PII Data Management Practices and IT (GDPR Or Not)

Europe’s new General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and stipulates new requirements for how organizations manage, access, use and store Personally Identifiable Information (PII). This impacts several areas within the IT realm. Get used to hearing the term “PII” because it’s going to become vital in your data management processes.

GDPR is aimed at the PII of European Union citizens, but American companies may still be affected depending on who uses their services or where their offices or employees are located. At Mirazon, we typically serve American companies, but many of them have satellite offices in Europe or they have clientele in Europe.

Regardless of whether or not you are subject to GDPR, the regulation enforces certain best practices that everyone should adopt. So even if you’re not worried about GDPR, these guidelines are helpful for anyone who needs to improve data management practices.

First Step: Identify and Understand What Data You Keep and Own

This area is likely to be full of bad assumptions. It’s very important to understand what PII you are storing and why. For example, a major retailer may keep track of its customers by collecting all of their information: full name, date of birth, address, credit card numbers, etc. This can add up to a massive volume of data … and what purpose is it serving? Probably convenience in tracking buying behavior or simplifying the online ordering process for the user. However, it’s a massive amount of data that requires extra security protocols (not to mention the cost of paying to store it all).

It’s common to lack full visibility into what you’re storing or maintaining as IT, so this will require some conversations with other departments to get a better understanding of what’s being collected and for what purpose. This will allow you to develop better security procedures and access restrictions to maintain the security of the data and the users.

Second Step: Manage and Secure the PII

There are two directions from which to guard data: external sources and internal sources. For example, nobody wants their company to get hacked and end up on the 5 o’clock news for losing 20 million users’ credit card numbers.

However, internal access controls are often overlooked. Take this scenario: what if your web developer with unfettered access to all corporate data found his ex-girlfriend’s new address and ended up stalking her? Your company, regardless of GDPR, could be liable for the outcomes.

The technologies for protecting PII and enforcing access control over it are well documented, but having those policies and procedures in place and following them is the hard part.

Something else commonly skipped in securing PII is enabling proper access control within backups. Most backup tools have built-in access control settings already, so you and your team need to work with your company’s leadership on defining which access levels apply to whom. Veeam, for example, allows you to define the access level by VM or backup job.

Third Step: Document It All

Documentation itself is the bane of most IT professionals’ existence. Things change a lot. You have to keep up with it and document it. It’s easy to get behind and it’s not exactly exciting work. However, with these new regulations and certain compliance requirements, you must have up-to-date documentation.

Technology is not going to solve this for you. There’s no way around taking the time to write out your processes, changes, access controls, etc. You can save yourself a lot of time by keeping up with documentation on a regular basis instead of letting it go stale and facing a mountain of changes.

Have an Active Role in PII Security

Say I manage Mirazon’s website database and my marketing manager asks me to add in address fields on our contact form. This will take us from collecting purely non-sensitive data on our website database to storing PII. While changing the form seems like a simple request to our marketing manager, I as the database manager and IT person need to be aware of the type of data that’s being collected and adjust my processes on the backend to handle it securely.

You must pay attention to what’s being asked of you and ask questions back to get a full understanding of the scope.

Everybody has a responsibility moving forward in terms of data security, and that includes staying on top of any changes in policy or management in order for IT to address any consequences or impacts down the line. To effectively safeguard and manage PII, we need to start communicating interdepartmentally.

If you have questions about the best way to develop these policies or procedures, send us an email or give us a call at 502-240-0404.