Most companies nowadays collect, use, and store Personally Identifiable Information (PII). All companies need to do it for employees as part of legal requirements and, depending on the sector, they also collect PII for customers, residents, students, or patients. Due to the sensitive nature of PII, it is often targeted by malicious outsiders, and organizations are required to protect it from loss, theft, and unauthorized access. Failure to do so comes at a high cost: a loss of reputation and heavy fines as, in many countries, PII protection is now a legal obligation.
In data protection legislation like the EU’s General Data Protection Regulation (GDPR) personal data is defined broadly as any information relating to an identified or identifiable natural person. The California Consumer Privacy Act (CCPA) meanwhile specifies that personal data is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal data, therefore, includes everything from names, addresses, and phone numbers to social security numbers, passport numbers, and bank account details: any information that can be used to identify an individual. Data protection regulations across the world, whether generally applied or sector-specific, rarely stray from this basic definition.
To protect PII, companies must develop data protection strategies in line with the latest international standards and the requirements of their country’s data protection legislation. First, however, they need to know where it is.
The Need for Data Transparency
Many organizations may believe they know exactly where their data is going after it is collected, but in fact, they have very little control over how personal data circulates within their own company networks. This is mainly due to the collaborative nature of office work, the unexpected situations that arise on a day-to-day basis, and the way employees resolve them on the spot.
What this essentially means is that companies may not always be aware of the movements of PII within their own networks and outside them. To meet the requirements of data protection regulations, organizations must first identify the types of PII they collect and then track them to ensure they know where they are at all times. Tools like Data Loss Prevention (DLP) solutions can help monitor and control PII in motion, allowing companies to block or limit its transfer, but scanning for PII is equally important.
The Role of PII Scanning
Employees often download and store the files they are working on, or that they use to address a specific issue, on their own computers. Once those files are no longer of any use, they are more likely to be forgotten in a folder than deleted.
When these files contain PII, they become dangerous for two reasons. Firstly, it means that the company is not aware of the PII stored on that endpoint and therefore cannot take adequate measures to protect it. Secondly, should a data subject exercise their rights under the new data protection regulations and request the deletion of their personal information, the company would not be fully compliant if copies of that data continued to exist on employees’ computers.
PII scanning allows companies to search for data at rest across their entire company networks and identify where PII is being stored locally. Once discovered, remediation actions such as deletion or encryption can be taken directly by an administrator. Many PII scanners come with predefined search parameters that include the most commonly protected PII, but custom policies can also be created to search for particular data as in the case of data deletion requests.
Regular PII scans help companies not only determine where PII is being stored but also identify patterns in how data is being used and saved by employees. This can help them discover weak links in the flow of PII within their company networks, build more efficient data protection strategies, and better educate employees about data protection best practices.
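As an added illustration of the scanning mechanism described above (not code from the original article or from any particular product): a minimal Python data-at-rest scanner with predefined detectors for commonly protected PII, a Luhn check so that arbitrary digit runs are not reported as card numbers, and a custom policy built from one data subject's identifiers to locate copies after a deletion request. The regexes, helper names and sample files are assumptions constructed for this example.

```python
import re

# Predefined search parameters for commonly protected PII (assumed regexes,
# US-centric; a real scanner ships many more, per country and sector).
PREDEFINED_POLICIES = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 13-16 digit candidates, confirmed with a Luhn check to cut false positives
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: an arbitrary run of digits should not count as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def deletion_request_policy(identifiers: dict) -> dict:
    """Custom policy for one data subject's deletion request (hypothetical
    helper): literal, case-insensitive matches on that person's identifiers."""
    return {f"subject_{k}": re.compile(re.escape(v), re.IGNORECASE)
            for k, v in identifiers.items()}

def scan_text(text: str, policies: dict) -> list:
    """Return (policy_name, matched_value) pairs found in one file's contents."""
    hits = []
    for name, pattern in policies.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            hits.append((name, value))
    return hits

def scan_files(files: dict, policies: dict) -> dict:
    """Data-at-rest scan: map each path to its hits, keeping only files with any."""
    return {path: hits for path, content in files.items()
            if (hits := scan_text(content, policies))}

# Constructed sample of files forgotten on an endpoint (not real data).
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\refund_case.txt":
        "Refund for jane.doe@example.com, card 4111 1111 1111 1111, ref 12345",
    r"C:\Users\alice\Desktop\notes.txt":
        "Call back re SSN 123-45-6789 on Monday. Order id 9999-99-9999.",
    r"C:\Users\alice\Desktop\todo.txt": "Buy toner; ticket 1234567890123456",
}
```

Running `scan_files(SAMPLE_FILES, PREDEFINED_POLICIES)` reports the refund note and the SSN note but not the ticket number, which fails the Luhn check; `scan_files(SAMPLE_FILES, deletion_request_policy({"email": "Jane.Doe@example.com"}))` returns only the file holding that subject's data.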