state. This information can be used to serve up more relevant content to the user, but if the data collected is coupled with another piece of data, it could be used to identify a physical person.
- Point of Sale systems (POS): Modern POS systems are often digital and are seen at the checkout page of an ecommerce or SaaS website. These systems collect customer information such as names, telephone numbers, and email addresses. POS solutions will also have access to credit card data and other payment information.
- Customer relationship management software (CRM): GDPR CRM compliance can be an invaluable tool for any burgeoning online business, as it helps to develop a closer relationship between you and your users. Your sales and marketing teams – or whoever runs your CRM – will collect and store information on potential and current customers through a CRM.
- Customer support: Whenever a user contacts you or your customer support team, you will most likely get their email address or phone number, their name, and sometimes personal address and more. Many businesses employ contact center software to store this information and keep it on file.
While this list is fairly comprehensive, it’s by no means exhaustive. You’ll need to spend some time with your IT department – or on your own if necessary – to determine each and every way you might collect PII data.
As you’ll find in the next section, not accounting for even a single data collection point could put your entire business at risk.
Does PII Data Put Your Business at Risk?
Regarding the regulations that pertain specifically to PII data, the three areas you typically need to address are collection, consent, and handling.
While new laws and regulations are due to be enacted in the near future — such as the ePrivacy Regulation — there are currently three prominent regulations that can have huge financial impacts on your business as a result of your information practices.
The General Data Protection Regulation became enforceable in May of 2018, and applies to any business that’s located in the European Union (EU) or collects PII from data subjects of the EU — even if you aren’t an EU-based business.
Although GDPR compliance is a complicated process which spans several disciplines, in order to comply with this regulation with regards to data collection, you need to establish a lawful basis (e.g., GDPR consent, provision of contract, or legitimate interest) for each data collection point before any data is collected.
Data handlers (that’s you) must protect this information against unauthorized usage during its storage and management, and PII data owners (your users) must be provided with the option to review the information you have about them and request deletion of that data.
One of the best ways to allow users to exercise their data-control rights is by offering a Data Subject Access Request (DSAR) form, which gives users the opportunity to request to access, edit, transfer, or delete their data.
Additionally, in the event of a data breach, you have 72 hours to notify the appropriate authorities of the breach.
Failure to adhere to GDPR requirements could result in fines of up to 20 million euros, or four percent of your business’s annual global revenue.
PII data can be a tricky subject to tackle — especially as more countries and states start to implement online privacy and data protection laws. Regulations are catching up to a data-centric world, and that can necessitate major changes in the way that you operate, and the systems you use to work with information.
And while privacy laws are inherently complicated, with many different facets pertaining to different situations and types of data collection, the underlying goal is clear: transparency. The world of data is moving far away from the Wild West it once was, and toward a new horizon where data collection practices are clear, conspicuous, and consented to by all users.
Now that you know more about what PII data is and the methods you use to collect it, make sure you handle this data with care and implement the appropriate methods for maintaining legal compliance.