How PII Data is Used in Businesses and Its Benefits
Although there has been a lot of talk recently about data privacy, personally identifiable information (PII), it is important to understand what PII data actually is.
Initiation of the General Data Protection Regulation, (GDPR), made sure that PII data was a major topic in media coverage. It also caused businesses to scramble to understand how and when they are collecting it.
It is changing all the time in terms of privacy and data practices on the internet. Businesses and consumers are both changing how they view personal information. Businesses must now understand what PII data means and how they can be used.
What is PII?
PII (personally identifiable information) is any data that can be used either alone or in combination with another piece to identify a physical individual.
Simply stated, PII data can be any information you use to identify an individual. You can think of it as a puzzle. Even though you cannot see the picture with just one piece, this piece can be used to complete the image. The same applies to personal information.
Whether data is legal considered PII or not will depend on the country where you live and your nationality. As the definition of PII differs from region to region, it will be determined whether data is legally considered PII. Some data that is commonly considered PII are:
Names
Social security numbers
Driver’s licence or ID numbers
Addresses
Phone numbers
Emails
Medical records
Birthdays
Biometric data
DNA
Birthplaces
Numbers for license plates
Although this is a simple list, it’s important to remember that the definition of PII can change as new laws and regulations adapt to digital realities. With the passage of the EU GDPR on May 25, 2018, an IP address has been considered PII information.
The country where you reside and your nationality will determine whether data is legal PII data. However, the definition of PII information varies from one region or the other.
Do You Collect Personally Identifiable information?
Knowing what PII data means, you can now determine if your company collects, stores and uses it. Signup forms, checkout, and other data sources are obvious. However, it’s possible your business or third-party service providers may collect more PII data.
It’s important to understand and know how you collect PII from your users. This will allow you to describe your practices in a comprehensive privacy statement.
Here are some key PII data security points to remember as you scan your website looking for PII sources.
Direct collection by forms: Signup pages are the most obvious source of data collection. Users will be prompted to enter their personal information. Any form that allows users to enter their personal information will likely collect and store PII data. It doesn’t matter if the user submits this information, but it could be stored on your website and servers.
Website cookies: Website owners can use similar tracking technologies and website cookies to collect information about individual users. This allows them to understand how they interact with your website, and other online properties. Cookies can store everything from user behaviour to passwords and payment details. These practices must be stated in both your privacy policies and the template for your cookie policy.
Analytics tools: Website analysis are crucial to the success of any online company. Analytics tools like Crazy Egg and Google Analytics allow you to gain a better understanding of user behavior and intent. Although these solutions tend to concentrate on aggregate data, rather than individual users, when creating reports they might still collect information about user locations such as IP addresses.
Geotargeting: The Geotargeting technology might collect the exact location of a user based on their mobile device. Or, it could obtain a wider location, such as their entire city or state. This data could be used for more relevant content, but if it is combined with other data, it could be used in order to identify a specific person.
Point of Sale (POS) – Modern POS systems are digital and can be viewed at the checkout page on an ecommerce website or SaaS site. These systems store customer information, such as names, email addresses, and telephone numbers. POS systems will have access to credit card information and other payment information.
Customer relationship management software: CRM compliance under GDPR can be a great tool for any new online business. This helps to establish a closer relationship between your users and you. Through a CRM, your sales and marketing teams or the person who manages your CRM will gather and store information about current and potential customers.
Customer service: If a user contacts you, or your customer support staff, you’ll most likely receive their email address or telephone number, their name and sometimes their personal address. This information is stored and kept on file by many companies that use contact center software.
This list isn’t exhaustive, but it’s fairly extensive. Each way that you collect PII information will require some discussion with your IT department or your own time.
The next section will show you that failing to account for even one data collection point could expose your entire business.
PII (personally identifiable information) is any piece that can be used either alone or in combination with another piece to identify a specific person.
Is your business at risk from PII data?
If you have a website that collects personal data and don’t at least make it clear in your privacy policy, then your business could be at great risk. Depending on your location and the locations of your users, you may face huge fines if your online business fails to comply with the laws and regulations governing PII data.
When it comes to regulations that apply to PII data specifically, you will need to address three areas: consent, handling, and collection.
There are new laws and regulations due to be enacted very soon — like the ePrivacy Regulation. But there are three major regulations that your information practices can have on your business’ financial future.
GDPR
The General Data Protection Regulation, which became effective in May 2018, applies to all businesses located in the European Union (EU) and that collect PII of EU data subjects.
Even though GDPR compliance is complex and involves many disciplines, in order for you to comply with the regulation regarding data collection, you must establish a lawful basis (e.g. consent, provision of contract or legitimate interests) for each point at which data is collected.
You should include information about the types of data that you collect and the sharing with whom you share them in your privacy policies.
This information must be protected by data handlers (that is, you), and PII owners (your users), must have the opportunity to review and request deletion of the data you hold.
Offering a Data Subject Access Request Form (DSAR), which allows users to request data access, editing, transfer, deletion, and other data-control rights, is one of the best ways to let users exercise their rights.
You have 72 hours to notify authorities in the event that there is a data breach.
Failure to follow GDPR requirements could lead to fines of up 20 million euros, which is four percent of your company’s global annual revenue.
Conclusion
PII data is a complicated topic to deal with, especially as more states and countries implement data privacy and protection laws online. As we move towards a data-centric society, regulations are rapidly catching up with us. This could require significant changes to the way you work and the systems that you use to access information.
Although privacy laws can be complicated due to the many aspects that relate to different situations or types of data collection and are complex, the goal is still transparency. The data world is shifting away from its Wild West past and towards a new horizon in which data collection practices are transparent, conspicuous, and consented by all users.
You now know what PII data looks like and how you collect it. Make sure to handle this data carefully and follow the legal guidelines for keeping your data safe.
The Little Red Journal Business Pages