How Organizations Can Protect Personally Identifiable Information (PII) (2023)

Every organization stores and uses personally identifiable information (PII), whether on its employees or customers. As enterprises collect, process, and store PII, they also inherit responsibility for protecting it. Doing so ensures the integrity of individuals’ identities while protecting your company’s reputation.

PII can be compromised in a variety of ways. Digital files can be hacked and accessed by criminals, while physical files can be exposed to threats if not properly secured. Without safeguards and a PII protection policy, organizations and their customers are at risk of identity theft. In 2020, identity theft was the most common consequence of a data breach, occurring 65% of the time.

(Video) Personally Identifiable Information (PII) - Cybersecurity Awareness Training

So, what can organizations do to make sure all of this PII is protected? Here, we’ll take a closer look at what information is considered PII and the steps your business can take to protect it.

What is PII?

With the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) setting the standard for regulatory compliance for personal data and information privacy, it is important to note that not all personal data and information forms are the same. There are also different personal data and information types. The requirements for collecting, storing, and securing information can change depending on their respective definitions under regulations such as GDPR and CCPA.

Two commonly misinterpreted terms in this space are personally identifiable information (PII) and personal data. Personally identifiable information (PII) is any information that can be used to identify one individual from another. On the other hand, personal data is any information that relates to an identifiable, living individual.

Types of PII

Traditionally, PII included contact information, location data, or identification information like Social Security Numbers and birth dates. The definition has expanded to include digital information such as IP addresses and login IDs.

While protecting PII as an organization has always been challenging, this broadened definition creates even more things to consider when determining how to protect PII.

According to the NIST PII Guide, the following information types qualify as PII because they can identify a human being:

  • Name
  • Social Security Number (SSN), passport number, driver’s license number, financial account number, credit card, or any other personal identification numbers (PINs)
  • Street or email address
  • Phone number
  • IP addresses
  • Unique Identifier

Best Practices for Protecting PII

Once you have a firm understanding of what PII is, you can continue with the following PII compliance checklist to ensure the protection of your employee and customers’ information:

(Video) How to Protect Personally Identifiable Information (PII) From Search Engines | The Journey

1. Discover Where PII is Collected and Stored

The first step in protecting PII is to perform a data discovery or mapping exercise. Identify your most sensitive assets, whether those are employee records, intellectual property, or customer data.

This exercise enables you to locate PII within your network and other environments and get an idea of where it travels throughout your organization. Once you have mapped the data flow, you should have a better picture of where PII resides and how to isolate those systems from the rest of your environment.

Some questions you may want to ask during your discovery are:

  • What is the most critical information that we need to protect? Customer data? Intellectual property? Employee records?
  • Where is PII located within your network and other environments?
  • What security measures are being taken when this data is collected?

2. Identify PII Compliance Regulations

Every industry must comply with specific compliance laws and regulations governing collecting, storing, handling, and transmitting PII.

With a deeper understanding of these regulations, you will be more likely to ensure proper data protection and mitigate PII risk.

Examples of federal statutes protecting PII include:

3. Conduct a PII Risk Assessment

Conducting a risk assessment is the best way to identify any vulnerabilities and gaps in your data security strategy.

(Video) Personally Identifiable Information (PII)

The knowledge and facts you uncover in this step will shape the expectations for your data protection plan, identify threat opportunities, and ways to minimize their impact should they occur.

Here are a few things to consider during your assessment:

  • Decide who will be harmed and how?
  • What PII is regulated and what is currently being done to ensure regulatory compliance.
  • For unregulated PII, are there any existing reputational, security, or operational risks?
  • Rank the threats determining their risk magnitude, which is the combination of likelihood and consequence.
  • Make a comprehensive list of your findings.

4. Safely Store and Destroy Unnecessary PII

Another effective way to protect PII is to limit information risk as much as possible.

Only collect the information you deem absolutely necessary and store hard copies and electronic records in a highly-secure location, such as records storage facilities with advanced security controls. Properly destroy physical and digital records and outdated electronics, as they can leave a trace for high-tech thieves.

Data types that you should consider destroying are:

  • Customers you no longer do business with
  • Outdated employee records
  • PII found on unused devices

5. Classify Your PII in Terms of Sensitivity

Once you know what PII is being collected and stored, create a data classification policy to sort it based on sensitivity. This is an integral part of PII protection.

