Extreme care needs to be exercised when handling the PII of clients particularly in these uncertain times where cyber criminality is on a steep rise.
If hacking was already on the increase at the end of 2019, it reached all-time highs in April and May 2020 during the COVID-19 pandemic, with attackers going to extreme lengths to obtain the personal details of individuals.
Processes to ensure the protection of PII data
It is therefore even more important for a company or organisation that processes the personal information of clients to abide by the EU General Data Protection Regulation (GDPR) and the national data-protection laws that apply to it.
Sensitive PII requires even stricter handling guidelines because of the increased risk to an individual if the data is compromised. Some categories of PII are sensitive as stand-alone data elements.
Examples include: SSN, driver’s license or state identification number, passport number, Alien Registration Number, or financial account number. Other data elements such as citizenship or immigration status, medical information, ethnic, religious, sexual orientation, or lifestyle information, and account passwords, in conjunction with the identity of an individual (directly or indirectly inferred), are also Sensitive PII.
When collecting sensitive PII, the organisation must have a lawful basis for doing so. Depending on the country of residence, the databases and IT systems that will hold the data may also require specific approval before any PII is collected.
Collecting personal information from members of the public may be subject to additional requirements under national legislation, for example a Privacy Act Statement. Access to or use of sensitive PII should be limited to a specific need, on a need-to-know basis, in accordance with the laws in force. A non-disclosure agreement may also be needed.
EU data-protection law (the GDPR's storage-limitation principle) and anti-fraud legislation require that PII be stored for no longer than necessary, taking into account the purposes for which the organisation processes the data and any legal obligation to keep it for a fixed period. Time limits must be established for erasing the data or reviewing whether it is still needed. The law allows personal data to be kept for longer where it is archived in the public interest or for scientific, historical or statistical research, provided that appropriate technical and organisational safeguards are in place (pseudonymisation, anonymisation, encryption, and so on). Organisations must also ensure that the data they hold is accurate and kept up to date.
Complying with the latest regulations and standards
Data Protection Authorities can respond to non-compliance with EU regulations in different ways. Where an infringement is likely, a warning may be issued.
Where an infringement has taken place, organisations may be issued with a reprimand, or a temporary or permanent ban on the processing. In some countries, public bodies may also be subject to administrative fines.
The guidance stipulates that sensitive PII should only be processed when the purpose cannot reasonably be achieved in another way. Where it is necessary, storage must be strictly limited to the information required for the purpose (data minimisation). At the time the data is collected, individuals must be clearly informed of the full details of the organisation, why the data is needed, the legal justification for processing it, the period of storage, who else may receive it, whether it will be transferred outside the EU, that they have a right of access to and a copy of this information, the right to lodge a complaint, and the right to withdraw consent at any time.
This information must be provided in writing, or by other means including electronic means where appropriate; at the individual's request it may be given orally, provided the person's identity is proven by other means. Organisations and companies are required to do this in a concise, transparent, intelligible and easily accessible way, in clear and plain language, and free of charge. When data is obtained from a source other than the individual, these details must be provided to the person concerned within a reasonable period and at the latest one month after obtaining the PII. In that case companies and organisations are also required to inform the individual of the categories of data and the source from which it was obtained, including whether it came from publicly accessible sources.
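The data-minimisation, sensitive-category and storage-limitation requirements above translate directly into checks an engineering team can run over its own client records. The following is an added example written for this page; it is not ARender's code and not taken from any regulation. The purposes, field names, retention periods and the records themselves are constructed assumptions; a real deployment would take them from its records of processing activities. It strips each record down to the fields its purpose needs, flags records that still contain sensitive PII (stand-alone elements, or conjunction elements together with an identifier), and then either erases or pseudonymises records that have passed their retention period.

```python
"""Added example (not from the original page): minimisation, sensitivity
classification and retention enforcement over constructed client records.
All purposes, fields, periods and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Data minimisation: the only fields each (assumed) purpose may hold.
PURPOSE_FIELDS = {
    "invoicing": {"name", "email", "account_number"},
    "newsletter": {"email"},
}

# Storage limitation: assumed retention period per purpose.
RETENTION = {
    "invoicing": timedelta(days=365 * 10),  # assumed statutory bookkeeping period
    "newsletter": timedelta(days=365),      # assumed consent-review cycle
}

# Categories as described in the text: sensitive on their own, or sensitive
# only in conjunction with something that identifies the person.
SENSITIVE_STANDALONE = {"ssn", "passport_number", "driver_license", "account_number"}
SENSITIVE_WITH_IDENTITY = {"medical_info", "citizenship", "religion", "password"}
IDENTITY_FIELDS = {"name", "email", "ssn", "passport_number", "driver_license"}


@dataclass
class Record:
    purpose: str
    collected_at: datetime
    data: dict


def minimise(record: Record) -> Record:
    """Drop every field that the record's purpose does not require."""
    allowed = PURPOSE_FIELDS[record.purpose]
    return Record(record.purpose, record.collected_at,
                  {k: v for k, v in record.data.items() if k in allowed})


def is_sensitive(data: dict) -> bool:
    """True for a stand-alone sensitive element, or a conjunction element
    present together with an identifier."""
    keys = set(data)
    if keys & SENSITIVE_STANDALONE:
        return True
    return bool(keys & SENSITIVE_WITH_IDENTITY) and bool(keys & IDENTITY_FIELDS)


def pseudonymise(data: dict, key: bytes) -> dict:
    """For archiving: replace identifiers with keyed hashes (the key must be
    stored separately) and drop stand-alone sensitive elements outright."""
    out = {}
    for k, v in data.items():
        if k in SENSITIVE_STANDALONE:
            continue
        if k in IDENTITY_FIELDS:
            out[k] = hmac.new(key, str(v).encode(), hashlib.sha256).hexdigest()[:16]
        else:
            out[k] = v
    return out


def apply_retention(records, now: datetime, key: bytes, archive: bool = False):
    """Split records into kept (inside retention), archived (pseudonymised)
    and an erased count. Without an archiving purpose, expired data is erased."""
    kept, archived, erased = [], [], 0
    for rec in records:
        if now - rec.collected_at <= RETENTION[rec.purpose]:
            kept.append(rec)
        elif archive:
            archived.append(Record(rec.purpose, rec.collected_at,
                                   pseudonymise(rec.data, key)))
        else:
            erased += 1
    return kept, archived, erased


# Constructed sample records; none refer to real people.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("newsletter", NOW - timedelta(days=30),
           {"name": "A. Client", "email": "a@example.com", "religion": "x"}),
    Record("newsletter", NOW - timedelta(days=400),
           {"email": "b@example.com"}),
    Record("invoicing", NOW - timedelta(days=365 * 11),
           {"name": "C. Client", "email": "c@example.com", "account_number": "ACCT-0001"}),
]


def run(now=NOW, key=b"assumed-separately-stored-key", archive=True):
    """Minimise every record, then enforce retention; returns all four results."""
    minimised = [minimise(r) for r in SAMPLE]
    kept, archived, erased = apply_retention(minimised, now, key, archive)
    return minimised, kept, archived, erased


if __name__ == "__main__":
    minimised, kept, archived, erased = run()
    for r in minimised:
        print(r.purpose, sorted(r.data), "sensitive:", is_sensitive(r.data))
    print(len(kept), "kept,", len(archived), "archived,", erased, "erased")
```

Note that the first sample record is sensitive before minimisation (religion together with a name) and no longer sensitive after it, which is the practical effect of collecting only what the purpose needs. The HMAC key used for pseudonymisation is what makes the archive reversible by the organisation alone; it must be kept apart from the archived data and under its own access control.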
If a breach does take place, whether PII is accidentally disclosed or unlawfully given to unauthorised recipients, altered, lost, or made unavailable, the breach must be notified to the Data Protection Authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, they must be informed as well.
Companies and organisations need to be aware of the rights of individuals. Where an organisation is in breach of the GDPR and an individual suffers material damage, for example financial loss, or non-material damage such as reputational harm or psychological distress, that individual has the right to claim compensation, regardless of the number of organisations involved in processing their data. Compensation can be claimed directly from the organisation or before the competent national courts of the EU Member State concerned. Organisations also risk fines and disciplinary measures when breaches take place.
It is therefore vital that the collection and storage of PII by companies and organisations is handled in full compliance with the EU and national regulations in force, to avoid fines, penalties, and long-term damage to reputation.
Would you like to find out how ARender security and privacy features can help you improve your customers' experience?
Sign up now to see a security-oriented demonstration!