Data Privacy Day 2021: Top Tips to Protect Personally Identifiable Information (PII)
By Lucia Milică, Global Resident CISO for Proofpoint, Inc.
Safeguarding sensitive data should always be a top priority for companies—and in recognition of the National Cyber Security Alliance’s international Data Privacy Day, we are proud to serve as a Data Privacy Champion for 2021.
The UAE government has put legislation in place to protect the data and privacy of its citizens and companies. Data protection laws exist in economic hubs such as the Dubai International Financial Centre (DIFC) (since 2007) and Abu Dhabi Global Market (since 2015), and the UAE's Telecommunications Regulatory Authority (TRA) has launched a 2020-2025 National Cybersecurity Strategy that includes crucial aspects of data privacy.
One of the greatest challenges facing organizations today is how to ensure data privacy and proper governance, and achieve compliance, while staying successful. It is a delicate balance, because the security and privacy sides of the business overlap, and focusing on one cannot come at the expense of the other. Below are three ways organizations can work to ensure that data privacy and governance run smoothly.
- Use appropriate security safeguards for PII
An estimated 87% of the U.S. population can be identified from just their gender, zip code, and birth date. While some PII is more sensitive than other PII, it is important to think about the ramifications should any of it be lost or breached. The more sensitive the data, the stronger the protections need to be.
For example, a list of customer names and email addresses does not require the same security protections as a list of customer names and credit card numbers. That said, both sets of PII need to remain secure and be shared only on a need-to-know basis. Neither is information you would want distributed openly or in the hands of competitors.
- Only collect PII your organization truly needs and ensure proper storage
There are a number of reasons an organization might collect data in order to provide an effective service, including mailing lists, medical records, payment details, and unique ID numbers. That said, the best practice is to limit PII collection to business-critical items only. Think hard about the information you are requesting, because you will be responsible for safeguarding it.
The same thoughtful approach to collection also applies to PII storage. An organization's risk exposure increases as the volume of PII it holds rises. So before you store data, consider whether it is business critical. If not, securely dispose of it. If it is, apply the appropriate safeguards: physical security measures for paper files, and an encrypted, secure server for electronic files. In addition, examine your stored data frequently and purge anything that is out of date or no longer needed.
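As an added example (not from the article or from Proofpoint), the following Python sweep applies the two rules above to a constructed record set: keep only the PII fields the business has declared it needs, then let the most sensitive field still present set the record's retention clock and purge anything older. The policy table, the retention periods, and the sample records are all assumptions made for this illustration.

```python
from datetime import date

# Constructed policy table: PII field -> (sensitivity tier, retention in days).
# Tiers follow the article's example (name + email is lower risk than
# name + card number); the retention periods are assumptions for this demo.
POLICY = {
    "name": ("low", 730),
    "email": ("low", 730),
    "zip_code": ("low", 730),
    "birth_date": ("medium", 365),
    "card_number": ("high", 30),
}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}

def classify(record):
    """Highest sensitivity tier of any PII field present in the record."""
    tiers = [POLICY[f][0] for f in record if f in POLICY]
    return max(tiers, key=TIER_RANK.__getitem__) if tiers else "none"

def retention_days(record):
    """Shortest retention of any PII field present: the most sensitive
    field sets the clock for the whole record. None if no PII is present."""
    days = [POLICY[f][1] for f in record if f in POLICY]
    return min(days) if days else None

def minimize(record, needed):
    """Collect only what the business needs: drop PII fields not in `needed`."""
    return {k: v for k, v in record.items() if k not in POLICY or k in needed}

def sweep(records, needed, today):
    """Minimize each record, then purge records past their retention date.
    Returns (kept_records, purged_ids)."""
    kept, purged = [], []
    for rec in records:
        rec = minimize(rec, needed)
        limit = retention_days(rec)
        age = (today - rec["collected"]).days
        if limit is not None and age > limit:
            purged.append(rec["id"])   # securely dispose in a real system
        else:
            kept.append(rec)
    return kept, purged

# Constructed sample records and reference date for the demo.
TODAY = date(2021, 1, 28)
SAMPLE = [
    {"id": 1, "collected": date(2020, 12, 1), "name": "A. Example", "email": "a@example.invalid", "card_number": "4111111111111111"},
    {"id": 2, "collected": date(2019, 1, 15), "name": "B. Example", "email": "b@example.invalid"},
    {"id": 3, "collected": date(2021, 1, 5), "name": "C. Example", "email": "c@example.invalid", "card_number": "5555555555554444"},
]

if __name__ == "__main__":
    kept, purged = sweep(SAMPLE, {"name", "email", "card_number"}, TODAY)
    print("kept:", [r["id"] for r in kept], "purged:", purged)
```

Run with only `{"name", "email"}` declared as needed and the card numbers are dropped before the retention check, so record 1 survives: the less you collect, the less you have to guard and purge.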
- Apply security best practices to PII when appropriate
Combine information security with data governance programs that identify, classify, and protect critical and sensitive data assets. By applying technical controls and making data privacy a business priority, organizations reduce the risk of data exposure.
Be sure to encrypt your customers' PII and store it on internal servers, or within properly vetted cloud environments, that are separate from any external-facing servers. Those barriers slow down any threat actor who makes it through your "front door." Place a firewall between the internal and external-facing servers to add obstacles and limit lateral movement.
Security table stakes such as password-protecting sensitive systems are a must, as is keeping those passwords secure. Do not let unauthorized individuals access secure areas or systems. Similarly, do not be too quick to disclose personal data about your customers, coworkers, or yourself over the phone or on social media.
Ultimately, data privacy remains top of mind as we enter 2021 and the work-from-home reality persists for organizations worldwide. For many forward-thinking organizations, an effective data privacy strategy means aligning their IT investments in both cybersecurity and information protection, since good governance and compliance produce the strongest security posture.
For more information on best practices and to view our Privacy Awareness Kit, please visit https://www.proofpoint.com/us/resources/awareness-materials/2021-privacy-awareness-training-kit.