Here are some things to consider when segmenting your PII:

(Video) Privacy and Personally Identifiable Information (PII)

  • Restricted: Highly sensitive PII that can cause significant damage if it falls into the wrong hands. Data access is strictly controlled on a “need-to-know” basis.
  • Private: Not as sensitive as restricted data. However, it can cause moderate damage to the individuals or company if it is compromised. Only users who interact with this data as part of their role should have access to it.
  • Public: Non-sensitive, low-risk data with little or no access restrictions in place.

6. Create Safeguards for PII Protection

Not all PII requires the same level of protection. For example, a public directory lists phone numbers with individuals’ permission making its protection less critical. Thus, companies need to implement a variety of safeguards that address the different risk levels.

A few methods to protect PII include:

  • Creating policies and procedures – Organizations should have policies for collecting, using, retaining, disclosing, and destroying PII adopted entity-wide and communicated to employees.
  • Encryption – Data-centric encryption will protect your organization’s PII from internal and external risks and put your customers at ease when you request their most sensitive data.
  • Training – Training staff on proper cybersecurity protocols can go a long way to prevent breaches. While one careless employee can share PII with unauthorized recipients, the responsibility of protecting it falls on the organization ultimately. Continually train employees on both technology updates and new, evolving threats to prevent the risk of a breach.

7. Data Privacy Program and Policy Review

With the rollout of enhanced data privacy laws, your policies may need a review—schedule time to update your framework for protecting PII regularly.

While conducting audits may be time-consuming, they will help maximize the effectiveness of controls and identify any weaknesses.

Here are a few things to consider during your policy review:

  • Are all of our controls practical and efficient?
  • Are there any lessons from recent risk events, including near-misses, changes, trends, successes, and failures that we should consider?
  • Can any changes in the external and internal risk criteria be detected?
  • What emerging threats do we need to be aware of?

Outsourcing Your Data Protection

When it comes to PII protection, the best defense is a good offense. Make it a priority to safeguard your confidential information by trusting an expert to ensure your employees, customers, and business’s long-term protection.

At Vital Records Control, we understand the importance of protecting your critical assets. That’s why we’ve designed a suite of high-quality solutions to keep your organization’s sensitive information secure, from physical document storage, cloud-based document storage to secure destruction. Learn more about Vital Records Control’s commitment to protecting the information assets that matter to you the most.

(Video) Tech Minute: Protect your Sensitive Personal Identifiable Information (PII) - 6’ Networks, LLC


What is PII and how do you protect it? ›

Personal Identifiable Information (PII) is defined as: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

What are the top 3 action items to protect PII? ›

Three Steps to Protecting PII in the Government
  • Identify your PII through marking and metadata tagging.
  • Educate and build awareness of the organization's PII among employees, contractors, and partners.
  • Select the appropriate controls to protect PII.

How do companies protect their customer's data and PII information of their customers? ›

Encryption is a common way to protect customer data from bad actors, and organizations have different types of encryption they can choose among. File-level encryption, which can protect data in transit and make it harder for hackers to access cloud-based software or resources. Providers include McAfee and Microsoft.

What is the first step in protecting PII? ›

The first step to protecting PII is centralized control. Centralized control ensures that the data is accessed only by authorized people and not shared with unauthorized parties. Additionally, it helps you track who has access to the data and where it's being stored.

What PII must be protected? ›

NIST PII standards

Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number. Address information, such as street address or email address.

Why is it important for our organization to protect personal information? ›

Protecting privacy mitigates risks of costly incidents, reputational harm, regulatory penalties, and other harms. Protecting privacy also is essential to people's trust in an organization.

What is the purpose of protecting PII data? ›

Every business is responsible for keeping sensitive customer information private. Personally identifiable information (PII) is not only precious to your customers, but treating it carefully is important to ensure your company's reputation as a safe place to do business.

What are 3 ways that you can protect your information? ›

6 Ways to Protect Your Personal Information Online
  • Create strong passwords. ...
  • Don't overshare on social media. ...
  • Use free Wi-Fi with caution. ...
  • Watch out for links and attachments. ...
  • Check to see if the site is secure. ...
  • Consider additional protection.

What are the three types of information protection? ›

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.

What are 5 examples of PII? ›

Personal identification numbers: social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, financial account number, or credit card number. Personal address information: street address, or email address. Personal telephone numbers.

