To fully assess an organisation’s risks and vulnerabilities in managing Personally Identifiable Data, it's crucial to understand what this entails under EU and UK GDPR.
Many organisations likely underestimate how much personal data they manage and the associated risks.
So What Is Personal Data?
Personal data is any piece of information that someone could use to identify a living person.
Any of the following can be considered personal data:
- Identity: Forename and surname, date of birth, signature, and gender.
- Contact Info: Personal or work address details, phone number, and email address.
- Personal: Bank or credit card details, passport, or driving licence.
- Professional: Job title, employment details, salary, etc.
- IT: IP address, browsing history, and cookie preferences.
Personal data can also be physical such as a photo, a CCTV image, and fingerprints.
Multiple Data Points And Vulnerability
Many organisations collect, use, share, and store single pieces of information unprotected. These could easily be combined with information from other sources to identify an individual customer or employee.
For such organisations, Personally Identifiable Information (PII) leakage should be considered a significant information security vulnerability.
This vulnerability is critical if any information could be used to track, identify, or contact a particular individual. This could be any combination or component of the above list.
There is also a sub-category of personal data termed “sensitive data”, requiring greater protection. This includes data on an individual’s ethnicity, sexual orientation, medical history, etc.
A common misconception is that non-sensitive PII does not need to be secured. As the description above shows, any non-sensitive data point can be linked with information from other sources or databases to reveal far more than intended.
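The linkage risk described above can be measured rather than asserted. The following is an added example (not from the original article) that takes a small constructed set of "non-sensitive" records built from the categories listed earlier and checks how many records share each combination of fields (k-anonymity): a k of 1 means that combination singles out one person. Field names and records are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records; none of these fields is "sensitive" on its own.
FIELDS = ("dob_year", "gender", "postcode_area", "job_title")
RECORDS = [
    {"dob_year": 1984, "gender": "F", "postcode_area": "SW1", "job_title": "Analyst"},
    {"dob_year": 1984, "gender": "M", "postcode_area": "SW1", "job_title": "Engineer"},
    {"dob_year": 1990, "gender": "F", "postcode_area": "N1", "job_title": "Engineer"},
    {"dob_year": 1990, "gender": "M", "postcode_area": "N1", "job_title": "Analyst"},
    {"dob_year": 1984, "gender": "F", "postcode_area": "N1", "job_title": "Engineer"},
    {"dob_year": 1990, "gender": "M", "postcode_area": "SW1", "job_title": "Analyst"},
]


def _key(record, quasi_ids):
    # The tuple of values an outsider could match against another dataset.
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids):
    """Smallest group size sharing one combination of quasi_ids (1 = someone is unique)."""
    counts = Counter(_key(r, quasi_ids) for r in records)
    return min(counts.values())


def unique_records(records, quasi_ids):
    """Records that are singled out by the given combination of fields."""
    counts = Counter(_key(r, quasi_ids) for r in records)
    return [r for r in records if counts[_key(r, quasi_ids)] == 1]


def smallest_identifying_set(records, fields):
    """Fewest fields (tried in order) that make at least one record unique."""
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            if unique_records(records, combo):
                return combo
    return None


if __name__ == "__main__":
    for field in FIELDS:
        print(field, "alone: k =", k_anonymity(RECORDS, (field,)))
    print("smallest identifying combination:", smallest_identifying_set(RECORDS, FIELDS))
```

Each field alone leaves every person in a group of three, yet two fields together already single out individuals, which is the point the article makes about combining data points.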
"46% of organisations suffer damage to their reputations and brand value as a result of a data breach."
— Forbes Insights, 2014
Any organisation processing personally identifiable data must consider the risks of doing so and understand the risks that arise when failing to keep all aspects of PII secure.
Beyond the potential financial penalties imposed by regulators such as the Information Commissioner’s Office (ICO) for failing to secure customers' PII in breach of GDPR, the reputational damage can be far more costly to an organisation.
It is essential to consider what security measures are in place, particularly in the sending and delivery of such information, to maintain the confidentiality, integrity, and availability of the data being processed.
Protecting this data from hackers and cybercriminals should be integral to any organisation’s customer data and information security management.
Mitigating The Risk
Optimise your data storage and retention strategy by regularly reviewing and purging unnecessary information.
If you need to handle PII within your organisation, it is safest to treat all information as actual or potential sensitive data, ensuring it is secured in transit and at rest.
Implement strict protocols for handling sensitive data, including secure transmission and end-to-end encryption capabilities. Remember: a single piece of information in the hands of a sophisticated hacker can be dangerous.
Data is particularly vulnerable in transit. The ICO recommends recipient identification, such as two-factor authentication, as a minimum standard before you permit access to a secured email.
Summary
While UK GDPR and ICO guidelines are important, they are not the only pieces of legislation that need to be adhered to within your business.
GDPR (General Data Protection Regulation)
Allows data transfer whilst providing safeguards to protect personal data. Empowers the Information Commissioner to levy fines of up to £17m or 4% of global turnover for serious breaches.
Information Commissioner's Office
The ICO is explicit in its warning – "Without additional encryption methods in place, the email body and any attachments will also be accessible to any unintended recipient or third party who intercepts the communication."
It goes on to provide significant ‘best practice’ guidance on encryption:
"A common type of personal data disclosure occurs when an email is sent to an incorrect recipient. Data controllers should be aware that encryption will only provide protection to personal data sent by email if the incorrect recipient does not have the means to decrypt the data [e.g., does not have the decryption key]."
Senior Managers & Certification Regime (SMCR)
SMCR aims to drive personal accountability by promoting improved corporate culture, governance, and transparency. Makes senior managers personally accountable for any form of misconduct.
Financial Conduct Authority (FCA)
Uses SMCR and personal accountability of senior management to ensure a code of conduct for all staff in financial services firms [big and small].
National Cyber Security Centre (NCSC)
As part of GCHQ, the NCSC publishes advice on the latest vulnerabilities and risks as well as advice on what security professionals should be doing to protect their organisations & customers.
Implementing protective measures not only reduces anxiety but often produces savings that surpass the cost of the protection itself.
Additionally, these measures often have a positive impact on environmental, social, and governance (ESG) factors, making them an ideal addition to a company's Net Zero goals or corporate social responsibility strategy and messaging.
References:
What personal data is considered sensitive?, European Commission, 2024
Security outcomes, The Information Commissioner's Office, 2023
Encryption scenarios, The Information Commissioner's Office, 2023
Senior Managers and Certification Regime, FCA, 2023
Forbes - IBM Reputational IT Risk Report, 2014
Reports & advisories, NCSC, 2024
Reviewed By:
Sam Kendall, 05.06.24
Sabrina McClune, 04.03.24