Step 1: Locate and classify PII
| What to do | How to carry it out |
|---|---|
|
Discover the presence of PII |
Match regular expressions, keyword sets, or a combination of both to locate PII |
|
Run data discovery scans periodically |
Employ distributed and incremental scanning methodology to reduce the load on the CPU |
|
Reduce false positives in data discovery scans |
Use compound term processing and proximity scanning to increase the accuracy in finding PII |
|
Find PII stored in a non-machine readable format like images and handwritten notes |
Use optical character recognition (OCR) technology |
|
Find various special categories of personal data stored such as those containing medical history, political opinions, religious beliefs, and sexual orientation |
Tailor data discovery rules to locate special categories of sensitive data |
|
Classify PII discovered |
Use both automated and manual classification capabilities |
|
Create a data inventory map |
Scan through all data repositories, including file servers, databases, cloud applications, and more, to draft detailed records on what types of personal data are stored and where |
|
Categorize personal data found using classification taxonomy |
Use a taxonomy with at least three sensitivity levels, i.e., low, moderate, and high, to segregate files containing PII |
|
Create compliance-based policies |
Find and maintain a detailed list of PII that falls under various data protection regulations |
Step 2: Assess the risks to PII stored
| What to do | How to carry it out |
|---|---|
|
Analyze access levels and implement the principle of least privilege across files containing PII |
Provide only the bare minimum permissions required by users for their daily operations across files and folders containing personal data |
|
Run a data protection impact assessment |
Periodically identify and minimize the security risks that arise out of processing stored PII |
|
Remove stale PII, i.e., personal data stored past its usefulness |
Identify and archive old and stale files containing PII no longer in use |
|
Assign a directly responsible individual (DRI) tasked with securing PII |
Empower your DRI to scrutinize PII usage and make changes to processes and standards that help secure it |
|
Conduct periodic vulnerability assessment |
Identify gaps within your security infrastructure, including unpatched servers, weak firewalls, and more |
|
Assess the lawful basis of processing for all PII |
Maintain clear and detailed records of all data processing activities to stored PII and the relevant legal justification |
Step 3: Create PII policies
| What to do | How to carry it out |
|---|---|
|
Create an acceptable data usage policy |
Clearly outline who has a legitimate need to access the files and folders containing PII and how PII can be used |
|
Maintain detailed audit trails |
Audit all file accesses and modifications with detailed information on who accessed what, when, and from where |
|
Increase employee awareness about the importance of compliance with regulatory mandates |
Conduct periodic security awareness training centered around PII protection |
|
Facilitate data subject access requests |
Ensure that there are adequate processes in place to identify and meet requests from data subjects to:
And more |
|
Adopt a data breach notification policy |
Devise provisions to notify and communicate about a personal data breach to the supervising authority and the affected data subjects |
|
Create a PII data flow map |
Track and scrutinize the movement of files and folders containing PII |
|
Enforce data minimization |
Limit data collection, storage, and processing to only what is strictly necessary for business operations |
|
Maintain a credible data processing addendum |
Review and update data processing agreements made with your subcontractors periodically |
Step 4: Secure PII with stringent processes and standards
| What to do | How to carry it out |
|---|---|
|
De-identify and secure business-critical data in all its forms |
Encrypt, pseudonymize, or anonymize sensitive personal data in motion, at rest, and wherever possible to eliminate the risk of unwanted exposure |
|
Employ a quick incident response mechanism |
Deploy a proactive security threat detection and remediation mechanism to spot and stop unusual accesses and modifications to PII |
|
Manage unwanted access to critical data |
Secure access to computers and servers that store PII with multi-factor authentication |
|
Ensure file integrity |
Maintain the integrity of the personal data stored by monitoring all changes made to it 24/7 |
|
Prevent the leakage of PII |
Use a fully integrated DLP solution that will help secure highly confidential data at rest, in use, and in motion from theft, leak, and exposure |
|
Secure the transfer of PII to third countries and international organizations |
Ensure appropriate operational safeguards for disseminating critical files and folders both within and outside the organization |
|
Secure data from malware attacks |
Detect and stop malware attacks right at their onset with comprehensive anti-malware software |
Disclaimer: Data security requires a variety of solutions, processes, people, and technologies. This checklist is provided for informational purposes only and should not be considered as legal advice. ManageEngine makes no warranties, express, implied, or statutory, as to the efficacy of the information in this material.
How ManageEngine DataSecurity Plus can help you adhere to PII compliance regulations
- Monitor, identify, and classify PII, such as Social Security numbers, driver's license details, IP addresses, and more, across your storage repositories.
- Analyze files containing sensitive data to ensure POLP is enforced and maintained to comply with data protection regulations.
- Easily review the detailed audit logs that record all access and modifications made to business-critical files.
- Block sensitive data leaks via USB, Outlook, and file sharing methods by enforcing strict data protection policies.