What are examples of an administrative safeguard that organizations use to protect PII? ›

PII should be stored in a locked desk, file cabinet, or office that is not accessible, etc. Password protect electronic files containing PII when maintained within the boundaries of the agency network. Report any suspicious activity to your Information Assurance Security Officer (IASO).

How should an organization protect the privacy and security of their customer information? ›

Organizations should use password protection, such as multifactor authentication and password managers, to secure confidential emails and data. Additionally, encryption -- such as file-level encryption -- can help protect data on computer hard drives, and 256-key bit length encryption can secure emails.

What is ultimately responsible for protecting PII at our company? ›

From a legal perspective, the responsibility for protecting PII may range from no responsibility to being the sole responsibility of an organization. Generally, the responsibility is shared with the organization holding the PII and the individual owner of the data. That said, while you might not be legally responsible.

How do companies keep customer data safe? ›

For protecting crucial data, big organizations use encryption for their computers, data in transit, data in the cloud, and stored data. Phones and USB devices should also use encryption if they have to take care of sensitive data.

What are 4 steps to protect patient information? ›

4 ways of protecting patient privacy
  • Build a security culture in your organization.
  • Perform a security risk assessment.
  • Create a PHI security improvement plan.
  • Encrypt all patient data.
Jun 23, 2022

What are the five steps to securing personal information? ›

Five Steps Towards Achieving Data Security
  • Take Stock.
  • Scale Down.
  • Lock It.
  • Pitch It.
  • Plan Ahead.
Dec 18, 2012

What is an example of a PII policy? ›

Examples of protected PII include, but are not limited to, social security numbers (SSNs), credit card numbers, bank account numbers, home telephone numbers, ages, birthdates, marital status, spouse names, educational history, biometric identifiers (fingerprints, voiceprints, iris scans, etc.), medical history, ...

What kind of PII is protected by HIPAA? ›

What Kinds of Information Constitute HIPAA PII? Personally identifiable information is data relating directly or indirectly to an individual, from which the identity of the individual can be determined. Examples of PII include patient names, addresses, phone numbers, Social Security numbers, and bank account numbers.

How do companies and organizations ensure that personal data is protected and used ethically? ›

Two-factor authentication, data file encryption, and virtual private network (VPN) access are all examples of data security measures that can help protect your customers' sensitive information and identities. Data security and data privacy work together to ensure your customers' safety and anonymity.

How can you protect information in the workplace? ›

Sharing and transferring personal data
  1. Carry out risk assessments of data systems and act on the results.
  2. Maintain up-to-date security systems (for example, using firewalls and encryption technology).
  3. Restrict access to personal data to those who need it.
  4. Train staff on data security.
  5. Review data security regularly.
Nov 4, 2022

How do you secure information in an Organisation? ›

Legal counsel play a critical role in developing and implementing these important data security measures.
  1. Implement a data security plan. ...
  2. Encrypt data. ...
  3. Communicate data securely. ...
  4. Use access controls and firewalls. ...
  5. Use external service providers carefully. ...
  6. Keep some data off the network. ...
  7. Final thoughts.

What are 8 ways you can protect personal data? ›

Tips to protect your privacy
  • Know your rights. ...
  • Read privacy policies and collection notices. ...
  • Always ask why, how and who. ...
  • Check your credit report. ...
  • Protect yourself online. ...
  • Be aware of your mobile security. ...
  • Use security software. ...
  • Be careful what you share on social media.

What are 4 or more specific steps ways that you can take to protect your data computer when surfing on publicly accessible networks? ›

5 Tips to Keep Your Data Safe on Public Wi-Fi
  1. Verify the Network; Configure and Turn off Sharing. Remember that hackers are very clever, so its better to surf and play smart. ...
  2. Use a VPN. A VPN (Virtual Private Network) is the most secure option to surf on public networks. ...
  3. Use HTTPS. ...
  4. Keep the Firewall Enabled. ...
  5. Use Antivirus.

What is the most effective method to protect data? ›

Encryption—alters data content according to an algorithm that can only be reversed with the right encryption key. Encryption protects your data from unauthorized access even if data is stolen by making it unreadable.

What are two methods that ensure confidentiality? ›

Here are some of the 7 effective ways to ensure data confidentiality in your organization.
  • Restrict access to data. ...
  • Encrypt your data. ...
  • Implement a confidentiality policy. ...
  • Implement a data retention policy. ...
  • Develop and implement a cybersecurity program. ...
  • Take physical security measures. ...
  • Non-disclosure agreements.

