Before starting, let us agree on some terminology. A data subject is an individual (also called a user) whose personal data is being processed. Privacy regulations normally use the term “data subject”, but in this article we prefer to say individual or user.
Sensitive data and PII data (also called personally identifiable information) are both types of data that require careful handling to protect privacy and security.
However, there is a difference between the two. Sensitive data refers to any data that could cause harm or damage if it is accessed by unauthorized individuals or groups. This could include data such as financial information, medical records, or trade secrets. Sensitive data is typically information that, if it were to be exposed, could cause significant harm to an individual or organisation.
On the other hand, PII data refers to any data that can be used to identify a specific individual. This could include information such as name, address, phone number, email address, Social Security number, passport number, or driver’s license number.
PII is information that, if it were to be exposed, could potentially be used for identity theft, fraud, or other malicious activities. While there is overlap between sensitive data and PII, not all sensitive data is PII and not all PII is necessarily sensitive data.
For example, a person’s name and address could be considered PII, but it may not necessarily be sensitive data. In contrast, financial information such as credit card numbers may be sensitive data, but it may not be considered PII if it cannot be linked to a specific individual.
In summary, sensitive data refers to any data that could cause harm or damage if accessed by unauthorized individuals or groups, while PII refers to any data that can be used to identify a specific individual.
High-level objectives for a PII service
Now let us consider what objectives we should set up for an IT strategy focused on optimal handling of privacy concerns.
Data segregation is the practice of separating data into different categories or levels of sensitivity based on their risk of exposure or harm if they are compromised.
In the context of personally identifiable information (PII) data, data segregation is important because it helps to minimize the risk of data breaches, which could result in harm to individuals, reputational damage to organisations, legal and regulatory non-compliance as well as huge fines.
The most important objective of a PII service is to allow you to separate the PII data from all other personal data.
For instance, your Customer Data Platform (CDP) should not contain PII but should instead focus on all other aspects of your customer data, such as shopping history, preferences and so forth. Similarly, your identity provider (for signup and login) should not contain PII. PII should be stored in the PII service, and only there; every other service refers to a person only through an opaque identifier issued by the PII service.
This ensures that a breach of any of your other services exposes pseudonymous records rather than the identities of your customers, which greatly reduces the impact. The linking identifier must be a random value issued by the PII service, not something derived from the PII itself (such as a hash of the e-mail address), otherwise the records can be re-identified by guessing.
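To make the segregation concrete, here is an added example (illustrative code, not from the original article) of a hypothetical PII vault that issues opaque tokens, a CDP that stores only behavioural data keyed by those tokens, and a simulated breach of the CDP. It also shows the anti-pattern of keying the CDP by a hash of the e-mail address, which lets an attacker re-identify the dump from a list of candidate addresses. The class and function names and the sample signups are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample signups as they would reach the PII service (not real people).
SIGNUPS = [
    {"name": "Alice Example", "email": "alice@example.com"},
    {"name": "Bob Example", "email": "bob@example.com"},
]


class PiiVault:
    """Hypothetical PII service: the only system that stores PII.

    Every other service refers to a person solely through the opaque token
    this class issues, so a dump of that service contains no identity."""

    def __init__(self):
        self._records = {}   # token -> PII record (encrypted at rest in a real deployment)
        self._by_email = {}  # email -> token; this index lives only inside the vault

    def register(self, pii: dict) -> str:
        # A random token carries no information about the person and cannot be
        # recomputed by anyone who does not already hold the vault's mapping.
        token = secrets.token_urlsafe(16)
        self._records[token] = dict(pii)
        self._by_email[pii["email"]] = token
        return token

    def lookup(self, token: str) -> dict:
        return dict(self._records[token])


class CustomerDataPlatform:
    """Behavioural data only (purchases, preferences), keyed by the vault token."""

    def __init__(self):
        self.profiles = {}

    def record_purchase(self, token: str, sku: str) -> None:
        self.profiles.setdefault(token, {"purchases": []})["purchases"].append(sku)


def weak_token(email: str) -> str:
    """Anti-pattern: a 'pseudonymous' key derived from PII. The mapping is
    public knowledge, so the CDP can be re-identified without the vault."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def reidentify(profiles_keyed_by_weak_token: dict, candidate_emails: list) -> dict:
    """Attacker holding only a CDP dump keyed by sha256(email): hash a list of
    candidate addresses and see which ones hit. Returns token -> email."""
    return {
        weak_token(e): e
        for e in candidate_emails
        if weak_token(e) in profiles_keyed_by_weak_token
    }


def contains_pii(dump: object, pii_values: set) -> bool:
    """Simulate a breach: does the raw dump of a non-PII service expose any PII value?"""
    blob = repr(dump)
    return any(v in blob for v in pii_values)


def demo() -> dict:
    vault, cdp = PiiVault(), CustomerDataPlatform()
    tokens = [vault.register(s) for s in SIGNUPS]
    cdp.record_purchase(tokens[0], "SKU-1001")
    cdp.record_purchase(tokens[1], "SKU-2002")
    pii_values = {v for s in SIGNUPS for v in s.values()}

    # The same CDP content keyed the weak way, to show the difference.
    weak_cdp = {weak_token(s["email"]): cdp.profiles[t] for s, t in zip(SIGNUPS, tokens)}
    guessed = reidentify(weak_cdp, ["carol@example.com", "alice@example.com", "bob@example.com"])

    return {
        "cdp_leaks_pii": contains_pii(cdp.profiles, pii_values),      # False: tokens reveal nothing
        "owner_of_first_profile": vault.lookup(tokens[0])["email"],   # only the vault can join
        "reidentified_from_weak_keys": sorted(guessed.values()),       # both real customers recovered
    }
```

Run `demo()`: the CDP keyed by vault tokens leaks no PII value, while the same data keyed by a hash of the e-mail address is re-identified for every customer whose address the attacker can guess.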
Data residency refers to the physical location where PII data is stored. The objectives around data residency should ensure that the data is stored in the right places of the world.
This means that the data should be stored in data centres in the regions of the world that keep you compliant with the privacy legislation of each country in which you operate. Another objective is to have a way to transfer a PII record from one region to another if the user moves from one country to another.
Confidentiality refers to the protection of PII data from unauthorized access or disclosure. The PII service should provide strong authentication capabilities including multi-factor authentication for individuals and strong cryptographic protocols for server-to-server integrations.
The PII service should also provide fine-grained role-based access-control (RBAC) of all read and write operations of PII data. Finally, the PII service should maintain a detailed audit log of both read and write operations. Needless to say, it is also essential to ensure that PII data is encrypted when in transit and at rest.
Integrity refers to the protection of PII data from unauthorized modification or deletion. The PII service should ensure that the data is protected so that the integrity can always be trusted.
This can be achieved by implementing data validation checks and by storing the data and its audit trail in a tamper-evident form (for example an append-only, hash-chained log), so that any unauthorised change can be detected. Another objective is that the PII service must ensure that all modifications of PII data are approved by the individual owning the data; where a correction is required by a legal obligation instead, the individual should at least be notified of it.
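The following added example (illustrative code, not part of the original article) shows the confidentiality and integrity requirements above in one small store: per-category RBAC on every read and write, an audit log that records allowed and denied attempts alike, and a hash chain over the log so that deleting or editing an entry is detectable. The role table, the record and all names are constructed assumptions. The chain makes tampering evident rather than impossible; a real service would also anchor the latest hash somewhere the log's administrators cannot reach.

```python
import hashlib
import json
import time
from dataclasses import dataclass

# Constructed policy: (operation, data category) pairs each role may perform.
# "*" means every category; an individual may only touch their own record.
ROLE_PERMISSIONS = {
    "support-agent": {("read", "contact")},
    "individual": {("read", "*"), ("write", "*")},
}


@dataclass
class AuditEntry:
    seq: int
    ts: float
    actor: str
    role: str
    op: str
    category: str
    subject: str
    allowed: bool
    prev_hash: str
    hash: str = ""


class AuditLog:
    """Append-only log; each entry commits to its predecessor's hash, so editing
    or deleting any entry breaks the chain (tamper-evident, not tamper-proof)."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: AuditEntry) -> str:
        body = {k: v for k, v in entry.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields) -> None:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        entry = AuditEntry(seq=len(self.entries), ts=time.time(), prev_hash=prev, **fields)
        entry.hash = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_hash != prev or entry.hash != self._digest(entry):
                return False
            prev = entry.hash
        return True


class PiiStore:
    """Every read and write is authorised per data category and audited, allowed or not."""

    def __init__(self):
        self.audit = AuditLog()
        # Constructed record: one subject token with two data categories.
        self.records = {"tok-alice": {"contact": {"email": "alice@example.com"},
                                      "financial": {"iban": "<constructed>"}}}

    def access(self, actor, role, op, subject, category, values=None) -> dict:
        perms = ROLE_PERMISSIONS.get(role, set())
        allowed = ((op, category) in perms or (op, "*") in perms) and \
                  (role != "individual" or actor == subject)
        # Log before acting, so denied attempts are on record too.
        self.audit.append(actor=actor, role=role, op=op, category=category,
                          subject=subject, allowed=allowed)
        if not allowed:
            raise PermissionError(f"{role} {actor} may not {op} {category} of {subject}")
        if op == "write":
            self.records[subject][category].update(values)
        return dict(self.records[subject][category])


def _attempt(fn) -> str:
    try:
        fn()
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> dict:
    s = PiiStore()
    out = {
        "agent_reads_contact": s.access("agent-7", "support-agent", "read", "tok-alice", "contact")["email"],
        "agent_reads_financial": _attempt(lambda: s.access("agent-7", "support-agent", "read", "tok-alice", "financial")),
        "alice_updates_own_contact": _attempt(lambda: s.access("tok-alice", "individual", "write", "tok-alice", "contact", {"phone": "<constructed>"})),
        "bob_reads_alice": _attempt(lambda: s.access("tok-bob", "individual", "read", "tok-alice", "contact")),
    }
    out["log_valid_before_tamper"] = s.audit.verify()
    # An insider tries to hide the denied attempt by deleting its log entry.
    del s.audit.entries[1]
    out["log_valid_after_tamper"] = s.audit.verify()
    return out
```

The support agent can read contact data but not financial data, the individual can change only their own record, and once the denied attempt is removed from the log `verify()` fails because the next entry's `prev_hash` and sequence number no longer line up.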
Requirements related to data privacy regulations
In addition to the high-level objectives discussed in the previous section, a PII service must address privacy regulations such as GDPR. The General Data Protection Regulation (GDPR) is a regulation of the European Union that governs how organisations collect, process and store the personal data of individuals in the EU.
One of the core aspects of GDPR is the data subject rights, which provides individuals with greater control over their personal data.
These rights include the right to access, rectify, erase, and restrict processing of their data. They also have the right to data portability and the right to object to processing of their data. We will now go over each of the data subject rights from GDPR and derive the requirements we should set when designing a PII service.
Although these specific rights originate from GDPR, very similar rights are found in other privacy regulations around the world.
Right to be informed
The right to be informed requires organisations to inform individuals about the collection, processing, and storage of their personal data. When designing a PII service, organisations should clearly state the purpose of data collection, the categories of data being collected, the recipients of the data, and how long the data will be stored.
The information should be presented in a concise, transparent, and easily accessible format.
More specifically, we should require that each record of PII data should be associated with a purpose and a legal basis. The legal basis should be one of the following kinds: Consent, Contractual Necessity, Legal Obligation, Vital Interests, Public Interest, and Legitimate Interests.
- Consent is when the data subject gives permission for the processing of their data.
- Contractual Necessity is when processing is necessary to fulfil a contract.
- Legal Obligation is when processing is required by law.
- Vital Interests are when processing is necessary to protect someone’s life.
- Public Interest is when processing is required for tasks in the public interest or official authority.
- Legitimate Interests are when processing is necessary for the controller’s or third party’s legitimate interests.
The legal basis must be appropriate to the purpose and context of the processing and the legal basis must not violate the rights and freedoms of the data subjects. Another requirement is that within the data model of the PII service, the personal data must be categorized, typically in categories such as these:
- Personal identification information: This includes information such as a person’s name, address, social security number, or other unique identifiers.
- Contact information: This includes information such as email address, phone number, or mailing address.
- Financial information: This includes information such as bank account details, credit card numbers, or other financial identifiers.
- Health and medical information: This includes information such as medical history, test results, or other health-related data.
Finally, the legal basis and purpose should be coupled with the data categories, so that the PII service knows exactly which data categories it may store under each legal basis. For example, when a personal record containing financial information is stored, the PII service should check that the record’s legal basis permits storage of financial data, and reject the write if it does not.
Right of access
The right of access allows individuals to request access to their personal data that is being processed by an organisation. When designing a PII service, organisations should provide individuals with a means to access their data easily. The PII service should offer a self-service portal where users can log in (with the strong authentication described above) and safely inspect the personal data stored about them.
Right to rectification
The right to rectification allows individuals to request the correction of inaccurate or incomplete personal data. Like before, the PII service should provide self-service capabilities that will allow the individual to correct any mistakes in the personal data.
As a further requirement, the PII service should keep track of which parties received the incorrect personal data and take corrective action, such as forwarding the correction to them, where needed.
Right to erasure
The right to erasure, also known as the right to be forgotten, allows individuals to request the deletion of their personal data. A PII service should provide individuals with a means to easily request erasure of their data – either all their data or categories of data.
Next, the PII service should ensure that any third parties who received the data are notified of the erasure and, if possible, the PII service should carry out the erasure in downstream systems as well.
Finally, the erasure of the data should be done in such a way that retention policies are respected. Retention policies must be configurable in a three-dimensional matrix: per country, per data category and per legal basis. As an example: if an individual becomes a customer of an insurance company, the legal basis for storing the PII data would include Legal Obligation.
The insurance company would be obliged to keep a record of the customer data, presumably covering name and social security number for some years after the ending of the customer engagement.
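The two checks described above, the legal-basis-to-category check from the right to be informed and the retention matrix applied on erasure, are shown together in this added example (illustrative code, not the article’s own). The policy tables, the retention periods, the wildcard lookup order and the Danish insurance customer are constructed assumptions; real retention periods come from the applicable law.

```python
from datetime import date, timedelta

LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}

# Constructed policy: which data categories each legal basis may justify storing.
ALLOWED_CATEGORIES = {
    "consent": {"identification", "contact", "financial", "health"},
    "contract": {"identification", "contact", "financial"},
    "legal_obligation": {"identification", "financial"},
    "legitimate_interests": {"contact"},
}

# Constructed retention matrix: (country, category, legal basis) -> days to keep
# after the engagement ends. "*" is a wildcard; more specific keys win.
RETENTION_DAYS = {
    ("DK", "identification", "legal_obligation"): 5 * 365,
    ("DK", "financial", "legal_obligation"): 5 * 365,
    ("*", "*", "consent"): 0,       # consent-based data goes as soon as it is asked for
    ("*", "*", "contract"): 30,
}


def retention_for(country: str, category: str, basis: str) -> int:
    for key in ((country, category, basis), (country, "*", basis),
                ("*", category, basis), ("*", "*", basis)):
        if key in RETENTION_DAYS:
            return RETENTION_DAYS[key]
    return 0  # nothing configured: no obligation to keep it


class PolicyViolation(Exception):
    pass


class PiiRecords:
    """One record per (subject, category, purpose); each carries its legal basis."""

    def __init__(self):
        self.records = []

    def store(self, subject, country, category, purpose, basis, value) -> None:
        if basis not in LEGAL_BASES:
            raise PolicyViolation(f"unknown legal basis {basis!r}")
        if category not in ALLOWED_CATEGORIES.get(basis, set()):
            raise PolicyViolation(f"{category} data may not be stored under {basis}")
        self.records.append(dict(subject=subject, country=country, category=category,
                                 purpose=purpose, basis=basis, value=value, ended=None))

    def end_engagement(self, subject, when: date) -> None:
        for r in self.records:
            if r["subject"] == subject:
                r["ended"] = when

    def erase(self, subject, today: date, categories=None):
        """Erasure request: delete what retention allows, report what must be kept and until when."""
        erased, retained, keep = [], [], []
        for r in self.records:
            if r["subject"] != subject or (categories and r["category"] not in categories):
                keep.append(r)
                continue
            ended = r["ended"] or today  # still a customer: the retention clock starts now
            until = ended + timedelta(days=retention_for(r["country"], r["category"], r["basis"]))
            if today >= until:
                erased.append((r["category"], r["basis"]))
            else:
                retained.append((r["category"], r["basis"], until))
                keep.append(r)
        self.records = keep
        return sorted(erased), sorted(retained)


def demo() -> dict:
    db = PiiRecords()
    # Constructed Danish insurance customer: policy data under Legal Obligation, newsletter under Consent.
    db.store("tok-alice", "DK", "identification", "insurance-policy", "legal_obligation", {"name": "Alice Example"})
    db.store("tok-alice", "DK", "financial", "premium-collection", "legal_obligation", {"iban": "<constructed>"})
    db.store("tok-alice", "DK", "contact", "newsletter", "consent", {"email": "alice@example.com"})
    try:  # health data is not covered by Legitimate Interests in the policy table above
        db.store("tok-alice", "DK", "health", "risk-profiling", "legitimate_interests", {"note": "<constructed>"})
        health_rejected = False
    except PolicyViolation:
        health_rejected = True

    db.end_engagement("tok-alice", date(2024, 1, 1))
    erased_now, retained_now = db.erase("tok-alice", date(2024, 6, 1))
    erased_later, retained_later = db.erase("tok-alice", date(2030, 1, 1))
    return {
        "health_rejected": health_rejected,
        "erased_on_request": erased_now,
        "retained_until": {f"{c}/{b}": d.isoformat() for c, b, d in retained_now},
        "erased_after_retention": erased_later,
        "retained_after_retention": retained_later,
    }
```

On the erasure request in June 2024 only the consent-based contact data is deleted; the identification and financial records stay until the five-year retention period has run, and the response tells the individual exactly until when. A second request in 2030 removes the rest.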
Right to restrict processing and right to object
The right to restrict processing allows users to request the restriction of processing of their personal data. A PII service should provide individuals with a means to request restriction of processing of their data under certain circumstances or for certain purposes.
Ideally the PII service should provide the individual with a self-service capability showing an overview of where data is being processed. Based on this the user should be able to restrict processing – of course with some limitations coming from the company’s legal obligations and need to run their business.
Right to data portability
The right to data portability allows individuals to request the transfer of their personal data to another organisation. A PII service should provide individuals with a means to export all the personal data being stored, in a structured, commonly used and machine-readable format. Furthermore, the PII service should integrate with other similar services so that data export can be done conveniently.
In addition to meeting the above objectives, a PII service should also meet certain non-functional requirements. These requirements include scalability, availability, and elasticity.
Scalability refers to the ability of the PII service to handle large volumes of read and write operations of personal data. The PII service should be designed to scale horizontally and vertically. This can be achieved by using distributed systems, load balancers, and database sharding.
Availability refers to the ability of the PII service to be accessible at all times. To meet the availability requirement, the PII service should be designed with redundancy and failover mechanisms. This can be achieved by using cloud-native technologies including load balancers, clustering, backup and recovery mechanisms.
Elasticity refers to the ability of the PII service to scale up or down based on sudden changes in demand. To meet the elasticity requirement, the PII service should be designed with auto-scaling capabilities. This can be achieved by using modern container services such as those provided by AWS, Azure, or Google Cloud.
In conclusion, creating a secure and efficient PII service requires careful consideration of objectives such as data residency, confidentiality, and integrity. It is also crucial to respect data subject rights throughout the data lifecycle, ensuring that personal data is handled responsibly and with consent.
Finally, a PII service must fulfil several non-functional requirements like scalability, availability, and elasticity.