PII compliance checklist

What is PII?

Personally identifiable information (PII) is any data that can be used to directly or indirectly identify an individual. Examples are names, Social Security numbers, credit card information, IP addresses, license details, and biometric details. Multiple data protection regulations—like the GDPR and CCPA—enforce stringent guidelines on how PII should be collected, stored, processed, and erased in an effort to provide customers with more visibility and control over how their personal data is used.

Use our checklist below for a quick overview of all the steps required to meet compliance regulations that mandate personal data protection.

Step 1: Locate and classify PII

What to do How to carry it out
Discover the presence of PII Match regular expressions, keyword sets, or a combination of both to locate PII
Run data discovery scans periodically Employ distributed and incremental scanning methodology to reduce the load on the CPU
Reduce false positives in data discovery scans Use compound term processing and proximity scanning to increase the accuracy in finding PII
Find PII stored in a non-machine readable format like images and handwritten notes Use optical character recognition (OCR) technology
Find various special categories of personal data stored such as those containing medical history, political opinions, religious beliefs, and sexual orientation Tailor data discovery rules to locate special categories of sensitive data
Classify PII discovered Use both automated and manual classification capabilities
Create a data inventory map Scan through all data repositories, including file servers, databases, cloud applications, and more, to draft detailed records on what types of personal data are stored and where
Categorize personal data found using classification taxonomy Use a taxonomy with at least three sensitivity levels, i.e., low, moderate, and high, to segregate files containing PII
Create compliance-based policies Find and maintain a detailed list of PII that falls under various data protection regulations

Step 2: Assess the risks to PII stored

What to do How to carry it out
Analyze access levels and implement the principle of least privilege across files containing PII Provide only the bare minimum permissions required by users for their daily operations across files and folders containing personal data
Run a data protection impact assessment Periodically identify and minimize the security risks that arise out of processing stored PII
Remove stale PII, i.e., personal data stored past its usefulness Identify and archive old and stale files containing PII no longer in use
Assign a directly responsible individual (DRI) tasked with securing PII Empower your DRI to scrutinize PII usage and make changes to processes and standards that help secure it
Conduct periodic vulnerability assessment Identify gaps within your security infrastructure, including unpatched servers, weak firewalls, and more
Assess the lawful basis of processing for all PII Maintain clear and detailed records of all data processing activities to stored PII and the relevant legal justification

Step 3: Create PII policies

What to do How to carry it out
Create an acceptable data usage policy Clearly outline who has a legitimate need to access the files and folders containing PII and how PII can be used
Maintain detailed audit trails Audit all file accesses and modifications with detailed information on who accessed what, when, and from where
Increase employee awareness about the importance of compliance with regulatory mandates Conduct periodic security awareness training centered around PII protection
Facilitate data subject access requests Ensure that there are adequate processes in place to identify and meet requests from data subjects to:
  • Rectify their personal data
  • Erase their personal data
  • Provide information on how their data was collected

And more

Adopt a data breach notification policy Devise provisions to notify and communicate about a personal data breach to the supervising authority and the affected data subjects
Create a PII data flow map Track and scrutinize the movement of files and folders containing PII
Enforce data minimization Limit data collection, storage, and processing to only what is strictly necessary for business operations
Maintain a credible data processing addendum Review and update data processing agreements made with your subcontractors periodically

Step 4: Secure PII with stringent processes and standards

What to do How to carry it out
De-identify and secure business-critical data in all its forms Encrypt, pseudonymize, or anonymize sensitive personal data in motion, at rest, and wherever possible to eliminate the risk of unwanted exposure
Employ a quick incident response mechanism Deploy a proactive security threat detection and remediation mechanism to spot and stop unusual accesses and modifications to PII
Manage unwanted access to critical data Secure access to computers and servers that store PII with multi-factor authentication
Ensure file integrity Maintain the integrity of the personal data stored by monitoring all changes made to it 24/7
Prevent the leakage of PII Use a fully integrated DLP solution that will help secure highly confidential data at rest, in use, and in motion from theft, leak, and exposure
Secure the transfer of PII to third countries and international organizations Ensure appropriate operational safeguards for disseminating critical files and folders both within and outside the organization
Secure data from malware attacks Detect and stop malware attacks right at their onset with comprehensive anti-malware software

Disclaimer: Fully complying with any data protection regulation requires a variety of solutions, processes, people, and technologies. This page is provided for informational purposes only and should not be considered as legal advice. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.

Email Download Link