When businesses process customer (or employee) data, they are responsible for keeping it secure under local laws, including GDPR. All these regulations demand that organisations manage appropriately the personally identifiable information (PII) they hold.
Failing to comply with the regulations leaves organisations liable to reprimands, enforcement orders and substantial fines. All of these actions are published, leading to reputational damage that could be far more damaging than a fine.
Companies often have multiple data repositories used by different stakeholders, and some are unaware of what company specific customer information they have on file. For these companies, one data breach could wreak havoc, especially if it is not adequately equipped with the right governance, or controls, in place to manage this type of information.
As a result, many businesses have adopted Data Loss Prevention (DLP) measures. However, this isn’t a guaranteed solution. Instead, businesses should get a head start with a document management solution that applies data classification to business critical data and sensitive information such as PII so it can be appropriately managed.
With the increasing occurrence of data breaches involving PII, it’s important to consider implementing the following best practices:
- Discover and classify PII: An organisation has thousands, even millions, of documents in its data repositories such as network folders, SharePoint, OneDrive, Microsoft Teams, and email. Forward thinking organisations use a solution that helps businesses find PII data in all their databases, tagging documents that potentially contain social security numbers and metadata. From there, a workflow can be initiated to ensure that misfiled records are either relocated or destroyed.
- Implement the least-privilege model: The principle of least privilege (POLP) works by limiting access rights for users and allowing only enough access to perform the required task. With defined access permissions, businesses can avoid PII getting into the wrong hands and being distributed to a broader network.
- Use real-time monitoring: With a smart document management platform, businesses can use an automated background service that constantly checks for new files and information. For example, if someone stores a passport number in the comments section of an application, the system should be able to alert that staff, so the business can act to remove or reduce the associated risk.
- Avoid storing unnecessary PII: Businesses should destroy or de-identify PII once it's no longer needed or when there is no further legal obligation to hold it, including former customer data. Being able to automatically set permissions to protect documents that contain PII can help. Businesses should also implement appropriate measures and policies to avoid leaving data traces in unsecured locations or accidental data deletion.
Staying ahead of a shifting threat landscape
If businesses want to mitigate data loss risk, they must practice superior PII data management. With the right solution, businesses can proactively find and classify PII data, making it easier to gain insight into what data they hold, and take the steps to effectively manage and protect it.
M-Files Discovery finds business critical information within extensive document archives and automatically classifies and categorises those documents with relevant metadata. It can also help companies find various forms of PII from different information silos and initiate a workflow to properly manage documents and application databases.
Contact the team to find out more.