What are the 3 types of data information that needs to be protected under Data Privacy Act 0f 2012? ›

10173, otherwise known as the Data Privacy Act is a law that seeks to protect all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.

What are the 3 classification of personal identifiable information PII? ›

At a minimum, Personally Identifiable Information (PII) must be treated as Internal Data, and elements of PII may be classified as Sensitive, Confidential, or High Risk Data.

What is a way to protect PII and sensitive data from office visitors? ›

10 steps to help your organization secure personally identifiable information against loss or compromise
  • Identify the PII your company stores.
  • Find all the places PII is stored.
  • Classify PII in terms of sensitivity.
  • Delete old PII you no longer need.
  • Establish an acceptable usage policy.
  • Encrypt PII.
Sep 12, 2018

What is considered PII information? ›

What is personally identifiable information (PII)? Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII.

What are the top three actions you need to follow to help protect PII? ›

Three Steps to Protecting PII in the Government
  • Identify your PII through marking and metadata tagging.
  • Educate and build awareness of the organization's PII among employees, contractors, and partners.
  • Select the appropriate controls to protect PII.

What security safeguards are necessary for protecting PII and PHI? ›

Safeguards include such actions and practices as securing locations and equipment; implementing technical solutions to mitigate risks; and workforce training. The Privacy Rule's safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities.

What are the three types of safeguards used to protect PHI? ›

The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical. Please visit the OCR for a full overview of security standards and required protections for e-PHI under the HIPAA Security Rule.

Do organizations have the legal responsibility to protect the PII of who? ›

Generally, the responsibility is shared with the organization holding the PII and the individual owner of the data. That said, while you might not be legally responsible. Most consumers believe that it is your responsibility to protect their personal data.

Which action requires an organization to carry out a privacy impact assessment PII? ›

Section 208 of the E-Government Act of 2002 requires all federal government agencies to conduct a Privacy Impact Assessment (PIA) for all new or substantially changed technology that collects, maintains, or disseminates personally identifiable information (PII).

Who is responsible for protecting data and information in our organization? ›

The role of the CISO in data security management

A company's CISO is the leader and face of data security in an organization. The person in this role is responsible for creating the policies and strategies to secure data from threats and vulnerabilities, as well as devising the response plan if the worst happens.

Does the organization have a due care responsibility to protect the privacy of data? ›

The company must practice due care both inside and outside its walls to protect its intellectual property from being compromised. Data protection is accomplished via the practices of privacy, confidentiality and information security. As indicated, critical data become an asset to the company.

What can an organization that fails to protect PII face? ›

If organizations don't have a plan in place for protecting PII, they could put their employees and their customers at risk of identity theft if there's a data breach. If organizations lose sensitive data, they could face legal penalties, financial losses and damaged reputations.

How PII data should be handled while working? ›

Encrypt PII

Encrypting your PII at rest and in transit is a non-negotiable component of PII protection. Use strong encryption and key management and always make sure you that PII is encrypted before it is shared over an untrusted network or uploaded to the cloud.


1. Personally Identifiable Information - CompTIA Security+ SY0-401: 2.6
(Professor Messer)
2. Personally Identifiable Information (PII) Facility & Data Center Compliance
(Critical Facilities Connect)
3. Day- 310: What can be considered personally identifiable information (PII)?
(Cybersecurity FOREVER)
4. Protecting Personal Identifiable Information (PII) in CA PPM for GDPR
(Pemari Consulting)
5. How to protect PII and share securely
(MarkLogic )
6. Personally Identifiable Information PII v4
(Credible papers)
Top Articles
Latest Posts
Article information

Author: Greg Kuvalis

Last Updated: 02/22/2023

Views: 6065

Rating: 4.4 / 5 (55 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Greg Kuvalis

Birthday: 1996-12-20

Address: 53157 Trantow Inlet, Townemouth, FL 92564-0267

Phone: +68218650356656

Job: IT Representative

Hobby: Knitting, Amateur radio, Skiing, Running, Mountain biking, Slacklining, Electronics

Introduction: My name is Greg Kuvalis, I am a witty, spotless, beautiful, charming, delightful, thankful, beautiful person who loves writing and wants to share my knowledge and understanding with you.