Personally Identifiable Information or PII is defined by the US Department of Homeland Security as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual. This can include items like names and addresses, emails, birthdates or medical records, credit card and financial statements, passport information, or even social security numbers and driver’s licenses. It may also include photos or biometric data such as fingerprints.
For many organizations, PII forms the base of much of the sensitive data for which they are responsible. Protecting that data – or failing to protect it – can have long-term financial, reputational, and even legal implications for your business. For compliance officers, a few key considerations help ensure that your organization stays on the right side of the law.
Classification of your PII
PII should be considered internal data and should fall into the following categories:
- High Risk: If disclosed or modified without authorization, a leak of high-risk information could have severe adverse effects on an organization’s operations. This type of data requires high levels of protection such as encryption, privilege access management protocols, and other methods.
- Sensitive: This is data that data subjects may not wish to disclose, such as their date of birth, home address, and phone number. This type of data should be covered by a moderate level of protection.
- Confidential: This is highly confidential data that hackers want but cannot obtain through legitimate means. This may include credit card information, social security numbers, or medication information. This restricted data should be covered by the highest level of security controls.
- Public: This is data that lives in the “public domain.” This may include public records, newspaper clippings, social media platforms, or data that can be found in telephone or business directories. This type of data usually requires access controls to prevent unauthorized modification or destruction.
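Classification only works if you can find the PII in the first place. The following is an added example, not code from the original post: a small scanner that recognizes common PII kinds in a record (with a Luhn checksum so that an arbitrary 16-digit string is not mistaken for a card number) and maps each one to the tiers above. The field-to-tier mapping follows the examples given in the list and is an assumption for illustration, not a standard.

```python
import re
from typing import Dict, Optional, Tuple

# Tier names are the post's four categories; which PII kind lands in which
# tier is an assumption taken from the examples in the list above.
TIER_BY_KIND = {
    "credit_card": "Confidential",
    "ssn": "Confidential",
    "date_of_birth": "Sensitive",
    "phone": "Sensitive",
    "email": "Sensitive",
}
TIER_ORDER = ["Public", "Sensitive", "High Risk", "Confidential"]

PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date_of_birth": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "phone": re.compile(r"^\+?\d[\d\s().-]{6,12}\d$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: payment card numbers pass it, random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value: str) -> Optional[str]:
    """Return the PII kind of a single field value, or None if none is recognized."""
    compact = re.sub(r"[\s-]", "", value)
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact):
        return "credit_card"
    for kind, pattern in PATTERNS.items():
        if pattern.match(value.strip()):
            return kind
    return None

def classify_record(record: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each field holding PII to (kind, tier); fields without PII are left out."""
    found = {}
    for field, value in record.items():
        kind = classify_value(value)
        if kind:
            found[field] = (kind, TIER_BY_KIND[kind])
    return found

def record_tier(record: Dict[str, str]) -> str:
    """The highest tier present decides how the whole record must be handled."""
    tiers = [tier for _, tier in classify_record(record).values()]
    return max(tiers, key=TIER_ORDER.index) if tiers else "Public"
```

Run it over each table or export you hold and the record-level tier tells you which protection level from the list applies to that store.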
Data Protection & Data Sovereignty Requirements
Knowing where your data lives is a critical element of protecting your PII. Because data protection legislation varies from jurisdiction to jurisdiction, what is required in one country may not be required in another, and failure to comply with the specific regulations in your own jurisdiction could open your organization up to fines and even jail time.
Being aware of data protection legislation can also protect your organization’s sensitive and confidential information from third parties and prying government eyes. Know where your data lives during transport and when it is at rest.
Your organization’s compliance strategy should also include plans for business continuity and disaster recovery in the event of a catastrophic situation, be it manmade or natural. In part three of our series on compliance, we’ll discuss the differences between business continuity and disaster recovery and the steps you can take to prepare.
International Certifications
In the last decade or so, the Caribbean region has been forced to accelerate its modernization to keep up with and compete with other regions. This has made compliance with global standards an even more critical exercise for organizations across the Caribbean.
For Cloud Carib, attaining the coveted SOC 2 compliance status means that we maintain a high level of information security and ensure that sensitive information is handled responsibly. In the region, demand for Software as a Service (SaaS) offerings has grown, and with it the demand for providers like Cloud Carib to be even more vigilant about how client and company data is stored, particularly for information residing in the cloud. Now, more than ever, regional MSPs and cloud providers must prove that their control and oversight of data security procedures equal or exceed what is demanded of the most progressive, highly secure, and regulated organizations worldwide (those subject to HIPAA, PCI-DSS, etc.).
Meeting these international compliance standards not only provides a certain level of legitimacy, but also gives your clients peace of mind. For Cloud Carib clients, partners, suppliers, and regulators, this means access to detailed reports which outline how Cloud Carib manages the data lifecycle, meaning you can rest easy knowing that your data is safe and secure.