PII Data and Compliance Solutions and Services | TrustArc

This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.

Source URL: https://trustarc.com/resource/personally-identifiable-information/

Content Type: resource


The growing importance of understanding and protecting PII data

Organizations have been collecting personally identifiable information about people for as long as anyone can remember. Consumers and businesses have provided information to receive services, process orders, and make payments, and rarely thought twice about it. In the past decade, the amount of Personally Identifiable Information (PII) being collected, and the number of organizations collecting it, has increased significantly. To conduct business today, organizations collect and store consumer and vendor PII across many systems and departments. Meanwhile, hackers, internet scams, and security breaches feature ever more prominently in the news and in people's daily lives. Individuals are often targeted, but organizations are a far more attractive target for PII breaches, because a single compromise yields records about many people at once.

You may think this does not apply to your department, or that it is someone else's responsibility. But as more data is collected and used across the organization, understanding PII and the regulations in place to protect it becomes every leader's responsibility.

What is personally identifiable information?

At times the answer is black and white, but technology innovations have made the boundary less clear. The National Institute of Standards and Technology (NIST), in its Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122), defines PII as any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, and any other information that is linked or linkable to an individual.

Examples of PII data:

- Name, maiden name, mother's maiden name, alias
- Passport number, Social Security number, driver's license number, taxpayer identification number
- Address (personal or business)
- Internet Protocol (IP) address or Media Access Control (MAC) address
- Vehicle registration number, vehicle title number, or vehicle identification number
- Financial account numbers, credit card numbers
- Protected health information (PHI), patient identification number
- Biometric records: personal characteristics including a photographic image of a face or other distinguishing features, x-rays, fingerprints, or other biometric image or template data (retina scan, voice signature, facial geometry)

Other information can also become personally identifiable when it is combined with publicly available information and used to identify an individual. Such data is considered linked or linkable to one of the examples above.

When does non-PII become PII?

- Demographic data: date of birth, place of birth, religion, weight
- Behavioral data: activities, geographical indicators
- Professional data: employment and educational information
- Financial information

Organizations may also collect information about a data subject that is not mentioned above, and this is where the gray area appears. What about usernames or social media handles: are those PII? Are likes, posts, and lists of friends PII? Will information collected from IoT devices be treated as PII? There are still many unknowns, and it is wise to seek expert legal advice. It is also worth noting that regulations around the globe define personally identifiable information and personal data differently. Organizations have much to consider when it comes to classifying and protecting PII.

Key PII data compliance responsibilities for businesses

Healthcare and financial services organizations are no strangers to the responsibilities that come with protecting Personally Identifiable Information. For many other organizations and industries, however, laws and regulations governing PII have only recently come into play:

- General Data Protection Regulation (GDPR): applies to organizations, wherever located, that process the personal data of individuals in the EU.
- Personal Information Protection and Electronic Documents Act (PIPEDA): requires consent for the collection, use, and disclosure of personal information in Canada.
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): grant California residents control over their personal data.
- Massachusetts General Law Chapter 93H: together with its implementing regulation, 201 CMR 17.00, sets minimum security standards for the personal information of Massachusetts residents and requires notification of breaches.

The growing landscape of PII regulations

This list is not exhaustive, but it gives an idea of the number of laws and regulations businesses must comply with when handling PII. Violations can result in civil or criminal penalties, escalating fines, and loss of consumer trust, which makes PII data compliance a critical priority for businesses.

Consumers are rapidly becoming more wary of companies collecting their personal data. A Pew Research Center survey of U.S. adults found that 81% feel they have very little or no control over the data companies collect about them, 81% believe the potential risks of that collection outweigh the benefits, and 79% are somewhat or very concerned about how companies use the data they collect.

These consumer attitudes toward business are concerning. Organizations can, however, treat them as an opportunity to improve relationships with customers and differentiate themselves from the competition. You have a responsibility to help consumers understand why and how their PII is being collected, and how they can opt out of that collection.

Proactive steps for protecting PII data

Beyond compliance: the business advantages of strong PII data management

Understanding the personal data your organization collects is not just a compliance exercise. A data inventory lets you manage risk, respond to data subject access requests (DSARs), manage international data flows, and govern your privacy program, and it improves processes and collaboration across the organization. Data privacy is too important to operate in a silo.

Consumers are demanding less intrusion into their personally identifiable information and more transparency from organizations. Companies that take these demands seriously benefit from stronger customer loyalty and repeat purchases, and privacy officers can be more confident that their organization is not exposed to penalties and fines.
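The distinction drawn above between direct identifiers and information that is merely linked or linkable is easy to state and easy to get wrong when building a data inventory. The following Python script is an added example, not code from the TrustArc page: it scans a handful of constructed records and classifies each as containing a direct identifier (a Social Security number, a card number validated with the Luhn check so that arbitrary digit strings are not flagged, an email address, an IPv4 address, or a field whose name marks it as an identifier), as linkable (two or more quasi-identifiers such as date of birth, ZIP code and gender, the combination Sweeney showed re-identifies most of the U.S. population), or as neither. The field names, the threshold of two quasi-identifiers, and the sample records are assumptions made for illustration, not a standard.

```python
"""Classify records by PII content: direct identifiers vs. linkable quasi-identifiers.

Added example; field names, thresholds and sample records are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Value-based detectors for direct identifiers.
# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
CARD_RE = re.compile(r"^[0-9 -]{13,23}$")  # candidate only; Luhn decides

# Field names that are direct identifiers regardless of value (assumed schema).
DIRECT_FIELDS = {"name": "name", "ssn": "ssn", "passport_number": "passport",
                 "drivers_license": "drivers_license", "vin": "vin"}
# Quasi-identifiers: harmless alone, identifying in combination (assumed schema).
QUASI_FIELDS = {"date_of_birth", "zip_code", "gender", "employer", "job_title"}
LINKABLE_THRESHOLD = 2  # policy choice: two or more quasi-identifiers => linkable


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of a 13 to 19 digit card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_direct(value: str) -> Optional[str]:
    """Return the identifier type found in a single value, or None."""
    v = value.strip()
    if SSN_RE.match(v):
        return "ssn"
    if EMAIL_RE.match(v):
        return "email"
    if IPV4_RE.match(v):
        return "ip_address"
    if CARD_RE.match(v) and luhn_ok(v):
        return "card_number"
    return None


@dataclass
class Finding:
    level: str                                   # "direct", "linkable" or "none"
    direct: dict = field(default_factory=dict)   # field name -> identifier type
    quasi: list = field(default_factory=list)    # quasi-identifier fields present


def classify_record(record: dict) -> Finding:
    """Classify one record. Direct identifiers dominate; otherwise count quasi-identifiers."""
    finding = Finding(level="none")
    for field_name, value in record.items():
        key = field_name.lower()
        kind = DIRECT_FIELDS.get(key) or detect_direct(str(value))
        if kind:
            finding.direct[field_name] = kind
        elif key in QUASI_FIELDS:
            finding.quasi.append(field_name)
    if finding.direct:
        finding.level = "direct"
    elif len(finding.quasi) >= LINKABLE_THRESHOLD:
        finding.level = "linkable"
    return finding


def scan_records(records) -> dict:
    """Count records per classification level, as a data-inventory summary would."""
    counts = {"direct": 0, "linkable": 0, "none": 0}
    for record in records:
        counts[classify_record(record).level] += 1
    return counts


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Dana Example", "email": "dana@example.com", "date_of_birth": "1984-03-12"},
    {"zip_code": "02139", "date_of_birth": "1984-03-12", "gender": "F"},   # linkable
    {"ticket_id": "T-1001", "card_number": "4111 1111 1111 1111"},         # Luhn-valid
    {"product": "widget", "quantity": "3"},
    {"source_ip": "203.0.113.7"},
    {"order_ref": "1234 5678 9012 3456"},                                   # fails Luhn
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
    print(scan_records(SAMPLE_RECORDS))
```

The second record carries no name, number or address yet is classified as linkable, which is exactly the case the "linked or linkable" clause of the NIST definition is meant to catch; the last record shows why a digit-pattern match alone is not enough to call something a card number.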