As you may know, Payment Card Industry (PCI) compliance is geared toward protecting card data. However, GDPR will be coming into effect in May 2018 to protect what’s known as Personally Identifiable Information (PII). The new legislation should in theory create a more secure online environment for customers, safe in the knowledge their PII is protected.

But what exactly is PII?

PII is any data that would allow a third party to identify a specific person. Any data that allows you to differentiate between two separate people would qualify as Personally Identifiable Information.

NIST Special Publication defines PII as:

"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

Taken from Wikipedia:

The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII through breaches of Internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers have enacted a series of legislations to limit the distribution and accessibility of PII.

PII is generally considered to fall into two main types.

Sensitive Personally Identifiable Information:

Sensitive PII is made up of identifiers such as medical information, financial information, passport numbers, driver’s license numbers and national insurance numbers. Sensitive PII consists of data that could put a person at risk if it were shared or disclosed. Exposure of personal information doesn’t only put people at risk of fraud. Leaking PII can put people in all kinds of danger.

Non-sensitive Personally Identifiable Information:

Non-sensitive PII is information that people can find for themselves in public records. For example, court records, birth records or information found in a phone book would all count as non-sensitive PII.

There is a lot of speculation as to the impact GDPR will have and the penalties that noncompliance will result in. Sanctions will be meted out to those who fall foul of the obligations placed on businesses to obtain, use, manage and protect the Personally Identifiable Information that falls within their custody.

Whilst it is easy to apportion responsibility to IT, this is a far-reaching requirement that places the burden of responsibility onto all employees. IT can help establish what exists and where it resides and afford a level of protection. However, it will require a degree of knowledge and awareness from everyone within an organisation to keep PII protected.